Your search keyword '"Address space layout randomization"' showing total 37 results

1. Exploit detection based on illegal control flow transfers identification

Author

Ming-hua WANG, Ling-yun YING, and Deng-guo FENG

Subjects

software vulnerability, exploit, attack detection, address space layout randomization, data execution pro-tection, Telecommunication, TK5101-6720

Abstract

In order to deal with exploit attacks such as APT,an approach was proposed to detect exploits based on illegal control flow transfers identification.Both static and dynamic analysis methods were performed to construct the CFSO (control flow safety outline),which was used to restrict the targets of control flow transfers occurred during the target program's running.When a call/ret/jmp was about to execute,the target was checked according to the CFSO.The illegal control flow transfer is considered as an exploit attack and all the following attacking steps could be captured.The ex-periment also showed that proposed method had decent overhead and could be applied to detect exploits online.

Published

2014

2. Stopping Memory Disclosures via Diversification and Replicated Execution

Author

Wenke Lee, Chengyu Song, Taesoo Kim, Kangjie Lu, and Meng Xu

Subjects

021110 strategic, defence & security studies, Web server, Address space layout randomization, Exploit, Computer science, 0211 other engineering and technologies, Memory corruption, 02 engineering and technology, computer.software_genre, Computer security, Memory management, Synchronization (computer science), Confidentiality, Electrical and Electronic Engineering, Heartbleed, computer

Abstract

With the wide deployment of security mechanisms such as Address Space Layout Randomization (ASLR), memory disclosures have become a prerequisite for critical memory-corruption attacks (e.g., code-reuse attack)—adversaries are forced to exploit memory disclosures to circumvent ASLR as the first step. As a result, the security threats of memory disclosures are now significantly aggravated—they break not only data confidentiality but also the effectiveness of security mechanisms. In this paper, we propose a general detection methodology and develop a system to stop memory disclosures. We observe that memory disclosures are not root causes but rather consequences of a variety of hard-to-detect program errors such as memory corruption and uninitialized read. We thus propose a replicated execution–based methodology to generally detect memory disclosures, regardless of their causes. We realize this methodology with Buddy : By seamlessly maintaining two identical running instances of a target program and diversifying only its target data, Buddy can accurately detects memory disclosures of the data, as doing so will result in the two instances outputting different values. Extensive evaluation results show that Buddy is reliable and efficient while stopping real memory disclosures such as the Heartbleed leak.

Published

2021

3. Address Space Layout Randomization Comparative Analysis on Windows 10 and Ubuntu 18.04 LTS

Author

Martiño Rivera-Dourado, Raquel Vázquez Díaz, Pilar Vila Avendaño, Rubén Pérez-Jove, and José M. Vázquez-Naya

Subjects

Windows, Address space layout randomization, Exploit, Computer science, media_common.quotation_subject, Comparative analysis, Process (computing), Context (language use), Ubuntu, ASLR, Memory management, Virtual address space, Computer engineering, Memory, Function (engineering), Memory protection, media_common

Abstract

Presented at the 4th XoveTIC Conference, A Coruña, Spain, 7–8 October 2021 [Abstract] Memory management is one of the main tasks of an Operating System, where the data of each process running in the system is kept. In this context, there exist several types of attacks that exploit memory-related vulnerabilities, forcing Operating Systems to feature memory protection techniques that make difficult to exploit them. One of these techniques is ASLR, whose function is to introduce randomness into the virtual address space of a process. The goal of this work was to measure, analyze and compare the behavior of ASLR on the 64-bit versions of Windows 10 and Ubuntu 18.04 LTS. The results have shown that the implementation of ASLR has improved significantly on these two Operating Systems compared to previous versions. However, there are aspects, such as partial correlations or a frequency distribution that is not always uniform, so it can still be improved. We wish to acknowledge the support received from the Centro de Investigación de Galicia “CITIC”. CITIC, as Research Center accredited by Galician University System, is funded by “Consellería de Cultura, Educación e Universidade from Xunta de Galicia”, supported in an 80% through ERDF, ERDF Operational Programme Galicia 2014–2020, and the remaining 20% by “Secretaría Xeral de Universidades” (Grant ED431G 2019/01). This work was also supported by the “Consellería de Cultura, Educación e Ordenación Universitaria” via the Consolidation and Structuring of Competitive Research Units—Competitive Reference Groups (ED431C 2018/49) and the COST Action 17124 DigForAsp, supported by COST (European Cooperation in Science and Technology, www.cost.eu, (accessed on 20 July 2021)) Xunta de Galicia; ED431G 2019/01 Xunta de Galicia; ED431C 2018/49

Published

2021

4. ARG: Automatic ROP Chains Generation

Author

Jianwei Zhuge, Ennan Zheng, Wei Yuan, Senlin Luo, Jing Gao, Limin Pan, and Bo Li

Subjects

AMOCO, Intermediate language, return oriented programming, Address space layout randomization, Z3 solver, General Computer Science, Exploit, business.industry, Computer science, automatic exploit generation, General Engineering, satisfiability modulo theories, Symbolic execution, Data Execution Prevention, Gadget, Embedded system, General Materials Science, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, lcsh:TK1-9971, Return-oriented programming

Abstract

Return Oriented Programming (ROP) chains attack has been widely used to bypass Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protection. However, the generation technology for ROP chains is still in a state of manual coding. While, current techniques for automatically generating ROP chains are still insufficiently researched and have few successful applications. On the other hand, the existing methods are based on using Intermediate Language (IL) which is in order to translate the semantics of original instructions for symbolic execution, and then fill in a predefined gadget arrangement to automatically construct a gadget list. This kind of methods may bring following problems: (1) when converting semantics of original to IL, there is a large amount of overhead time, critical instructions may be discarded; (2) the process of populating a predetermined gadget arrangement is inflexible and may fail to construct ROP chains due to address mismatching. In this paper, we propose the Automatic ROP chains Generation (ARG) which is the first fully automatic ROP chains generation tool without using IL. Tested with data from 6 open-source international Capture The Flag (CTF) competitions and 3 Common Vulnerabilities & Exposures (CVE)s, this technology successfully generated ROP chains for all of them. According to the obtained results, our technique can automatically create ROP payloads and reduce up to 80% of ROP exploit payloads. It takes only 3-5 seconds to exploit successfully, compared to manual analysis for at least 60 minutes, as well as it can effectively bypass both Write XOR Execute (W⊕X) and ASLR.

