On Layout Randomization for Arrays and Functions

Low-level attacks often rely on guessing absolute or relative memory addresses. Layout randomization aims to thwart such attacks. In this paper, we study layout randomization in a setting in which arrays and functions can be stored in memory. Our results relate layout randomization to language-level protection mechanisms, namely to the use of abstract locations (rather than integer addresses). They apply, in particular, when each abstract location can hold an entire array which, concretely, compilation implements with a memory buffer at a random base address.
