Local Memory via Layout Randomization

Randomization is used in computer security as a tool to introduce unpredictability into the software infrastructure. In this paper, we study the use of randomization to achieve secrecy and integrity guarantees for local memory. We follow the approach set out by Abadi and Plotkin. We consider the execution of an idealized language in two environments. In the strict environment, opponents cannot access local variables of the user program. In the lax environment, opponents may attempt to guess allocated memory locations and thus, with small probability, gain access to the local memory of the user program. We model these environments using two novel calculi: lambda-mu-hashref and lambda-mu-proberef. Our contribution to the Abadi-Plotkin program is to enrich the programming language with dynamic memory allocation, first-class and higher-order references, and call/cc-style control. On the one hand, these enhancements allow us to directly model a larger class of system hardening principles. On the other hand, the class of opponents is also enhanced, since our enriched language permits natural and direct encoding of attacks that alter the control flow of programs. Our main technical result is a fully abstract translation (up to probability) of lambda-mu-hashref into lambda-mu-proberef. Thus, in the presence of randomized layouts, the opponent gains no new power from being able to guess local references of the user program. Our numerical bounds are similar to those of Abadi and Plotkin; thus, the extra programming language features do not cause a concomitant increase in the resources required for protection via randomization.
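As an added illustration (not the paper's formal calculi or any code of its own), the following Python sketch models the two environments described above: the strict store hands out unforgeable handles, while the lax store places each cell at a uniformly random address that an opponent may probe, and the probability that a bounded number of guesses reaches local memory is both computed and simulated. All class and function names, and the address-space size, are constructed for this example.

```python
import random

class StrictStore:
    # Strict environment (in the spirit of lambda-mu-hashref): a reference is an opaque
    # handle obtainable only from alloc, so an opponent never given it cannot name the cell.
    def __init__(self):
        self._cells = {}
    def alloc(self, value):
        handle = object()  # fresh, unforgeable identity
        self._cells[handle] = value
        return handle
    def read(self, handle):
        return self._cells[handle]  # KeyError for any handle we did not issue

class LaxStore:
    # Lax environment (in the spirit of lambda-mu-proberef): a reference is an
    # integer address drawn uniformly at random, and any integer can be probed.
    def __init__(self, size=2 ** 16, rng=None):  # size is a constructed default
        self._size = size
        self._cells = {}
        self._rng = rng or random.SystemRandom()
    def alloc(self, value):
        addr = self._rng.randrange(self._size)
        while addr in self._cells:  # keep the layout collision-free
            addr = self._rng.randrange(self._size)
        self._cells[addr] = value
        return addr
    def probe(self, addr):
        # An opponent's guess: the cell contents on a hit, None on a miss.
        return self._cells.get(addr)

def hit_probability(size, allocated, probes):
    # Chance that `probes` distinct uniform guesses reach at least one of `allocated`
    # cells in an address space of `size` (sampling without replacement).
    miss = 1.0
    for i in range(probes):
        miss *= (size - allocated - i) / (size - i)
    return 1.0 - miss

def simulate(size, allocated, probes, trials, seed=0):
    # Empirical check of hit_probability against the LaxStore model.
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        store = LaxStore(size, rng)
        for _ in range(allocated):
            store.alloc("local secret")
        if any(store.probe(g) is not None for g in rng.sample(range(size), probes)):
            hits += 1
    return hits / trials
```

The gap between the two stores is the point of the full-abstraction result: in the strict model the opponent has no probing operation at all, while in the lax model its advantage is bounded by hit_probability, which shrinks as the address space grows relative to the cells allocated and the probes allowed.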