Published

2019

5. Exploiting stack-based buffer overflow using modern day techniques

Author

Ștefan Nicula and Razvan Daniel Zota

Subjects

Address space layout randomization, Exploit, Computer science, Memory pool, 020206 networking & telecommunications, 02 engineering and technology, computer.file_format, computer.software_genre, Memory leak, Data Execution Prevention, 0202 electrical engineering, electronic engineering, information engineering, Operating system, General Earth and Planetary Sciences, Stack buffer overflow, 020201 artificial intelligence & image processing, Executable, computer, General Environmental Science, Buffer overflow, Heap (data structure)

Abstract

One of the most commonly known vulnerabilities that can affect a binary executable is the stack-based buffer overflow. The buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations. Nowadays, due to multiple protection mechanisms enforced by the operating system and on the executable level, the buffer overflow has become harder to exploit. Multiple bypassing techniques are often required to be used in order to successfully exploit the vulnerability and control the execution flow of the studied executable. One of the security features designed as protection mechanisms is Data Execution Prevention (DEP) which helps prevent code execution from the stack, heap or memory pool pages by marking all memory locations in a process as non-executable unless the location explicitly contains executable code. Another protection mechanism targeted is the Address Space Layout Randomization (ASLR), which is often used in conjunction with DEP. This security feature randomizes the location where the system executables are loaded into memory. By default, modern day operating systems have these security features implemented. However, on the executable level, they have to be explicitly enabled. Most of the protection mechanisms, like the ones mentioned above, require certain techniques in order to bypass them and many of these techniques are using some form of address memory leakage in order to leverage an exploit. By successfully exploiting a buffer overflow, the adversary can potentially obtain code execution on the affected operating system which runs the vulnerable executable. The level of privilege granted to the adversary is highly depended on the level of privilege that the binary is executed with. As such, an adversary may gain elevated privileges inside the system. Most of the times, this type of vulnerability is used for privilege escalation attacks or for gaining remote code execution on the system.

Published

2019

6. An Automatic Evaluation Approach for Binary Software Vulnerabilities with Address Space Layout Randomization Enabled

Author

Xie Jia, Feng Chao, Tang Chao-jing, and Zhang Bin

Subjects

Address space layout randomization, Exploit, Computer science, business.industry, Vulnerability, Computer security, computer.software_genre, Software, Software security assurance, Vulnerability assessment, Proof of concept, Information leakage, business, computer

Abstract

ASLR is currently an effective mean to defend against exploits based on known addresses, but in recent years, exploit codes have begun to effectively bypass the ASLR technology. Since the ASLR mechanism bypass methods are different and closely related to the target program, the current vulnerability assessments with ASLR enabled are manually completed based on the experience of manual vulnerability exploitation. Therefore, how to quickly assess software vulnerabilities, especially with the ASLR enabled, is a problem that needs to be solved in current software security. In this paper, we propose an automatic evaluation approach for binary software vulnerabilities with ASLR enabled, that can obtain key address information from the program to identify the possible ASLR bypasspaths. The approach uses an information leakage method based on a recessive output function by imitating the ASLR bypass technology commonly used among human vulnerability exploitation experts. By inputting a valid proof of concept, it first obtains the vulnerability triggering constraints of the target program, then searches for the hidden output function to leak information, and generates a final exploit that can be used to bypass ASLR. We argue that this automatic evaluation approach can reduce the reliance on manual work of ASLR-related exploits, and improves the vulnerability assessment mechanism significantly. We evaluated our approach against three CTF binary programs, and the results show that it can assess the exploitability of the vulnerability with the ASLR enabled in seconds.

Published

2021

7. BadASLR: Exceptional Cases of ASLR Aiding Exploitation

Author

Daehee Jang

Subjects

Commercial software, Wargame, Address space layout randomization, Exploit, business.industry, Computer science, Computer security, computer.software_genre, Software, Information leakage, Set (psychology), business, computer, Memory safety

Abstract

Address Space Layout Randomization (ASLR) is de-facto standard exploit mitigation in our daily life software. The simplest idea of unpredictably randomizing memory layout significantly raises the bar for memory exploitation due to the additionally required attack primitives such as information leakage. Ironically, although exceptional, there are rare edge cases where ASLR becomes handy for memory exploitation. In this paper, we dig into such theoretical set of cases and name it as BadASLR. To evaluate if BadASLR can be an actual plausible scenario, we look into real-world bug bounty cases, CTF/wargame challenges. Surprisingly, we found multiple vulnerabilities in commercial software where ASLR becomes handy for attacker. With BadASLR cases, we succeeded in exploiting peculiar vulnerabilities, and received total 10,000 USD as bug bounty reward including one CVE assignment.

Published

2021

8. A Review of Memory Errors Exploitation in x86-64

Author

Hector Marco-Gisbert, Carolyn Begg, and Conor Pirry

Subjects

Address space layout randomization, Exploit, Memory errors, SSP, Computer Networks and Communications, Computer science, Vulnerability, stack buffer overflows, Computer security, computer.software_genre, lcsh:QA75.5-76.95, Human-Computer Interaction, ASLR, x86-64, NX, x86, Stack buffer overflow, memory errors, lcsh:Electronic computers. Computer science, Android (operating system), computer, Buffer overflow

Abstract

Memory errors are still a serious threat affecting millions of devices worldwide. Recently, bounty programs have reached a new record, paying up to USD 2.5 million for one single vulnerability in Android and up to USD 2 million for Apple’s operating system. In almost all cases, it is common to exploit memory errors in one or more stages to fully compromise those devices. In this paper, we review and discuss the importance of memory error vulnerabilities, and more specifically stack buffer overflows to provide a full view of how memory errors are exploited. We identify the root causes that make those attacks possible on modern x86-64 architecture in the presence of modern protection techniques. We have analyzed how unsafe library functions are prone to buffer overflows, revealing that although there are secure versions of those functions, they are not actually preventing buffer overflows from happening. Using secure functions does not result in software free from vulnerabilities and it requires developers to be security-aware. To overcome this problem, we discuss the three main security protection techniques present in all modern operating system; the non-eXecutable bit (NX), the Stack Smashing Protector (SSP) and the Address Space Layout Randomization (ASLR). After discussing their effectiveness, we conclude that although they provide a strong level of protection against classical exploitation techniques, modern attacks can bypass them.

