Defending ROP Attacks Using Basic Block Level Randomization

Code reuse attacks such as return-oriented programming, one of the most powerful threats to software systems, rely on the absolute addresses of instructions. Therefore, address space randomization should be an effective defense. However, current randomization techniques either lack sufficient entropy or impose significant time or space overhead. In this paper, we present a novel fine-grained randomization technique at the basic block level. In contrast to previous work, our technique properly handles critical technical challenges, including indirect branches, callbacks and position-independent code, at minimal cost. We implement an efficient prototype randomization system that supports the Linux ELF file format and the x86 architecture. Our evaluation demonstrates that it successfully defends against ROP attacks with tiny performance overhead (4% on average).
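As an added illustration, not the paper's implementation, the following toy Python model shows what basic-block-level randomization does to a ROP chain: blocks are permuted, direct branches are re-encoded for the new layout (a fall-through whose successor has moved becomes an explicit jump), and a chain that hard-codes a gadget address taken from the original layout is checked against the randomized one. The program, the one-instruction-per-address size model and the gadget are all constructed; indirect branches, callbacks and position-independent code, which the paper handles, are left out.

```python
import random

# Constructed toy program (added example, not the paper's system). Each basic
# block is (label, instructions, terminator); a terminator is ("jmp", label),
# ("ret",) or ("fall", label): fall-through into the next block of the original
# layout. Addresses are instruction indices, so one instruction = one "byte".
BLOCKS = [
    ("entry", ["mov eax, 1", "mov ecx, 3"], ("fall", "loop")),
    ("loop",  ["add eax, ecx", "dec ecx"],  ("jmp", "check")),
    ("check", ["test ecx, ecx"],            ("fall", "exit")),
    ("exit",  ["pop ebx"],                  ("ret",)),   # "pop ebx; ret" gadget
]

def layout(blocks, order):
    """Place blocks in `order`; return (code, addr_of). A fall-through whose
    successor no longer follows it becomes an explicit jmp (the space cost)."""
    by_label = {b[0]: b for b in blocks}
    code, addr_of = [], {}
    for i, label in enumerate(order):
        _, instrs, term = by_label[label]
        addr_of[label] = len(code)
        code.extend(instrs)
        if term[0] == "ret":
            code.append("ret")
        elif term[0] == "jmp" or order[i + 1:i + 2] != [term[1]]:
            code.append(("jmp", term[1]))       # direct branch, target by label
    # Direct branches are re-encoded with absolute addresses for this layout,
    # so legitimate control flow is unchanged while every address moves.
    code = [f"jmp {addr_of[ins[1]]}" if isinstance(ins, tuple) else ins for ins in code]
    return code, addr_of

def randomize(blocks, rng):
    """One randomized layout: a random permutation of the basic blocks."""
    order = [b[0] for b in blocks]
    rng.shuffle(order)
    return layout(blocks, order)

def gadget_addresses(code):
    """Addresses where a 'pop ebx; ret' gadget starts in the given layout."""
    return [a for a in range(len(code) - 1) if code[a] == "pop ebx" and code[a + 1] == "ret"]

def chain_survives(orig_code, new_code):
    """Does a chain hard-coded for the original layout still hit its gadget?"""
    return any(new_code[a:a + 2] == ["pop ebx", "ret"] for a in gadget_addresses(orig_code))

if __name__ == "__main__":
    orig, _ = layout(BLOCKS, [b[0] for b in BLOCKS])
    hits = sum(chain_survives(orig, randomize(BLOCKS, random.Random(s))[0]) for s in range(1000))
    print(f"gadget at original address {gadget_addresses(orig)} survives in {hits}/1000 layouts")
```

With only four blocks the attacker's hard-coded address still lands on the gadget in a noticeable fraction of layouts; the entropy, and hence the protection, grows with the number of blocks that can be permuted.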
