Remix: On-demand Live Randomization

Code randomization is an effective defense against code reuse attacks. It scrambles program code to prevent attackers from locating useful functions or gadgets. The key to secure code randomization is achieving high entropy. A practical approach to boost entropy is on-demand live randomization that works on running processes. However, enabling live randomization is challenging in that it often requires manual efforts to solve ambiguity in identifying function pointers. In this paper, we propose Remix, an efficient and practical live randomization system for both user processes and kernel modules. Remix randomly shuffles basic blocks within their respective functions. By doing so, it avoids the complexity of migrating stale function pointers, and allows mixing randomized and non-randomized code to strike a balance between performance and security. Remix randomizes a running process in two steps: it first randomly reorders its basic blocks, and then comprehensively migrates live pointers to basic blocks. Our experiments show that Remix can significantly increase randomness with low performance overhead on both CPU and I/O intensive benchmarks and kernel modules, even at very short randomization intervals.

[1]  Angelos D. Keromytis,et al.  Transparent ROP Exploit Mitigation Using Indirect Branch Tracing , 2013, USENIX Security Symposium.

[2]  Leyla Bilge,et al.  G-Free: defeating return-oriented programming through gadget-less binaries , 2010, ACSAC '10.

[3]  Jack W. Davidson,et al.  ILR: Where'd My Gadgets Go? , 2012, 2012 IEEE Symposium on Security and Privacy.

[4]  Michael Backes,et al.  Oxymoron: Making Fine-Grained Memory Randomization Practical by Allowing Code Sharing , 2014, USENIX Security Symposium.

[5]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[6]  David H. Ackley,et al.  Randomized instruction set emulation , 2005, TSEC.

[7]  Ben Niu,et al.  RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity , 2014, CCS.

[8]  Martín Abadi,et al.  Architectural support for software-based protection , 2006, ASID '06.

[9]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[10]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[11]  Zhi Wang,et al.  Defeating return-oriented rootkits with "Return-Less" kernels , 2010, EuroSys '10.

[12]  David A. Wagner,et al.  ROP is Still Dangerous: Breaking Modern Defenses , 2014, USENIX Security Symposium.

[13]  Angelos D. Keromytis,et al.  Countering code-injection attacks with instruction-set randomization , 2003, CCS '03.

[14]  Per Larsen,et al.  SoK: Automated Software Diversity , 2014, 2014 IEEE Symposium on Security and Privacy.

[15]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[16]  S. Bhatkar,et al.  Data Space Randomization , 2008, DIMVA.

[17]  Per Larsen,et al.  Opaque Control-Flow Integrity , 2015, NDSS.

[18]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[19]  John Johansen,et al.  PointGuard™: Protecting Pointers from Buffer Overflow Vulnerabilities , 2003, USENIX Security Symposium.

[20]  Kevin W. Hamlen,et al.  Binary stirring: self-randomizing instruction addresses of legacy x86 binary code , 2012, CCS.

[21]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[22]  Per Larsen,et al.  Readactor: Practical Code Randomization Resilient to Memory Disclosure , 2015, 2015 IEEE Symposium on Security and Privacy.

[23]  Xiangyu Zhang,et al.  Precise dynamic slicing algorithms , 2003, 25th International Conference on Software Engineering, 2003. Proceedings..

[24]  user surfaces,et al.  Data Execution Prevention , 2011 .

[25]  Hovav Shacham,et al.  When good instructions go bad: generalizing return-oriented programming to RISC , 2008, CCS.

[26]  Cristiano Giuffrida,et al.  Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization , 2012, USENIX Security Symposium.

[27]  Ahmad-Reza Sadeghi,et al.  Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming , 2015, NDSS.

[28]  Angelos D. Keromytis,et al.  Smashing the Gadgets: Hindering Return-Oriented Programming Using In-place Code Randomization , 2012, 2012 IEEE Symposium on Security and Privacy.

[29]  John R. White,et al.  Linkers and Loaders , 1972, CSUR.

[30]  Herbert Bos,et al.  Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard , 2014, USENIX Security Symposium.

[31]  Mark Russinovich,et al.  Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server(TM) 2003, Windows XP, and Windows 2000 (Pro-Developer) , 2004 .

[32]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[33]  Dan Boneh,et al.  Hacking Blind , 2014, 2014 IEEE Symposium on Security and Privacy.

[34]  Cristina Cifuentes,et al.  Recovery of jump table case statements from binary code , 1999, Proceedings Seventh International Workshop on Program Comprehension.

[35]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[36]  Peng Ning,et al.  Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[37]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[38]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[39]  Joseph Robert Horgan,et al.  Dynamic program slicing , 1990, PLDI '90.

[40]  Michael Backes,et al.  You Can Run but You Can't Read: Preventing Disclosure Exploits in Executable Code , 2014, CCS.

[41]  Robert H. Deng,et al.  ROPecker: A Generic and Practical Approach For Defending Against ROP Attacks , 2014, NDSS.

[42]  Peng Ning,et al.  HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities , 2015, CODASPY.

[43]  Hovav Shacham,et al.  Return-oriented programming without returns , 2010, CCS '10.

[44]  Bennet S. Yee,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[45]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.