Published

2020

9. TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs

Author

Cristiano Giuffrida, Jakob Koschel, Herbert Bos, Kaveh Razavi, Computer Systems, Network Institute, and Systems and Network Security

Subjects

SDG 16 - Peace, Address space layout randomization, Exploit, Computer science, Address space, Distributed computing, Translation lookaside buffer, SDG 16 - Peace, Justice and Strong Institutions, 0102 computer and information sciences, 02 engineering and technology, Translation (geometry), 01 natural sciences, Justice and Strong Institutions, n/a, 010201 computation theory & mathematics, Face (geometry), Kernel (statistics), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Isolation (database systems)

Abstract

Kernel Address Space Layout Randomization (KASLR) has been repeatedly targeted by side-channel attacks that exploit a typical unified user/kernel address space organization to disclose randomized kernel addresses. The community has responded with kernel address space isolation techniques that separate user and kernel address spaces (and associated resources) to eradicate all existing side-channel attacks. In this paper, we show that kernel address space isolation is insufficient to harden KASLR against practical side-channel attacks on modern tagged TLB architectures. While tagged TLBs have been praised for optimizing the performance of kernel address space isolation, we show that they also silently break its original security guarantees and open up opportunities for new derandomization attacks. As a concrete demonstration, we present TagBleed, a new side-channel attack that abuses tagged TLBs and residual translation information to break KASLR even in the face of state-of-The-Art mitigations. TagBleed is practical and shows that implementing secure address space isolation requires deep partitioning of microarchitectural resources and a more generous performance budget than previously assumed.

Published

2020

10. Badaslr: Exceptional cases of ASLR aiding exploitation

Author

Daehee Jang

Subjects

Commercial software, Address space layout randomization, Wargame, General Computer Science, Exploit, Computer science, Computer security, computer.software_genre, Heap spraying, Pointer (computer programming), Information leakage, x86, Law, computer

Abstract

Address Space Layout Randomization (ASLR) is de-facto standard exploit mitigation in our daily life software. The simplest idea of unpredictably randomizing memory layout significantly raises the bar for memory exploitation due to the additionally required attack primitives such as information leakage. Ironically, although exceptional, there are rare edge cases where ASLR becomes handy for memory exploitation. In this paper, we dig into such theoretical set of cases and name it as BadASLR. Based on our study, we introduce four categories of BadASLR: (i) aiding free chunk reclamation in heap spraying attack, (ii) aiding stack pivoting in frame-pointer null poisoning attack, (iii) reviving the exploitability of invalid pointer referencing bug, and (iv) introducing wild-card ROP gadgets in x86/x64 position independent code environment. To evaluate if BadASLR can be an actual plausible scenario, we look into real-world bug bounty cases, CTF/wargame challenges. Surprisingly, we found multiple vulnerabilities in commercial software where ASLR becomes handy for attacker. With BadASLR cases, we succeeded in exploiting peculiar vulnerabilities, and received total 10,000 USD as bug bounty reward including one CVE assignment.

Published

2022

11. Automatic Exploit Generation for Buffer Overflow Vulnerabilities

Author

Yongjun Li, Wei Dong, Weixi Jia, and Luhang Xu

Subjects

021110 strategic, defence & security studies, Address space layout randomization, Exploit, business.industry, Computer science, Distributed computing, 0211 other engineering and technologies, 02 engineering and technology, Symbolic execution, Software quality, Software, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, business, Constraint satisfaction problem, Vulnerability (computing), Buffer overflow

Abstract

Buffer overflow vulnerabilities are widely found in software. Finding these vulnerabilities and identifying whether these vulnerabilities can be exploit is very important. However, it is not easy to find all of the buffer overflow vulnerabilities in software programs, and it is more difficult to find and exploit these vulnerabilities in binary programs. This paper proposes a method and a corresponding tool that automatically finds buffer overflow vulnerabilities in binary programs, and then automatically generate exploit for the vulnerability. The tool uses symbolic execution to search the target software and find potential buffer overflow vulnerabilities, then try to bypass system protection by choosing different exploiting method according to the different level of protections. Finally, the exploit of software vulnerability is generated using constraint solver. The method and tool can automatically find vulnerabilities and generate exploits for three kinds of protection: without system protection, with address space layout randomization protection, and with stack non-executable protection.

Published

2018

12. Dynamic Loader Oriented Programming on Linux

Author

Thomas Kittel, Claudia Eckert, Julian Kirsch, and Bruno Bierbaumer

Subjects

Loader, Taint checking, Address space layout randomization, Control flow, Software bug, Exploit, Computer science, Pointer (computer programming), Operating system, x86, computer.software_genre, computer

Abstract

Memory corruptions are still the most prominent venue to attack otherwise secure programs. In order to make exploitation of software bugs more difficult, defenders introduced a vast number of post corruption security mitigations, such as w⊕x memory, Stack Canaries, and Address Space Layout Randomization (ASLR), to only name a few. In the following, we describe the Wiederganger1-Attack, a new attack vector that reliably allows to escalate unbounded array access vulnerabilities occurring in specifically allocated memory regions to full code execution on programs running on i386/x86_64 Linux.Wiederganger-attacks abuse determinism in Linux ASLR implementation combined with the fact that (even with protection mechanisms such as relro and glibc's pointer mangling enabled) there exist easy-to-hijack, writable (function) pointers in application memory. To discover such pointers, we use taint analysis and backwards slicing at the binary level and calculate an over-approximation of vulnerable instruction sequences.To show the relevance of Wiederganger, we exploit one of the discovered instruction sequences to perform an attack on Debian 10 (Buster) by overwriting structures used by the dynamic loader (dl) that are present in any application with glibc and the dynamic loader as dependency. In order to show generality, we solely focus on data structures dispatched at program shutdown, as this is a point that arguably all applications eventually have to reach. This results in a reliable compromise that effectively bypasses all protection mechanisms deployed on x86_64/i386 Linux to date.We believe Wiederganger to be part of an under-researched type of control flow hijacking attacks targeting internal control structures of the dynamic loader for which we propose to use the terminology Loader Oriented Programming (LOP).

