Your search keyword '"Address space layout randomization"' showing total 13 results

1. Fine-Grained Address Space Layout Randomization on Program Load.

Author

Nurmukhametov, A. R., Zhabotinskiy, E. A., Kurmangaleev, Sh. F., Gaissaryan, S. S., and Vishnyakov, A. V.

Subjects

*COMPUTER programming management, *SOFTWARE protection, *RANDOMIZATION (Statistics), *COMPUTER operating systems, *LOADERS (Computer programs)

Abstract

Abstract: Software vulnerabilities are a serious security threat. It is important to develop protection mechanisms preventing their exploitation, especially with a rapid increase of ROP attacks. State of the art protection mechanisms have some drawbacks that can be used by attackers. In this paper, we propose fine-grained address space layout randomization on program load that is able to protect from such kind of attacks. During the static linking stage, the executable and library files are supplemented with information about function boundaries and relocations. A system dynamic linker/loader uses this information to perform permutation of functions. The proposed method was implemented for 64-bit programs on CentOS 7 operating system. The implemented method has shown good resistance to ROP attacks evaluated by two metrics: the number of survived gadgets and the exploitability estimation of ROP chain examples. The implementation presented in this article is applicable across the entire operating system and has no compatibility problems affecting the program performance. The working capacity of proposed approach was demonstrated on real programs. The further research can cover forking randomization and finer granularity than on the function level. It also makes sense to implement the randomization of short functions placement taking into account the relationships between them. The close arrangement of functions that often call each other can improve the performance of individual programs. [ABSTRACT FROM AUTHOR]

Published

2018

2. MKM: Multiple Kernel Memory for Protecting Page Table Switching Mechanism Against Memory Corruption

Author

Toshihiro Yamauchi and Hiroki Kuzuno

Subjects

Address space layout randomization, Software_OPERATINGSYSTEMS, Computer science, 020206 networking & telecommunications, Memory corruption, 02 engineering and technology, Attack surface, computer.software_genre, Mandatory access control, Virtual address space, System call, Kernel (statistics), 0202 electrical engineering, electronic engineering, information engineering, Operating system, 020201 artificial intelligence & image processing, Page table, computer

Abstract

Countermeasures against kernel vulnerability attacks on an operating system (OS) are highly important kernel features. Some kernels adopt several kernel protection methods such as mandatory access control, kernel address space layout randomization, control flow integrity, and kernel page table isolation; however, kernel vulnerabilities can still be exploited to execute attack codes and corrupt kernel memory. To accomplish this, adversaries subvert kernel protection methods and invoke these kernel codes to avoid administrator privileges restrictions and gain complete control of the target host. To prevent such subversion, we present Multiple Kernel Memory (MKM), which offers a novel security mechanism using an alternative design for kernel memory separation that was developed to reduce the kernel attack surface and mitigate the effects of illegal data manipulation in the kernel memory. The proposed MKM is capable of isolating kernel memory and dedicates the trampoline page table for a gateway of page table switching and the security page table for kernel protection methods. The MKM encloses the vulnerable kernel code in the kernel page table. The MKM mechanism achieves complete separation of the kernel code execution range of the virtual address space on each page table. It ensures that vulnerable kernel code does not interact with different page tables. Thus, the page table switching of the trampoline and the kernel protection methods of the security page tables are protected from vulnerable kernel code in other page tables. An evaluation of MKM indicates that it protects the kernel code and data on the trampoline and security page tables from an actual kernel vulnerabilities that lead to kernel memory corruption. In addition, the performance results show that the overhead is 0.020 \(\mu \)s to 0.5445 \(\mu \)s, in terms of the system call latency and the application overhead average is 196.27 \(\mu \)s to 6,685.73 \(\mu \)s , for each download access of 100,000 Hypertext Transfer Protocol sessions.

