Address-space layout randomization using code islands

Address-Space Layout Randomization (ASLR) techniques prevent intruders from locating target functions by randomizing the process layout. Prior ASLR techniques defended against single-target brute-force attacks, which work by locating a single, omnipotent system library function such as execve(). These techniques are not sufficient to defend against chained return-into-lib(c) attacks, which call a sequence of system library functions. In this paper, we describe the Island Code Transformation (ICT), which addresses chained return-into-lib(c) attacks. A code island is a block of code that is isolated in the address space from other code blocks. Island code not only randomizes the base pointers used in memory mapping but also maximizes the entropy in function layout (that is, knowing the location and extent of one function gains the attacker little knowledge about the memory location of other functions). We also provide an efficacy analysis of randomization schemes based on combinations of available ASLR techniques. Our analysis shows that ICT is exponentially more effective than any prior ASLR technique in defending against brute-force searches for the addresses of multiple target functions, a key component of chained return-into-lib(c) attacks. ICT uses a predefined rerandomization threshold that determines how frequently (in terms of failed attacks) the process layout is re-randomized, balancing security and availability. Our overhead measurements on some well-known GNU applications show that it takes less than 0.05 seconds to load/rerandomize a process with the necessary C system library functions in code islands, and our technique introduces a 3-10% run-time overhead caused by inter-island control transfers. We therefore conclude that ICT is well-suited for dedicated servers.
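As an added illustration (not the paper's own analysis), the following toy model makes the efficacy argument concrete: it computes the expected number of brute-force probes needed to locate k target functions when they all share one randomized base versus when each sits in its own independently placed island, with an optional rerandomization threshold. The uniform-placement assumption, the two attacker "oracle" variants, and the 16-bit entropy figure are assumptions of this example; which regime applies in practice depends on what an attacker can observe per probe.

```python
# Toy efficacy model (added example, not the paper's analysis). Assumptions:
# each randomized placement is uniform over N = 2**n_bits slots, the attacker
# probes distinct candidates and can observe each failed probe (e.g. a crash)
# without ending the search. With a rerandomization threshold T the layout is
# redrawn after every T failed probes, so exclusions learned in a window are lost.
from fractions import Fraction
from typing import Optional


def expected_probes_single(n_bits: int, threshold: Optional[int] = None) -> Fraction:
    """Expected probes to hit one uniformly placed target.
    No rerandomization: (N + 1) / 2.  Threshold T < N: each window of T distinct
    guesses succeeds with probability T/N, so the mean is
    (N/T - 1) * T + (T + 1) / 2 = N - (T - 1) / 2."""
    n_slots = 2 ** n_bits
    if threshold is None or threshold >= n_slots:
        return Fraction(n_slots + 1, 2)
    if threshold < 1:
        raise ValueError("threshold must be >= 1")
    return Fraction(n_slots) - Fraction(threshold - 1, 2)


def expected_probes_shared_base(n_bits: int, k: int, threshold: Optional[int] = None) -> Fraction:
    """One randomized mapping holds all k functions at fixed offsets, so
    locating any one of them locates the rest: the cost is a single search."""
    return expected_probes_single(n_bits, threshold)


def expected_probes_islands(n_bits: int, k: int, threshold: Optional[int] = None,
                            per_function_oracle: bool = True) -> Fraction:
    """Each of the k functions sits in its own independently placed island.
    per_function_oracle=True: each address can be confirmed on its own, so the
    k searches add (linear in k).  False: only a whole working chain is
    observable, so the joint space is N**k (exponential in k)."""
    if per_function_oracle:
        return k * expected_probes_single(n_bits, threshold)
    return expected_probes_single(n_bits * k, threshold)


def island_advantage(n_bits: int, k: int, threshold: Optional[int] = None,
                     per_function_oracle: bool = True) -> Fraction:
    """Expected attacker work with islands divided by work against a shared base."""
    return (expected_probes_islands(n_bits, k, threshold, per_function_oracle)
            / expected_probes_shared_base(n_bits, k, threshold))


if __name__ == "__main__":
    # Assumed 16-bit placement entropy and a chain of 4 library functions.
    print("shared base:", expected_probes_shared_base(16, 4))
    print("islands, per-function oracle:", expected_probes_islands(16, 4))
    print("islands, chain-only oracle:", expected_probes_islands(16, 4, per_function_oracle=False))
```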