Published

2017

13. Towards Automated Discovery of Crash-Resistant Primitives in Binary Executables

Author

Benjamin Kollenda, Philipp Koppe, Robert Gawlik, Radhesh Krishnan Konoth, Enes Goktas, Cristiano Giuffrida, Tim Blazytko, Herbert Bos, Thorsten Holz, Computer Systems, Network Institute, and Systems and Network Security

Subjects

021110 strategic, defence & security studies, Theoretical computer science, Source code, Address space layout randomization, Exploit, Address space, Computer science, media_common.quotation_subject, 0211 other engineering and technologies, Crash, 02 engineering and technology, computer.file_format, Metadata, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Executable, computer, media_common

Abstract

Many modern defenses rely on address space layout randomization (ASLR) to efficiently hide security-sensitive metadata in the address space. Absent implementation flaws, an attacker can only bypass such defenses by repeatedly probing the address space for mapped (security-sensitive) regions, incurring a noisy application crash on any wrong guess. Recent work shows that modern applications contain idioms that allow the construction of crash-resistant code primitives, allowing an attacker to efficiently probe the address space without causing any visible crash. In this paper, we classify different crash-resistant primitives and show that this problem is much more prominent than previously assumed. More specifically, we show that rather than relying on labor-intensive source code inspection to find a few 'hidden' application-specific primitives, an attacker can find such primitives semi-automatically, on many classes of real-world programs, at the binary level. To support our claims, we develop methods to locate such primitives in real-world binaries. We successfully identified 29 new potential primitives and constructed proof-of-concept exploits for four of them.

Published

2017

14. HAIT: Heap Analyzer with Input Tracing

Author

Giovanni Squillero, Andrea Atzeni, Francesco Muroni, and Andrea Marcelli

Subjects

Exploit, Heap, Spectrum analyzer, Address space layout randomization, Computer science, Distributed computing, Memory Profiler, Tracing, Heap spraying, Taint checking, Dynamic Symbolic Execution, Heap, Exploit, Memory Profiler, Dynamic Symbolic Execution, Taint Analysis, Taint Analysis, Binomial heap, Heap (data structure)

Abstract

Heap exploits are one of the most advanced, complex and frequent types of attack. Over the years, many effective techniques have been developed to mitigate them, such as data execution prevention, address space layout randomization and canaries. However, if both knowledge and control of the memory allocation are available, heap spraying and other attacks are still feasible. This paper presents HAIT, a memory profiler that records critical operations on the heap and shows them graphically in a clear and comprehensible format. A prototype was implemented on top of Triton, a framework for dynamic binary analysis. The experimental evaluation demonstrates that HAIT can help identifying the essential information needed to carry out heap exploits, providing valuable knowledge for an effective attack.

Published

2017

15. ASLR and ROP Attack Mitigations for ARM-Based Android Devices

Author

Vivek Parikh and Prabhaker Mateti

Subjects

0301 basic medicine, Address space layout randomization, Exploit, Java, Computer science, 02 engineering and technology, Computer security, computer.software_genre, 03 medical and health sciences, Normal functioning, 030104 developmental biology, 020204 information systems, Crowd sourcing, 0202 electrical engineering, electronic engineering, information engineering, Android (operating system), Android device, computer, Return-oriented programming, computer.programming_language

Abstract

ASLR (address space layout randomization) and ROP (return oriented programming) attacks have been happening for years on the PC platform. Android devices are ripe for these same attacks. Android has made mitigation efforts, mostly in the Zygote (mother of all Java processes), which is presently exposed to a vast number of ASLR bypassing exploits. We carefully re-analyzed the Zygote process creation model. We include mitigations not only for ASLR but also for ROP attacks. We demonstrate that Android becomes robust against most of the ROP exploits by running such attacks on the device, in the presence of our solution. We compare our solution with existing solutions and show that ours is a more effective approach to mitigate ASLR and ROP attacks on ARM based Android devices. Our changes do not interfere with the normal functioning of the Android device and can be easily incorporated as a secure replacement for the existing Zygote that is presently exposed to a vast number of ASLR bypassing vulnerabilities.

Published

2017

16. LAZARUS: Practical Side-Channel Resilient Kernel-Space Randomization

Author

Yier Jin, Ahmad-Reza Sadeghi, Dean Sullivan, Orlando Arias, Christopher Liebchen, and David Gens

Subjects

010302 applied physics, 021110 strategic, defence & security studies, Address space layout randomization, Exploit, Computer science, business.industry, Payload (computing), 0211 other engineering and technologies, 02 engineering and technology, 01 natural sciences, Kernel (statistics), 0103 physical sciences, Code (cryptography), Paging, Side channel attack, business, Privilege escalation, Computer network

Abstract

Kernel exploits are commonly used for privilege escalation to take full control over a system, e.g., by means of code-reuse attacks. For this reason modern kernels are hardened with kernel Address Space Layout Randomization (KASLR), which randomizes the start address of the kernel code section at boot time. Hence, the attacker first has to bypass the randomization, to conduct the attack using an adjusted payload in a second step. Recently, researchers demonstrated that attackers can exploit unprivileged instructions to collect timing information through side channels in the paging subsystem of the processor. This can be exploited to reveal the randomization secret, even in the absence of any information-disclosure vulnerabilities in the software.

Published

2017

17. A Function Level Randomization Technique to Mitigate ROP Attacks

Author

Xun Zhan, Liang Xiao, and Tao Zheng

Subjects

Address space layout randomization, Exploit, Computer science, business.industry, media_common.quotation_subject, General Engineering, computer.file_format, Computer security, computer.software_genre, Software, Code (cryptography), Binary code, Executable, Function (engineering), business, Return-oriented programming, computer, media_common

Abstract

ROP (Return-Oriented Programming) is a kind of attack technique which makes use of the existing binary code of target systems. ASLR (Address Space Layout Randomization) is widely used to protect systems from buffer-overflow attacks by introducing artificial diversity to software. With ASLR software can be immune from ROP attacks to some extent. Due to the fact that ASLR cant randomize base addresses of executables code segments and its utility on 32-bit architectures is limited by the number of bits available for address randomization, attackers can successfully exploit a target system by using brute force in limited time. Thus, we proposed FLR, a function level randomization technique to mitigate ROP attacks. FLR randomly permutes functions in executables, making attackers assumptions on executables incorrect. We implemented a prototype of FLR and randomized ten executables. ROP attacks succeeded without FLR and failed with FLR.