Published

2020

3. A Review of Memory Errors Exploitation in x86-64

Author

Hector Marco-Gisbert, Carolyn Begg, and Conor Pirry

Subjects

Address space layout randomization, Exploit, Memory errors, SSP, Computer Networks and Communications, Computer science, Vulnerability, stack buffer overflows, Computer security, computer.software_genre, lcsh:QA75.5-76.95, Human-Computer Interaction, ASLR, x86-64, NX, x86, Stack buffer overflow, memory errors, lcsh:Electronic computers. Computer science, Android (operating system), computer, Buffer overflow

Abstract

Memory errors are still a serious threat affecting millions of devices worldwide. Recently, bounty programs have reached a new record, paying up to USD 2.5 million for one single vulnerability in Android and up to USD 2 million for Apple’s operating system. In almost all cases, it is common to exploit memory errors in one or more stages to fully compromise those devices. In this paper, we review and discuss the importance of memory error vulnerabilities, and more specifically stack buffer overflows to provide a full view of how memory errors are exploited. We identify the root causes that make those attacks possible on modern x86-64 architecture in the presence of modern protection techniques. We have analyzed how unsafe library functions are prone to buffer overflows, revealing that although there are secure versions of those functions, they are not actually preventing buffer overflows from happening. Using secure functions does not result in software free from vulnerabilities and it requires developers to be security-aware. To overcome this problem, we discuss the three main security protection techniques present in all modern operating system; the non-eXecutable bit (NX), the Stack Smashing Protector (SSP) and the Address Space Layout Randomization (ASLR). After discussing their effectiveness, we conclude that although they provide a strong level of protection against classical exploitation techniques, modern attacks can bypass them.

Published

2020

4. Lightweight and Seamless Memory Randomization for Mission-Critical Services in a Cloud Platform

Author

Ki-Woong Park, Joobeom Yun, Dongyoung Koo, and Youngjoo Shin

Subjects

Service (systems architecture), Control and Optimization, Source code, Computer science, Cost effectiveness, Process (engineering), media_common.quotation_subject, Mission critical, 0211 other engineering and technologies, Vulnerability, Energy Engineering and Power Technology, Cloud computing, 02 engineering and technology, address space layout randomization (ASLR), rerandomization, code-reuse attack, return-oriented programming (ROP), seamless memory randomization, Computer security, computer.software_genre, lcsh:Technology, Software, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, address space layout randomization (aslr), Engineering (miscellaneous), media_common, 021110 strategic, defence & security studies, Address space layout randomization, Renewable Energy, Sustainability and the Environment, business.industry, lcsh:T, 020206 networking & telecommunications, return-oriented programming (rop), business, computer, Energy (miscellaneous)

Abstract

Nowadays, various computing services are often hosted on cloud platforms for their availability and cost effectiveness. However, such services are frequently exposed to vulnerabilities. Therefore, many countermeasures have been invented to defend against software hacking. At the same time, more complicated attacking techniques have been created. Among them, code-reuse attacks are still an effective means of abusing software vulnerabilities. Although state-of-the-art address space layout randomization (ASLR) runtime-based solutions provide a robust way to mitigate code-reuse attacks, they have fundamental limitations; for example, the need for system modifications, and the need for recompiling source codes or restarting processes. These limitations are not appropriate for mission-critical services because a seamless operation is very important. In this paper, we propose a novel ASLR technique to provide memory rerandomization without interrupting the process execution. In addition, we describe its implementation and evaluate the results. In summary, our method provides a lightweight and seamless ASLR for critical service applications.

Published

2020

5. KASLR-MT: kernel address space layout randomization for multi-tenant cloud systems

Author

Hector Marco-Gisbert and Fernando Vano-Garcia

Subjects

Computer Networks and Communications, Computer science, Distributed computing, Linux kernel, Cloud computing, 02 engineering and technology, computer.software_genre, Theoretical Computer Science, Artificial Intelligence, Virtualization, 0202 electrical engineering, electronic engineering, information engineering, Operating systems, Address space layout randomization, business.industry, 020206 networking & telecommunications, ARQUITECTURA Y TECNOLOGIA DE COMPUTADORES, Cloud computing architecture, Memory management, Shared memory, Kernel (image processing), Hardware and Architecture, Scalability, Security, Memory deduplication, 020201 artificial intelligence & image processing, business, computer, Cloud, Software, Memory protection

