A Function Level Randomization Technique to Mitigate ROP Attacks

ROP (Return-Oriented Programming) is an attack technique that reuses the existing binary code of the target system. ASLR (Address Space Layout Randomization) is widely used to protect systems from buffer-overflow attacks by introducing artificial diversity into software. With ASLR, software can be immune to ROP attacks to some extent. However, because ASLR cannot randomize the base addresses of executables' code segments, and because its utility on 32-bit architectures is limited by the number of bits available for address randomization, attackers can successfully exploit a target system by brute force in limited time. Thus, we proposed FLR, a function level randomization technique to mitigate ROP attacks. FLR randomly permutes the functions in executables, making attackers' assumptions about the executables incorrect. We implemented a prototype of FLR and randomized ten executables. ROP attacks succeeded without FLR and failed with FLR.
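The following is an added illustration, not the paper's prototype: a toy model of function-level permutation that measures how many precomputed gadget addresses stay valid once the function order is shuffled. The function names, sizes, gadget offsets and base address are constructed for the example, and a uniform shuffle is an assumption about how the permutation is chosen.

```python
import math
import random

# Constructed sample: (function name, size in bytes, gadget offsets inside the function).
FUNCS = [
    ("init",    0x40, [0x3e]),
    ("parse",   0x90, [0x12, 0x8f]),
    ("handle",  0x60, [0x5d]),
    ("log",     0x30, []),
    ("cleanup", 0x50, [0x4c]),
]
TEXT_BASE = 0x08048000  # constructed fixed code-segment base (the part ASLR leaves in place)

def layout(funcs, base=TEXT_BASE):
    """Place functions back to back; return {(name, offset): absolute gadget address}."""
    gadgets, addr = {}, base
    for name, size, offsets in funcs:
        for off in offsets:
            gadgets[(name, off)] = addr + off
        addr += size
    return gadgets

def permute(funcs, rng):
    """Function-level randomization: shuffle the function order, keep bodies intact."""
    shuffled = list(funcs)
    rng.shuffle(shuffled)
    return shuffled

def surviving_gadgets(assumed, actual):
    """Gadgets whose address in the randomized layout still equals the assumed one."""
    return [g for g, a in assumed.items() if actual.get(g) == a]

def chain_survival_rate(trials, seed=1):
    """Fraction of random layouts in which every assumed gadget address is still valid."""
    rng = random.Random(seed)
    assumed = layout(FUNCS)
    hits = sum(len(surviving_gadgets(assumed, layout(permute(FUNCS, rng)))) == len(assumed)
               for _ in range(trials))
    return hits / trials

def layout_entropy_bits(n_funcs):
    """log2(n!): bits of uncertainty from a uniform permutation of n functions."""
    return math.log2(math.factorial(n_funcs))

if __name__ == "__main__":
    print(f"chain survival rate over 2000 layouts: {chain_survival_rate(2000):.4f}")
    print(f"layout entropy for {len(FUNCS)} functions: {layout_entropy_bits(len(FUNCS)):.2f} bits")
```

In this model a chain that needs all five gadgets survives only under the identity ordering, and the entropy grows as log2(n!) with the number of functions rather than being capped by the address width.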