Published

2013

18. Control-flow integrity principles, implementations, and applications

Author

Martín Abadi, Úlfar Erlingsson, Jay Ligatti, and Mihai Budiu

Subjects

Address space layout randomization, General Computer Science, Exploit, business.industry, Call stack, Computer science, Distributed computing, Access control, Security policy, Computer security, computer.software_genre, Software, Safety, Risk, Reliability and Quality, business, Enforcement, Return-oriented programming, computer

Abstract

Current software attacks often build on exploits that subvert machine-code execution. The enforcement of a basic safety property, control-flow integrity (CFI), can prevent such attacks from arbitrarily controlling program behavior. CFI enforcement is simple and its guarantees can be established formally, even with respect to powerful adversaries. Moreover, CFI enforcement is practical: It is compatible with existing software and can be done efficiently using software rewriting in commodity systems. Finally, CFI provides a useful foundation for enforcing further security policies, as we demonstrate with efficient software implementations of a protected shadow call stack and of access control for memory regions.

Published

2009

19. Short Paper

Author

Vijay Ganesh, Martín Ochoa, and Sebastian Banescu

Subjects

Address space layout randomization, Exploit, Mechanism (biology), Computer science, Probabilistic logic, State of affairs, Meaning (existential), Computer security, computer.software_genre, Implementation, computer, Buffer overflow

Abstract

In this paper, we introduce a formal notion of partial compliance, called ATTACK-RESISTANCE, of a computer program running together with a defense mechanism w.r.t a non-exploitability specification. In our setting, a program may contain exploitable vulnerabilities, such as buffer overflows, but appropriate defense mechanisms built into the program or the operating system render such vulnerabilities hard to exploit by certain attackers, usually relying on the strength of the randomness of a probabilistic transformation of the environment or the program and some knowledge on the attacker's goals and attack strategy. We are motivated by the reality that most large-scale programs have vulnerabilities despite our best efforts to get rid of them. Security researchers have responded to this state of affairs by coming up with ingenious defense mechanisms such as address space layout randomization (ASLR) or instruction set randomization (ISR) that provide some protection against exploitation. However, implementations of such mechanism have been often shown to be insecure, even against the attacks they were designed to prevent. By formalizing this notion of attack-resistance we pave the way towards addressing the questions: "How do we formally analyze defense mechanisms? Is there a mathematical way of distinguishing effective defense mechanisms from ineffective ones? Can we quantify and show that these defense mechanisms provide formal security guarantees, albeit partial, even in the presence of exploitable vulnerabilities?". To illustrate our approach we discuss under which circumstances ISR implementations comply with the ATTACK-RESISTANCE definition.

Published

2015

20. Securing Legacy Software against Real-World Code-Reuse Exploits

Author

Ahmad-Reza Sadeghi, Lucas Davi, and Per Larsen

Subjects

Address space layout randomization, Exploit, business.industry, Computer science, Code reuse, Legacy system, Vulnerability, computer.software_genre, Computer security, Backward compatibility, Software, Server, Compiler, Legacy code, business, computer

Abstract

Exploitation of memory-corruption vulnerabilities in widely-used software has been a threat for over two decades and no end seems to be in sight. Since performance and backwards compatibility trump security concerns, popular programs such as web browsers, servers, and office suites still contain large amounts of untrusted legacy code written in error-prone languages such as C and C++. At the same time, modern exploits are evolving quickly and routinely incorporate sophisticated techniques such as code reuse and memory disclosure. As a result, they bypass all widely deployed countermeasures including data execution prevention (DEP) and code randomization such as address space layout randomization (ASLR).The good news is that the security community has recently introduced several promising prototype defenses that offer a more principled response to modern exploits. Even though these solutions have improved substantially over time, they are not perfect and weaknesses that allow bypasses are continually being discovered. Moreover, it remains to be seen whether these prototype defenses can be matured and integrated into operating systems, compilers, and other systems software.This paper provides a brief overview of current state-of-the-art exploitation and defense techniques against run-time exploits and elaborates on innovative research prototypes that may one day stem the tide of sophisticated exploits. We also provide a brief analysis and categorization of existing defensive techniques and ongoing work in the areas of code randomization and control-flow integrity, and cover both hardware and software-based solutions.

Published

2015

21. Malicious PDF Documents Explained

Author

Didier Stevens

Subjects

Address space layout randomization, Exploit, Computer Networks and Communications, Computer science, business.industry, computer.software_genre, Computer security, World Wide Web, Software, Software bug, Data Execution Prevention, ComputingMethodologies_DOCUMENTANDTEXTPROCESSING, Code (cryptography), Malware, Electrical and Electronic Engineering, business, Law, computer

Abstract

What makes a PDF file malicious? PDF designers and the PDF reader software architects never intended for files to be able to modify the operating system running the PDF reader. But security researchers and malware authors found ways to exploit PDF readers' software bugs and to creatively use the PDF language, enabling them to produce PDF documents that execute arbitrary code. Embedded files are a good example of this design philosophy. The PDF language allows files to be embedded inside PDF documents.PDF reader software designers have begun using Windows security features such as data execution prevention (DEP) and address space layout randomization (ASLR) to prevent exploits from executing.

Published

2011

22. Information Leaks Without Memory Disclosures

Author

Eric Söderström, Jeff Seibert, and Hamed Okhravi

Subjects

Address space layout randomization, Exploit, Computer science, Code reuse, Code (cryptography), Memory corruption, Code injection, Side channel attack, Computer security, computer.software_genre, computer

Abstract

Code diversification has been proposed as a technique to mitigate code reuse attacks, which have recently become the predominant way for attackers to exploit memory corruption vulnerabilities. As code reuse attacks require detailed knowledge of where code is in memory, diversification techniques attempt to mitigate these attacks by randomizing what instructions are executed and where code is located in memory. As an attacker cannot read the diversified code, it is assumed he cannot reliably exploit the code. In this paper, we show that the fundamental assumption behind code diversity can be broken, as executing the code reveals information about the code. Thus, we can leak information without needing to read the code. We demonstrate how an attacker can utilize a memory corruption vulnerability to create side channels that leak information in novel ways, removing the need for a memory disclosure vulnerability. We introduce seven new classes of attacks that involve fault analysis and timing side channels, where each allows a remote attacker to learn how code has been diversified.