Abstract

[EN] Cloud computing has completely changed our lives. This technology dramatically impacted on how we play, work and live. It has been widely adopted in many sectors mainly because it reduces the cost of performing tasks in a flexible, scalable and reliable way. To provide a secure cloud computing architecture, the highest possible level of protection must be applied. Unfortunately, the cloud computing paradigm introduces new scenarios where security protection techniques are weakened or disabled to obtain a better performance and resources exploitation. Kernel ASLR (KASLR) is a widely adopted protection technique present in all modern operating systems. KASLR is a very effective technique that thwarts unknown attacks but unfortunately its randomness have a significant impact on memory deduplication savings. Both techniques are very desired by the industry, the first one because of the high level of security that it provides and the latter to obtain better performance and resources exploitation. In this paper, we propose KASLR-MT, a new Linux kernel randomization approach compatible with memory deduplication. We identify why the most widely and effective technique used to mitigate attacks at kernel level, KASLR, fails to provide protection and shareability at the same time. We analyze the current Linux kernel randomization and how it affects to the shared memory of each kernel region. Then, based on the analysis, we propose KASLR-MT, the first effective and practical Kernel ASLR memory protection that maximizes the memory deduplication savings rate while providing a strong security. Our tests reveal that KASLR-MT is not intrusive, very scalable and provides strong protection without sacrificing the shareability. (C) 2019 Elsevier Inc. All rights reserved.

Published

2020

6. TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs

Author

Cristiano Giuffrida, Jakob Koschel, Herbert Bos, Kaveh Razavi, Computer Systems, Network Institute, and Systems and Network Security

Subjects

SDG 16 - Peace, Address space layout randomization, Exploit, Computer science, Address space, Distributed computing, Translation lookaside buffer, SDG 16 - Peace, Justice and Strong Institutions, 0102 computer and information sciences, 02 engineering and technology, Translation (geometry), 01 natural sciences, Justice and Strong Institutions, n/a, 010201 computation theory & mathematics, Face (geometry), Kernel (statistics), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Isolation (database systems)

Abstract

Kernel Address Space Layout Randomization (KASLR) has been repeatedly targeted by side-channel attacks that exploit a typical unified user/kernel address space organization to disclose randomized kernel addresses. The community has responded with kernel address space isolation techniques that separate user and kernel address spaces (and associated resources) to eradicate all existing side-channel attacks. In this paper, we show that kernel address space isolation is insufficient to harden KASLR against practical side-channel attacks on modern tagged TLB architectures. While tagged TLBs have been praised for optimizing the performance of kernel address space isolation, we show that they also silently break its original security guarantees and open up opportunities for new derandomization attacks. As a concrete demonstration, we present TagBleed, a new side-channel attack that abuses tagged TLBs and residual translation information to break KASLR even in the face of state-of-The-Art mitigations. TagBleed is practical and shows that implementing secure address space isolation requires deep partitioning of microarchitectural resources and a more generous performance budget than previously assumed.

Published

2020

7. Fine-grained address space layout randomization on program load

Author

Shamil Kurmangaleev, A. V. Vishnyakov, A.R. Nurmukhametov, E. A. Zhabotinskiy, and Serguei Gaissaryan

Subjects

Computer science, Distributed computing, 0211 other engineering and technologies, Working capacity, 02 engineering and technology, lcsh:QA75.5-76.95, rop, Software, 0202 electrical engineering, electronic engineering, information engineering, General Environmental Science, 021110 strategic, defence & security studies, Address space layout randomization, business.industry, рандомизация адресного пространства, 020207 software engineering, computer.file_format, Loader, Dynamic linker, General Earth and Planetary Sciences, диверсификация, Granularity, Executable, lcsh:Electronic computers. Computer science, business, computer, aslr

Abstract

Software vulnerabilities are a serious security threat. It is important to develop protection mechanisms preventing their exploitation, especially with a rapid increase of ROP attacks. State of the art protection mechanisms have some drawbacks that can be used by attackers. In this paper, we propose fine-grained address space layout randomization on program load that is able to protect from such kind of attacks. During the static linking stage, the executable and library files are supplemented with information about function boundaries and relocations. A system dynamic linker/loader uses this information to perform permutation of functions. The proposed method was implemented for 64-bit programs on CentOS 7 operating system. The implemented method has shown good resistance to ROP attacks evaluated by two metrics: the number of survived gadgets and the exploitability estimation of ROP chain examples. The implementation presented in this article is applicable across the entire operating system and has no compatibility problems affecting the program performance. The working capacity of proposed approach was demonstrated on real programs. The further research can cover forking randomization and finer granularity than on the function level. It also makes sense to implement the randomization of short functions placement taking into account the relationships between them. The close arrangement of functions that often call each other can improve the performance of individual programs.

