Poking Holes in Information Hiding

ASLR is no longer a strong defense in itself, but it still serves as a foundation for sophisticated defenses that use randomization for pseudo-isolation. Crucially, these defenses hide sensitive information (such as shadow stacks and safe regions) at a random position in a very large address space. Previous attacks on randomization-based information hiding rely on complicated side channels and/or probing of the mapped memory regions. Assuming no weaknesses exist in the implementation of hidden regions, the attacks typically lead to many crashes or other visible side-effects. For this reason, many researchers still consider the pseudo-isolation offered by ASLR sufficiently strong in practice. We introduce powerful new primitives to show that this faith in ASLR-based information hiding is misplaced, and that attackers can break ASLR and find hidden regions on 32 bit and 64 bit Linux systems quickly with very few malicious inputs. Rather than building on memory accesses that probe the allocated memory areas, we determine the sizes of the unallocated holes in the address space by repeatedly allocating large chunks of memory. Given the sizes, an attacker can infer the location of the hidden region with few or no side-effects. We show that allocation oracles are pervasive and evaluate our primitives on real-world server applications.

[1]  Liang Deng,et al.  ISboxing: An Instruction Substitution Based Data Sandboxing for x86 Untrusted Libraries , 2015, SEC.

[2]  Herbert Bos,et al.  Undermining Information Hiding (and What to Do about It) , 2016, USENIX Security Symposium.

[3]  Stelios Sidiroglou,et al.  Missing the Point(er): On the Effectiveness of Code Pointer Integrity , 2015, 2015 IEEE Symposium on Security and Privacy.

[4]  Xi Chen,et al.  StackArmor: Comprehensive Protection From Stack-based Memory Error Vulnerabilities for Binaries , 2015, NDSS.

[5]  Thorsten Holz,et al.  Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding , 2016, NDSS.

[6]  Per Larsen,et al.  Leakage-Resilient Layout Randomization for Mobile Devices , 2016, NDSS.

[7]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[8]  Wenke Lee,et al.  ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks , 2015, CCS.

[9]  Oracle Corp,et al.  Memory Overcommit… without the commitment , 2008 .

[10]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[11]  Per Larsen,et al.  It's a TRaP: Table Randomization and Protection against Function-Reuse Attacks , 2015, CCS.

[12]  Michael Backes,et al.  Oxymoron: Making Fine-Grained Memory Randomization Practical by Allowing Code Sharing , 2014, USENIX Security Symposium.

[13]  Angelos D. Keromytis,et al.  libdft: practical dynamic data flow tracking for commodity systems , 2012, VEE '12.

[14]  Cristiano Giuffrida,et al.  Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization , 2012, USENIX Security Symposium.

[15]  Carsten Willems,et al.  Practical Timing Side Channel Attacks against Kernel Space ASLR , 2013, 2013 IEEE Symposium on Security and Privacy.

[16]  Jeff Seibert,et al.  Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code , 2014, CCS.

[17]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[18]  Peng Ning,et al.  HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities , 2015, CODASPY.

[19]  Herbert Bos,et al.  Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[20]  Ahmad-Reza Sadeghi,et al.  Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming , 2015, NDSS.

[21]  David A. Wagner,et al.  The Performance Cost of Shadow Stacks and Stack Canaries , 2015, AsiaCCS.

[22]  Nicolas Le Scouarnec,et al.  Reverse Engineering Intel Last-Level Cache Complex Addressing Using Performance Counters , 2015, RAID.

[23]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[24]  Dan Boneh,et al.  Hacking Blind , 2014, 2014 IEEE Symposium on Security and Privacy.

[25]  Per Larsen,et al.  Readactor: Practical Code Randomization Resilient to Memory Disclosure , 2015, 2015 IEEE Symposium on Security and Privacy.

[26]  Angelos D. Keromytis,et al.  kGuard: Lightweight Kernel Protection against Return-to-User Attacks , 2012, USENIX Security Symposium.

[27]  Frank Piessens,et al.  Breaking the memory secrecy assumption , 2009, EUROSEC '09.

[28]  Maninder Singh,et al.  Address Space Layout Randomization (ASLR) in Windows & Linux: Proof of Concept (PoC) Implementation , 2013 .

[29]  Per Larsen,et al.  Opaque Control-Flow Integrity , 2015, NDSS.

[30]  Per Larsen,et al.  Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks , 2015, CCS.

[31]  Neha Narula,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, IEEE Symposium on Security and Privacy.

[32]  Mingwei Zhang,et al.  Control Flow and Code Integrity for COTS binaries: An Effective Defense Against Real-World ROP Attacks , 2015, ACSAC 2015.