Published

2014

23. Hacking Blind

Author

Ali Mashtizadeh, Adam Belay, David Mazières, Dan Boneh, and Andrea Bittau

Subjects

Address space layout randomization, Source code, Exploit, Computer science, media_common.quotation_subject, computer.software_genre, System call, Server, Operating system, Stack buffer overflow, Return-oriented programming, computer, Vulnerability (computing), media_common

Abstract

We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. We implemented Braille, a fully automated exploit that yielded a shell in under 4,000 requests (20 minutes) against a contemporary nginx vulnerability, yaSSL + MySQL, and a toy proprietary server written by a colleague. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.

Published

2014

24. Security through Emulation-Based Processor Diversification

Author

Juan Carlos Ruiz, David de Andrés, Ismael Ripoll, and Hector Marco

Subjects

Web server, Emulation, Address space layout randomization, Exploit, Memory errors, Hardware virtualization, business.industry, Computer science, computer.software_genre, Software security assurance, Embedded system, business, computer, Memory protection

Abstract

Memory errors, such as stack and integer vulnerabilities, still rank among the top most dangerous software security issues. Existing protection techniques, like Address Space Layout Randomization and Stack-Smashing Protection, prevent potential intrusions by crashing applications when anomalous behaviors are detected. Unfortunately, typical networking server architectures, such those used on Web servers ones, limit the effectiveness of such countermeasures. Since memory error exploits usually rely on highly specific processor characteristics, the same exploit rarely works on different hardware architectures. This paper proposes a novel strategy to thwart memory error exploitation by dynamically changing, upon crash detection, the variant executing the networking server. Required software diversification among variants is obtained using off-the-shelf cross-compilation suites, whereas hardware diversification relies on processor emulation. The proposed case study shows the feasibility and effectiveness of the approach to reduce the likelihood, and in some cases even prevent the possibility, of exploiting memory errors.

Published

2014

25. A Static Recognition Mechanism for Indirect Call Based on Static Single Assignment

Author

Qiaoming Zhu, Xun Zhan, Tao Zheng, Wenyang Bai, Shixiang Gao, Junyuan Xie, and Xianping Tao

Subjects

Function pointer, Address space layout randomization, Ubiquitous computing, Exploit, Static single assignment form, Backtracking, Computer science, Distributed computing, Key (cryptography), Stack buffer overflow

Abstract

By preventing attacks which exploit stack buffer overflow vulnerabilities, address space layout randomization is an effective way for embedded systems protection. However, ASLR will probably suffer exhaustive attacks because the pertinence is not strong. At present only coarse-grained randomization has been implemented because one of the key bottlenecks for fine-grained randomization is the dependencies between functions cannot be constructed completely due to indirect calls. As a result, we give a static inter-procedural backtracking recognition mechanism in this paper by using intermediate code analysis technologies to identify the destination addresses of indirect callings generated by function pointers.

Published

2014

26. Measuring ASLR implementations on modern operating systems

Author

Ricardo Yepes Guevara, David Mora Rodriguez, and David Herrera Aristizabal

Subjects

Address space layout randomization, Exploit, Computer science, Address space, business.industry, Memory corruption, computer.software_genre, Embedded system, Virtual memory, Operating system, NIST, business, computer, Implementation, Randomness

Abstract

Address Space Layout Randomization (ASLR) is a security technique that uses randomness to conceal regions of virtual memory address space of processes, to increase the effort required to develop reliable exploits. It was introduced in the first decade of the third millennium as a mechanism to stop a dangerous attack vector, known as memory corruption. This paper presents a methodology used to evaluate the effectiveness of this technique, as well as the results of the evaluation of two commonly used operating systems: Microsoft's Windows 7 and Canonical's Ubuntu Linux 10.10, both in the 32-bits and 64-bits versions.

Published

2013

27. Practical Control Flow Integrity and Randomization for Binary Executables

Author

Wei Zou, Tao Wei, Dawn Song, Stephen McCamant, Chao Zhang, Lei Duan, Zhaofeng Chen, and Laszlo Szekeres

Subjects

Source code, Address space layout randomization, Exploit, Computer science, business.industry, media_common.quotation_subject, Spec#, computer.file_format, Embedded system, Executable, business, computer, Return-oriented programming, media_common, computer.programming_language

Abstract

Control Flow Integrity (CFI) provides a strong protection against modern control-flow hijacking attacks. However, performance and compatibility issues limit its adoption. We propose a new practical and realistic protection method called CCFIR (Compact Control Flow Integrity and Randomization), which addresses the main barriers to CFI adoption. CCFIR collects all legal targets of indirect control-transfer instructions, puts them into a dedicated "Springboard section" in a random order, and then limits indirect transfers to flow only to them. Using the Springboard section for targets, CCFIR can validate a target more simply and faster than traditional CFI, and provide support for on-site target-randomization as well as better compatibility. Based on these approaches, CCFIR can stop control-flow hijacking attacks including ROP and return-into-libc. Results show that ROP gadgets are all eliminated. We observe that with the wide deployment of ASLR, Windows/x86 PE executables contain enough information in relocation tables which CCFIR can use to find all legal instructions and jump targets reliably, without source code or symbol information. We evaluate our prototype implementation on common web browsers and the SPEC CPU2000 suite: CCFIR protects large applications such as GCC and Firefox completely automatically, and has low performance overhead of about 3.6%/8.6% (average/max) using SPECint2000. Experiments on real-world exploits also show that CCFIR-hardened versions of IE6, Firefox 3.6 and other applications are protected effectively.