Published

2018

8. BoundShield: Comprehensive Mitigation for Memory Disclosure Attacks via Secret Region Isolation

Author

Yajuan Du, Benxi Liu, Deqing Zou, and Hai Jin

Subjects

General Computer Science, Computer science, Memory corruption, 02 engineering and technology, computer.software_genre, Computer security, 01 natural sciences, Memory disclosure attacks, Function pointer, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), General Materials Science, execute-only memory, 010302 applied physics, Address space layout randomization, software security, Address space, General Engineering, 020207 software engineering, Hypervisor, Pointer (computer programming), Compiler, lcsh:Electrical engineering. Electronics. Nuclear engineering, computer, lcsh:TK1-9971, Memory protection

Abstract

Address space layout randomization (ASLR) is now widely adopted in modern operating systems to thwart code reuse attacks. However, an adversary can still bypass fine-grained ASLR by exploiting memory corruption vulnerabilities and performing memory disclosure attacks. Although Execute-no-Read schemes have been proven to be an efficient solution against read-based memory disclosures, existing solutions need modifications to kernel or hypervisor. Besides, the defense of execution-based memory disclosures has been ignored. In this paper, we propose BoundShield, a self-protection scheme that provides comprehensive protection against memory disclosure attacks, especially against those based on executing arbitrary code by leveraging Intel Memory Protection Extension . BoundShield protects code memory by defending not only read-based memory disclosure attacks but also execution-based memory disclosure attacks. On one hand, read-based memory disclosures can be eliminated by hiding all code sections and code pointers in a secret region separated from the user address space. On the other hand, BoundShield prevents return addresses from being corrupted and ensures that all function pointers point to the legitimate entries whenever they are dereferenced, which significantly reduces the attack surface for execution-based memory disclosures. We have implemented a prototype of BoundShield based on a set of modifications to compiler toolchain and the standard C library. Our evaluation results show that the BoundShield can provide strong defenses against memory disclosure attacks while incurring a small performance overhead.

Published

2018

9. Towards Automated Discovery of Crash-Resistant Primitives in Binary Executables

Author

Benjamin Kollenda, Philipp Koppe, Robert Gawlik, Radhesh Krishnan Konoth, Enes Goktas, Cristiano Giuffrida, Tim Blazytko, Herbert Bos, Thorsten Holz, Computer Systems, Network Institute, and Systems and Network Security

Subjects

021110 strategic, defence & security studies, Theoretical computer science, Source code, Address space layout randomization, Exploit, Address space, Computer science, media_common.quotation_subject, 0211 other engineering and technologies, Crash, 02 engineering and technology, computer.file_format, Metadata, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Executable, computer, media_common

Abstract

Many modern defenses rely on address space layout randomization (ASLR) to efficiently hide security-sensitive metadata in the address space. Absent implementation flaws, an attacker can only bypass such defenses by repeatedly probing the address space for mapped (security-sensitive) regions, incurring a noisy application crash on any wrong guess. Recent work shows that modern applications contain idioms that allow the construction of crash-resistant code primitives, allowing an attacker to efficiently probe the address space without causing any visible crash. In this paper, we classify different crash-resistant primitives and show that this problem is much more prominent than previously assumed. More specifically, we show that rather than relying on labor-intensive source code inspection to find a few 'hidden' application-specific primitives, an attacker can find such primitives semi-automatically, on many classes of real-world programs, at the binary level. To support our claims, we develop methods to locate such primitives in real-world binaries. We successfully identified 29 new potential primitives and constructed proof-of-concept exploits for four of them.

