
ReRanz: A Light-Weight Virtual Machine to Mitigate Memory Disclosure Attacks

Published: 8 April 2017

Abstract

Recent code reuse attacks circumvent the various address space layout randomization (ASLR) techniques by exploiting memory disclosure vulnerabilities. To mitigate such sophisticated code reuse attacks, we propose a light-weight virtual machine, ReRanz, which deploys a novel continuous binary code re-randomization against memory-disclosure-based attacks. To meet both the security and the performance goals, the costly code randomization operations are outsourced to a separate process, the "shuffling process", which continuously flushes the old code and replaces it with a fine-grained randomized code variant. ReRanz repeats this process at every point at which an adversary could have obtained layout information and be ready to deliver a payload, so a disclosed address is stale by the time it can be used. Our performance evaluation shows that the ReRanz virtual machine incurs very low performance overhead, and the security evaluation shows that ReRanz protects the Nginx web server against the Blind-ROP attack.
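The abstract only sketches the re-randomization loop, so the following C program is added here as an illustration; it is my own code, not the ReRanz implementation or anything from the paper. It models the mechanism the abstract describes: a code region holding position-independent stubs is rebuilt in a fresh mapping with a new function order and random padding, the dispatch pointers are repointed, the old mapping is flushed, and all of this happens before every reply leaves the process. Everything beyond that outline is an assumption for the sake of a self-contained demo: the function names (build_region, rerandomize, serve_request, demo), the hand-encoded "return id" stubs for x86-64 and aarch64 standing in for real functions, the shuffler running in-process instead of in ReRanz's separate shuffling process, and the Linux-specific msync/ENOMEM probe used to show that a leaked address no longer maps to anything.

```c
/* Added example (not ReRanz code): toy continuous code re-randomization.
 * Assumes Linux on x86-64 or aarch64; the "functions" are hand-encoded
 * position-independent stubs that just return their own id. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <time.h>
#include <unistd.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value; hidden under strict ISO C modes */
#endif
#define NFUNCS 4
#define REGION_SIZE (64 * 1024)

typedef int (*stub_fn)(void);
struct code_region { uint8_t *base; stub_fn table[NFUNCS]; };  /* one code variant */

/* Write "return id" as machine code at dst; returns its size in bytes. */
static size_t emit_stub(uint8_t *dst, int id) {
#if defined(__x86_64__)
    dst[0] = 0xB8; memcpy(dst + 1, &id, 4); dst[5] = 0xC3;   /* mov eax,imm32; ret */
    return 6;
#elif defined(__aarch64__)
    uint32_t ins[2] = { 0x52800000u | ((uint32_t)id << 5), 0xD65F03C0u }; /* mov w0,#id; ret */
    memcpy(dst, ins, 8);
    return 8;
#else
#error "stub encoding provided only for x86-64 and aarch64"
#endif
}

/* Build a fresh fine-grained variant: a new mapping, the functions in a random
 * order with random 16-byte-aligned gaps, so every code address and every
 * inter-gadget distance differs from the previous variant. */
static struct code_region build_region(void) {
    struct code_region r;
    r.base = mmap(NULL, REGION_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (r.base == MAP_FAILED) { perror("mmap"); exit(1); }
    int order[NFUNCS];
    for (int i = 0; i < NFUNCS; i++) order[i] = i;
    for (int i = NFUNCS - 1; i > 0; i--) {                 /* Fisher-Yates shuffle */
        int j = rand() % (i + 1), t = order[i];
        order[i] = order[j]; order[j] = t;
    }
    size_t off = 0;
    for (int k = 0; k < NFUNCS; k++) {
        off += (size_t)(rand() % 256) * 16;                /* random padding */
        r.table[order[k]] = (stub_fn)(uintptr_t)(r.base + off);
        off = (off + emit_stub(r.base + off, order[k]) + 15) & ~(size_t)15;
    }
    __builtin___clear_cache((char *)r.base, (char *)r.base + REGION_SIZE);
    if (mprotect(r.base, REGION_SIZE, PROT_READ | PROT_EXEC) != 0) { perror("mprotect"); exit(1); }
    return r;
}

/* The shuffle step: map the replacement and repoint the table before flushing the
 * old variant, so no live code pointer ever dangles. (In-process here; ReRanz
 * does this from a separate shuffling process.) */
static void rerandomize(struct code_region *cur) {
    struct code_region next = build_region();
    if (munmap(cur->base, REGION_SIZE) != 0) { perror("munmap"); exit(1); }
    *cur = next;
}

/* Linux: msync on an unmapped page fails with ENOMEM. */
static int is_mapped(uintptr_t addr) {
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    return msync((void *)(addr & ~(pg - 1)), 1, MS_ASYNC) == 0 || errno != ENOMEM;
}

/* Serve one request, then re-randomize before the reply leaves the process. */
static int serve_request(struct code_region *cur, int fn) {
    int v = cur->table[fn]();
    rerandomize(cur);
    return v;
}

/* Attacker learns the address of function 2 (e.g. through an over-read) but needs
 * one reply to come back before using it. Returns 1 if the program still works
 * afterwards and the leaked address is unmapped. */
static int demo(void) {
    srand((unsigned)time(NULL) ^ (unsigned)getpid());
    struct code_region r = build_region();
    uintptr_t leaked = (uintptr_t)r.table[2];             /* the disclosure */
    int reply = serve_request(&r, 2);                      /* output => shuffle */
    int ok = reply == 2 && (uintptr_t)r.table[2] != leaked && !is_mapped(leaked);
    for (int i = 0; i < NFUNCS; i++) ok = ok && r.table[i]() == i;
    munmap(r.base, REGION_SIZE);
    return ok;
}

int main(void) {
    puts(demo() ? "leaked code address went stale after one reply" : "property did not hold");
    return 0;
}
```

Build with `cc -O2 rerandomize.c` and run. The detail worth noting is the ordering inside rerandomize: the replacement is mapped and the dispatch table repointed before the old variant is unmapped, so the program itself never runs through a dangling code pointer, while an attacker holding the disclosed address is left with a pointer into unmapped memory. The cost that ReRanz moves into its shuffling process is the build_region step; the program only pays for the pointer swap and the munmap.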

References

  1. Apache HTTP Server. http://httpd.apache.org/.
  2. Blind ROP tool. http://www.scs.stanford.edu/brop/.
  3. LLVM Compiler Infrastructure. http://llvm.org/.
  4. Libunwind library. http://www.nongnu.org/libunwind/.
  5. Nginx Web Server. http://nginx.org/.
  6. Getting around non-executable stack (and fix). http://seclists.org/bugtraq/1997/Aug/63.
  7. ab tool. https://httpd.apache.org/docs/2.4/programs/ab.html.
  8. M. Backes and S. Nürnberger. Oxymoron: Making Fine-Grained Memory Randomization Practical by Allowing Code Sharing. In 23rd USENIX Security Symposium (USENIX Security 14), pages 433--447, San Diego, CA, Aug. 2014. USENIX Association. ISBN 978-1-931971-15-7.
  9. C. Bienia and K. Li. PARSEC 2.0: A New Benchmark Suite for Chip-Multiprocessors. In Proceedings of the 5th Annual Workshop on Modeling, Benchmarking and Simulation, June 2009.
  10. D. Bigelow, T. Hobson, R. Rudd, W. Streilein, and H. Okhravi. Timely Rerandomization for Mitigating Memory Disclosures. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS '15, pages 268--279, New York, NY, USA, 2015. ACM.
  11. A. Bittau, A. Belay, A. Mashtizadeh, D. Mazières, and D. Boneh. Hacking Blind. In 2014 IEEE Symposium on Security and Privacy, pages 227--242, May 2014.
  12. T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang. Jump-oriented Programming: A New Class of Code-reuse Attack. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS '11, pages 30--40, New York, NY, USA, 2011. ACM.
  13. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented Programming Without Returns. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, pages 559--572, New York, NY, USA, 2010. ACM.
  14. Y. Chen, Z. Wang, D. Whalley, and L. Lu. Remix: On-demand Live Randomization. In Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, CODASPY '16, pages 50--61, New York, NY, USA, 2016. ACM. ISBN 978-1-4503-3935-3.
  15. Y. Cheng, Z. Zhou, M. Yu, X. Ding, and R. H. Deng. ROPecker: A Generic and Practical Approach For Defending Against ROP Attacks. In NDSS. The Internet Society, 2014.
  16. S. J. Crane, S. Volckaert, F. Schuster, C. Liebchen, P. Larsen, L. Davi, A.-R. Sadeghi, T. Holz, B. De Sutter, and M. Franz. It's a TRaP: Table Randomization and Protection Against Function-Reuse Attacks. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS '15, pages 243--255, New York, NY, USA, 2015. ACM. ISBN 978-1-4503-3832-5.
  17. L. V. Davi, A. Dmitrienko, S. Nürnberger, and A.-R. Sadeghi. Gadge Me If You Can: Secure and Efficient Ad-hoc Instruction-level Randomization for x86 and ARM. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS '13, pages 299--310, New York, NY, USA, 2013. ACM.
  18. R. Gawlik, B. Kollenda, P. Koppe, B. Garmany, and T. Holz. Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding. In 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, February 21-24, 2016.
  19. C. Giuffrida, A. Kuijsten, and A. S. Tanenbaum. Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization. In Proceedings of the 21st USENIX Conference on Security Symposium, Security'12, pages 40--40, Berkeley, CA, USA, 2012. USENIX Association.
  20. E. Göktaş, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out of Control: Overcoming Control-Flow Integrity. In 2014 IEEE Symposium on Security and Privacy, pages 575--589, May 2014. doi: 10.1109/SP.2014.43.
  21. E. Göktaş, R. Gawlik, B. Kollenda, E. Athanasopoulos, G. Portokalidis, C. Giuffrida, and H. Bos. Undermining Information Hiding (and What to Do about It). In 25th USENIX Security Symposium (USENIX Security 16), pages 105--119, Austin, TX, Aug. 2016. USENIX Association. ISBN 978-1-931971-32-4.
  22. D. Gruss, C. Maurice, A. Fogh, M. Lipp, and S. Mangard. Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS '16, pages 368--379, New York, NY, USA, 2016. ACM. ISBN 978-1-4503-4139-4. doi: 10.1145/2976749.2978356. URL http://doi.acm.org/10.1145/2976749.2978356.
  23. J. L. Henning. SPEC CPU2006 Benchmark Descriptions. SIGARCH Comput. Archit. News, 34(4):1--17, Sept. 2006. ISSN 0163-5964.
  24. J. Hiser, A. Nguyen-Tuong, M. Co, M. Hall, and J. W. Davidson. ILR: Where'd My Gadgets Go? In 2012 IEEE Symposium on Security and Privacy, pages 571--585, May 2012.
  25. H. Hu, Z. L. Chua, S. Adrian, P. Saxena, and Z. Liang. Automatic Generation of Data-Oriented Exploits. In 24th USENIX Security Symposium (USENIX Security 15), pages 177--192, Washington, D.C., Aug. 2015. USENIX Association.
  26. R. Hund, C. Willems, and T. Holz. Practical Timing Side Channel Attacks Against Kernel Space ASLR. In 2013 IEEE Symposium on Security and Privacy, pages 191--205, May 2013. doi: 10.1109/SP.2013.23.
  27. Y. Jang, S. Lee, and T. Kim. Breaking Kernel Address Space Layout Randomization with Intel TSX. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS '16, pages 380--392, New York, NY, USA, 2016. ACM. ISBN 978-1-4503-4139-4. doi: 10.1145/2976749.2978321. URL http://doi.acm.org/10.1145/2976749.2978321.
  28. C. Kil, J. Jun, C. Bookholt, J. Xu, and P. Ning. Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software. In ACSAC, pages 339--348. IEEE Computer Society, 2006.
  29. H. Koo and M. Polychronakis. Juggling the Gadgets: Binary-level Code Randomization Using Instruction Displacement. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, ASIA CCS '16, pages 23--34, New York, NY, USA, 2016. ACM. ISBN 978-1-4503-4233-9.
  30. K. Lu, S. Nürnberger, M. Backes, and W. Lee. How to Make ASLR Win the Clone Wars: Runtime Re-Randomization. In 23rd Annual Symposium on Network and Distributed System Security (NDSS 2016), 2016.
  31. Microsoft. Data Execution Prevention (DEP).
  32. V. Pappas, M. Polychronakis, and A. D. Keromytis. Smashing the Gadgets: Hindering Return-Oriented Programming Using In-place Code Randomization. In 2012 IEEE Symposium on Security and Privacy, pages 601--615, May 2012.
  33. V. Pappas, M. Polychronakis, and A. D. Keromytis. Transparent ROP Exploit Mitigation Using Indirect Branch Tracing. In 22nd USENIX Security Symposium (USENIX Security 13), pages 447--462, Washington, D.C., 2013. USENIX. ISBN 978-1-931971-03-4.
  34. R. Roemer, E. Buchanan, H. Shacham, and S. Savage. Return-Oriented Programming: Systems, Languages, and Applications. ACM Trans. Inf. Syst. Secur., 15(1):2:1--2:34, Mar. 2012. ISSN 1094-9224.
  35. G. F. Roglia, L. Martignoni, R. Paleari, and D. Bruschi. Surgically Returning to Randomized lib(c). In ACSAC, pages 60--69. IEEE Computer Society, 2009. ISBN 978-0-7695-3919-5.
  36. J. Salwan. ROPGadget. http://shellstorm.org/project/ROPgadget.
  37. F. Schuster, T. Tendyck, C. Liebchen, L. Davi, A.-R. Sadeghi, and T. Holz. Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications. In 2015 IEEE Symposium on Security and Privacy, pages 745--762, May 2015.
  38. J. Seibert, H. Okhravi, and E. Söderström. Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS '14, pages 54--65, New York, NY, USA, 2014. ACM. ISBN 978-1-4503-2957-6.
  39. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the Effectiveness of Address-space Randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS '04, pages 298--307, New York, NY, USA, 2004. ACM. ISBN 1-58113-961-6.
  40. K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi. Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization. In 2013 IEEE Symposium on Security and Privacy, pages 574--588, May 2013.
  41. R. Strackx, Y. Younan, P. Philippaerts, F. Piessens, S. Lachmund, and T. Walter. Breaking the Memory Secrecy Assumption. In Proceedings of the Second European Workshop on System Security, EUROSEC '09, pages 1--8, New York, NY, USA, 2009. ACM.
  42. L. Szekeres, M. Payer, L. T. Wei, and R. Sekar. Eternal War in Memory. IEEE Security & Privacy, 12(3):45--53, May 2014. ISSN 1540-7993. doi: 10.1109/MSP.2014.44.
  43. U.Wiki. Address Space Layout Randomization (ASLR).
  44. R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin. Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, pages 157--168, New York, NY, USA, 2012. ACM. ISBN 978-1-4503-1651-4.
  45. D. Williams-King, G. Gobieski, K. Williams-King, J. P. Blake, X. Yuan, P. Colp, M. Zheng, V. P. Kemerlis, J. Yang, and W. Aiello. Shuffler: Fast and Deployable Continuous Code Re-randomization. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 367--382, GA, Nov. 2016. USENIX Association.


Published in

• ACM SIGPLAN Notices, Volume 52, Issue 7 (VEE '17), July 2017, 256 pages. ISSN: 0362-1340. EISSN: 1558-1160. DOI: 10.1145/3140607
• VEE '17: Proceedings of the 13th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, April 2017, 261 pages. ISBN: 9781450349482. DOI: 10.1145/3050748

Copyright © 2017 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Qualifiers

• tutorial
• Research
• Refereed limited