Published

2013

28. Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization

Author

Alexandra Dmitrienko, Lucas Davi, Kevin Z. Snow, Fabian Monrose, Ahmad-Reza Sadeghi, and Christopher Liebchen

Subjects

Address space layout randomization, Exploit, Computer science, business.industry, Code reuse, Memory corruption, Computer security, computer.software_genre, Embedded system, The Internet, business, Return-oriented programming, computer, Control-flow integrity

Abstract

Fine-grained address space layout randomization (ASLR) has recently been proposed as a method of efficiently mitigating runtime attacks. In this paper, we introduce the design and implementation of a framework based on a novel attack strategy, dubbed just-in-time code reuse, that undermines the benefits of fine-grained ASLR. Specifically, we derail the assumptions embodied in fine-grained ASLR by exploiting the ability to repeatedly abuse a memory disclosure to map an application's memory layout on-the-fly, dynamically discover API functions and gadgets, and JIT-compile a target program using those gadgets -- all within a script environment at the time an exploit is launched. We demonstrate the power of our framework by using it in conjunction with a real-world exploit against Internet Explorer, and also provide extensive evaluations that demonstrate the practicality of just-in-time code reuse attacks. Our findings suggest that fine-grained ASLR may not be as promising as first thought.

Published

2013

29. String oriented programming

Author

Thomas R. Gross and Mathias Payer

Subjects

scanf format string, Theoretical computer science, Address space layout randomization, Exploit, Computer science, Programming language, Probabilistic logic, Static program analysis, Software system, Static random-access memory, computer.software_genre, Return-oriented programming, computer

Abstract

Control-data attacks are a well known attack vector; these attacks either inject new code into running applications or reuse existing code in an unintended way to execute their malicious payload.Current software systems are protected against control-data attacks using numerous mechanisms like Data Execution Prevention (DEP), stack canaries, and Address Space Layout Randomization (ASLR). ASLR turns deterministic attacks into probabilistic attacks and reduces the probability of a successful attack. Unfortunately, the current ASLR implementation for Linux leaves some memory regions non-randomized. These static memory regions can be used to exploit applications that have ASLR, DEP, and stack canaries enabled.Format string exploits are an often overlooked attack vector that enables attacker-controlled memory writes in an application. A format string bug exists if a user-supplied string is passed as a first argument to any printf function. The only prerequisite for a successful format string exploit is that the attacker must be able to control that format string.This paper presents String Oriented Programming (SOP), an approach that exploits static memory regions in ASLR enabled applications. SOP uses a format string bug to exploit applications that are protected by a combination of weak ASLR, DEP, and stack canaries. Similar to return oriented programming or jump oriented programming, SOP does not rely on existing code but concatenates gadgets in the application using static program analysis.

Published

2013

30. Applying POMDP to moving target optimization

Author

Lu Yu and Richard R. Brooks

Subjects

Set (abstract data type), Mathematical optimization, Optimization problem, Address space layout randomization, Exploit, Computer science, Benchmark (computing), Overhead (computing), Partially observable Markov decision process, Nonlinear programming

Abstract

Diversity maintains security by making the computing environment less standard and less predictable. Recent studies show that many randomization techniques, e.g. address space layout randomization (ASLR) significantly enhance system security simply through reducing the number of return to libc exploits [14]. However, "diversity" may incur significant overhead on the computing platforms. We study the problem of implementing diversity to trade off security performance with diversity implementation costs. We address this problem by formulating it as a partially observable Markov decision process (POMDP). An optimal solution considering a fixed amount of history can be obtained by transforming the POMDP optimization problem into a nonlinear programming (NLP) problem. Simulation results for a set of benchmark problems illustrate the effectiveness of the proposed method.

Published

2013

31. ILR: Where'd My Gadgets Go?

Author

Jason Hiser, Anh Nguyen-Tuong, Michele Co, Matthew Hall, and Jack W. Davidson

Subjects

Address space layout randomization, Exploit, Computer science, Address space, Operating system, x86, Executable, computer.file_format, Compiler, computer.software_genre, Computer security, computer, Return-oriented programming

Abstract

Through randomization of the memory space and the confinement of code to non-data pages, computer security researchers have made a wide range of attacks against program binaries more difficult. However, attacks have evolved to exploit weaknesses in these defenses. To thwart these attacks, we introduce a novel technique called Instruction Location Randomization (ILR). Conceptually, ILR randomizes the location of every instruction in a program, thwarting an attacker's ability to re-use program functionality (e.g., arc-injection attacks and return-oriented programming attacks). ILR operates on arbitrary executable programs, requires no compiler support, and requires no user interaction. Thus, it can be automatically applied post-deployment, allowing easy and frequent re-randomization. Our preliminary prototype, working on 32-bit x86 Linux ELF binaries, provides a high degree of entropy. Individual instructions are randomly placed within a 31-bit address space. Thus, attacks that rely on a priori knowledge of the location of code or derandomization are not feasible. We demonstrated ILR's defensive capabilities by defeating attacks against programs with vulnerabilities, including Adobe's PDF viewer, acroread, which had an in-the-wild vulnerability. Additionally, using an industry-standard CPU performance benchmark suite, we compared the run time of prototype ILR-protected executables to that of native executables. The average run-time overhead of ILR was 13% with more than half the programs having effectively no overhead (15 out of 29), indicating that ILR is a realistic and cost-effective mitigation technique.

Published

2012

32. OverCovert: Using Stack-Overflow Software Vulnerability to Create a Covert Channel

Author

Fatma A. Omara, Sherif Khattab, and Tamer S. Fatayer

Subjects

Address space layout randomization, Exploit, business.industry, Computer science, Covert channel, Encryption, Computer security, computer.software_genre, Obfuscation (software), Heap overflow, business, computer, Computer network, Communication channel, Backdoor

Abstract

Attackers exploit software vulnerabilities, such as stack overflow, heap overflow, and format string errors, to break into victim machines and implant backdoors to maintain access. They typically use obfuscation techniques, such as encryption and covert channels, to hide their command-and-control traffic and avoid detection. In this paper, we show how a vulnerable program can be used to create a covert channel that allows an entity (e.g., an attacker) to stealthily send information to another remote entity (e.g., a backdoor). The proposed covert channel, for which we coin the term OverCovert, is based on the common return-to-libc stack-overflow attack and the address space layout randomization defense. We implemented a proof-of-concept of OverCovert under Linux and evaluated its throughput sending files of different formats. We also propose and analyze techniques to improve channel undetectability and throughput.