Published

2017

10. G-free: Defeating return-oriented programming through gadget-less binaries

Author

Andrea Lanzi, Engin Kirda, Kaan Onarlioglu, Davide Balzarotti, and Leyla Bilge

Subjects

Computer science, Program compilers, 0211 other engineering and technologies, Security of data, Memory corruption, 02 engineering and technology, computer.software_genre, Computer security, Security systems, Gadget, 0202 electrical engineering, electronic engineering, information engineering, Return-oriented programming, Practical solutions, Software system, Software systems, Branch instructions, Operating systems, Control-flow integrity, 021110 strategic, defence & security studies, Address space layout randomization, Real-world application, 020207 software engineering, computer.file_format, Protection mechanisms, Computer operating systems, ROP, Return-to-libc, Compiler, Executable, Computer applications, computer, Exploitation techniques

Abstract

Conference name: ACSAC '10 Proceedings of the 26th Annual Computer Security Applications Conference Date of Conference: 06-10 December, 2010 Despite the numerous prevention and protection mechanisms that have been introduced into modern operating systems, the exploitation of memory corruption vulnerabilities still represents a serious threat to the security of software systems and networks. A recent exploitation technique, called Return-Oriented Programming (ROP), has lately attracted a considerable attention from academia. Past research on the topic has mostly focused on refining the original attack technique, or on proposing partial solutions that target only particular variants of the attack. In this paper, we present G-Free, a compiler-based approach that represents the first practical solution against any possible form of ROP. Our solution is able to eliminate all unaligned free-branch instructions inside a binary executable, and to protect the aligned free-branch instructions to prevent them from being misused by an attacker. We developed a prototype based on our approach, and evaluated it by compiling GNU libc and a number of real-world applications. The results of the experiments show that our solution is able to prevent any form of return-oriented programming. © 2010 ACM.

Published

2010

11. Breaking the memory secrecy assumption

Author

Sven Lachmund, Raoul Strackx, Frank Piessens, Yves Younan, Thomas Walter, Pieter Philippaerts, Markatos, Envagelos, and Costa, Manuel

Subjects

Instruction set randomization, Address space layout randomization, Exploit, Computer science, Secrecy, Probabilistic logic, security, Computer security, computer.software_genre, computer, Randomness, Buffer overflow, Heap (data structure)

Abstract

Many countermeasures exist that attempt to protect against buffer overflow attacks on applications written in C and C++. The most widely deployed countermeasures rely on artificially introducing randomness in the memory image of the application. StackGuard and similar systems for instance will insert a random value before the return address on the stack, and Address Space Layout Randomization (ASLR) will make the location of stack and/or heap less predictable for an attacker. A critical assumption in these probabilistic countermeasures is that attackers cannot read the contents of memory. In this paper we show that this assumption is not always justified. We identify a new class of vulnerabilities – buffer overreads – that occur in practice and that can be exploited to read parts of the memory contents of a process running a vulnerable application. We describe in detail how to exploit an application protected by both ASLR and stack canaries if the application contains both a buffer overread and a buffer overflow vulnerability. We also provide a detailed discussion of how this vulnerability affects other, less widely deployed probabilistic countermeasures such as memory obfuscation and instruction set randomization. ispartof: pages:1-8 ispartof: Proceedings of the 2nd European Workshop on System Security pages:1-8 ispartof: Eurosec location:Nuremberg date:31 Mar - 31 Mar 2009 status: published

Published

2009

12. The Security Challenges of Client-Side Just-in-Time Engines.

Author

Rohlf, Chris and Ivnitskiy, Yan

Abstract

Any added complexity in a software system will increase the possible program states, introducing a larger attack surface and the possibility of more exploitable flaws. JIT engines, however, alter the environment in which they execute in far more interesting ways, not only through implementation flaws but also by their fundamental operation modes. [ABSTRACT FROM PUBLISHER]

Published

2012

13. Mobile Attacks and Defense.

Author

Miller, Charlie

Abstract

Smartphones' features are great, but with the power they provide, there's also a threat. Smartphones are becoming a target of attackers in the same way PCs have been for many years. This article examines the security models of two popular smart phone operating systems: Apple's iOS and Google's Android. [ABSTRACT FROM PUBLISHER]

Published

2011