Published

2011

33. Surgically Returning to Randomized lib(c)

Author

Roberto Paleari, Giampaolo Fresi Roglia, Danilo Bruschi, and Lorenzo Martignoni

Subjects

Information sensitivity, Address space layout randomization, Exploit, Computer science, Operating system, x86, Executable, computer.file_format, computer.software_genre, computer, Return-oriented programming, Code injection attacks, Buffer overflow

Abstract

To strengthen systems against code injection attacks, the write or execute only policy (W + X) and address space layout randomization (ASLR) are typically used in combination. The former separates data and code, while the latter randomizes the layout of a process. In this paper we present a new attack to bypass W + X and ASLR. The state-of-the-art attack against this combination of protections is based on brute-force, while ours is based on the leakage of sensitive information about the memory layout of the process. Using our attack an attacker can exploit the majority of programs vulnerable to stack-based buffer overflows surgically, i.e., in a single attempt. We have estimated that our attack is feasible on 95.6% and 61.8% executables (of medium size) for Intel x86 and x86-64 architectures, respectively. We also analyze the effectiveness of other existing protections at preventing our attack. We conclude that position independent executables (PIE) are essential to complement ASLR and to prevent our attack. However, PIE requires recompilation, it is often not adopted even when supported, and it is not available on all ASLR-capable operating systems. To overcome these limitations, we propose a new protection that is as effective as PIE, does not require recompilation, and introduces only a minimal overhead.

Published

2009

34. Breaking the memory secrecy assumption

Author

Sven Lachmund, Raoul Strackx, Frank Piessens, Yves Younan, Thomas Walter, Pieter Philippaerts, Markatos, Envagelos, and Costa, Manuel

Subjects

Instruction set randomization, Address space layout randomization, Exploit, Computer science, Secrecy, Probabilistic logic, security, Computer security, computer.software_genre, computer, Randomness, Buffer overflow, Heap (data structure)

Abstract

Many countermeasures exist that attempt to protect against buffer overflow attacks on applications written in C and C++. The most widely deployed countermeasures rely on artificially introducing randomness in the memory image of the application. StackGuard and similar systems for instance will insert a random value before the return address on the stack, and Address Space Layout Randomization (ASLR) will make the location of stack and/or heap less predictable for an attacker. A critical assumption in these probabilistic countermeasures is that attackers cannot read the contents of memory. In this paper we show that this assumption is not always justified. We identify a new class of vulnerabilities – buffer overreads – that occur in practice and that can be exploited to read parts of the memory contents of a process running a vulnerable application. We describe in detail how to exploit an application protected by both ASLR and stack canaries if the application contains both a buffer overread and a buffer overflow vulnerability. We also provide a detailed discussion of how this vulnerability affects other, less widely deployed probabilistic countermeasures such as memory obfuscation and instruction set randomization. ispartof: pages:1-8 ispartof: Proceedings of the 2nd European Workshop on System Security pages:1-8 ispartof: Eurosec location:Nuremberg date:31 Mar - 31 Mar 2009 status: published

Published

2009

35. Control-flow integrity

Author

Martín Abadi, Mihai Budiu, Jay Ligatti, and Úlfar Erlingsson

Subjects

Address space layout randomization, Exploit, Computer science, Call stack, business.industry, Distributed computing, Vulnerability, Access control, Memory corruption, Computer security, computer.software_genre, Security policy, Software, business, Enforcement, computer, Return-oriented programming, Arbitrary code execution

Abstract

Current software attacks often build on exploits that subvert machine-code execution. The enforcement of a basic safety property, Control-Flow Integrity (CFI), can prevent such attacks from arbitrarily controlling program behavior. CFI enforcement is simple, and its guarantees can be established formally even with respect to powerful adversaries. Moreover, CFI enforcement is practical: it is compatible with existing software and can be done efficiently using software rewriting in commodity systems. Finally, CFI provides a useful foundation for enforcing further security policies, as we demonstrate with efficient software implementations of a protected shadow call stack and of access control for memory regions.

Published

2005

36. On the effectiveness of address-space randomization

Author

Hovav Shacham, Matthew Page, Nagendra Modadugu, Eu-Jin Goh, Ben Pfaff, and Dan Boneh

Subjects

Address space layout randomization, Randomization, Exploit, Address space, Computer science, Distributed computing, Code (cryptography), Memory corruption, Return-oriented programming, Buffer overflow, Arbitrary code execution

Abstract

Address-space randomization is a technique used to fortify systems against buffer overflow attacks. The idea is to introduce artificial diversity by randomizing the memory location of certain system components. This mechanism is available for both Linux (via PaX ASLR) and OpenBSD. We study the effectiveness of address-space randomization and find that its utility on 32-bit architectures is limited by the number of bits available for address randomization. In particular, we demonstrate a derandomization attack that will convert any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system. The attack does not require running code on the stack.We also explore various ways of strengthening address-space randomization and point out weaknesses in each. Surprisingly, increasing the frequency of re-randomizations adds at most 1 bit of security. Furthermore, compile-time randomization appears to be more effective than runtime randomization. We conclude that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed. The cost of randomization is extra complexity in system support.

Published

2004

37. Transparent runtime randomization for security

Author

Jun Xu, Ravishankar K. Iyer, and Zbigniew Kalbarczyk

Subjects

Loader, Memory address, Address space layout randomization, Heap overflow, Exploit, C dynamic memory allocation, Computer science, Operating system, Integer overflow, computer.software_genre, computer, Heap (data structure)

Abstract

A large class of security attacks exploit software implementation vulnerabilities such as unchecked buffers. This paper proposes transparent runtime randomization (TRR), a generalized approach for protecting against a wide range of security attacks. TRR dynamically and randomly relocates a program's stack, heap, shared libraries, and parts of its runtime control data structures inside the application memory address space. Making a program's memory layout different each time it runs foils the attacker's assumptions about the memory layout of the vulnerable program and makes the determination of critical address values difficult if not impossible. TRR is implemented by changing the Linux dynamic program loader, hence it is transparent to applications. We demonstrate that TRR is effective in defeating real security attacks, including malloc-based heap overflow, integer overflow, and double-free attacks, for which effective prevention mechanisms are yet to emerge. Furthermore, TRR incurs less than 9% program startup overhead and no runtime overhead.

Published

2004