POLaR: Per-Allocation Object Layout Randomization

Object Layout Randomization (OLR) is a memory randomization approach that makes unpredictable in-object memory layout by shuffling and relocating each member fields of the object. This defense approach has significant security effect for mitigating various types of memory error attacks. However, the current state-of-the-art enforces OLR while compile time. It makes diversified object layout for each binary, but the layout remains equal across the execution. This approach can be effective in case the program binary is hidden from attackers. However, there are several limitations: (i) the security efficacy is built with the premise that the binary is safely undisclosed from adversaries, (ii) the randomized object layout is identical across multiple executions, and (iii) the programmer should manually specify which objects should be affected by OLR. In this paper, we introduce Per-allocation Object Layout Randomization(POLaR): the first dynamic approach of OLR suited for public binaries. The randomization mechanism of POLaR is applied at runtime, and the randomization makes unique object layout even for the same type of instances. As a result, POLaR achieves two previously unmet security primitives. (i) The randomization does not break upon the exposure of the binary. (ii) Repeating the same attack does not result in deterministic behavior. In addition, we also implemented the TaintClass framework based on DFSan project to optimize/automate the target object selection process. To show the efficacy of POLaR, we use several public open-source software and SPEC2006 benchmark suites.

[1]  Wenke Lee,et al.  Preventing Use-after-free with Dangling Pointers Nullification , 2015, NDSS.

[2]  Insik Shin,et al.  Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing , 2018, NDSS.

[3]  Angelos D. Keromytis,et al.  Smashing the Gadgets: Hindering Return-Oriented Programming Using In-place Code Randomization , 2012, 2012 IEEE Symposium on Security and Privacy.

[4]  Dongyan Xu,et al.  Polymorphing Software by Randomizing Data Structure Layout , 2009, DIMVA.

[5]  Miguel Castro,et al.  Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors , 2009, USENIX Security Symposium.

[6]  Juan Caballero,et al.  Undangle: early detection of dangling pointers in use-after-free and double-free vulnerabilities , 2012, ISSTA 2012.

[7]  Frederick B. Cohen,et al.  Operating system protection through program evolution , 1993, Comput. Secur..

[8]  Jack W. Davidson,et al.  ILR: Where'd My Gadgets Go? , 2012, 2012 IEEE Symposium on Security and Privacy.

[9]  Christof Fetzer,et al.  SGXBOUNDS: Memory Safety for Shielded Execution , 2017, EuroSys.

[10]  W. Wong,et al.  Transparent Runtime Shadow Stack : Protection against malicious return address modifications , 2006 .

[11]  Xi Chen,et al.  StackArmor: Comprehensive Protection From Stack-based Memory Error Vulnerabilities for Binaries , 2015, NDSS.

[12]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[13]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[14]  David H. Ackley,et al.  Building diverse computer systems , 1997, Proceedings. The Sixth Workshop on Hot Topics in Operating Systems (Cat. No.97TB100133).

[15]  Roland H. C. Yap,et al.  Heap bounds protection with low fat pointers , 2016, CC.

[16]  Angelos D. Keromytis,et al.  Countering code-injection attacks with instruction-set randomization , 2003, CCS '03.

[17]  Cristiano Giuffrida,et al.  Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization , 2012, USENIX Security Symposium.

[18]  Wouter Joosen,et al.  PAriCheck: an efficient pointer arithmetic checker for C programs , 2010, ASIACCS '10.

[19]  Yves Younan,et al.  FreeSentry: protecting against use-after-free vulnerabilities due to dangling pointers , 2015, NDSS.

[20]  Mathias Payer,et al.  CFIXX: Object Type Integrity for C++ , 2018, NDSS.

[21]  Koen De Bosschere,et al.  Instruction Set Limitation in Support of Software Diversity , 2009, ICISC.

[22]  Eugene H. Spafford,et al.  Improved kernel security through memory layout randomization , 2013, 2013 IEEE 32nd International Performance Computing and Communications Conference (IPCCC).

[23]  Per Larsen,et al.  Booby trapping software , 2013, NSPW '13.

[24]  Per Larsen,et al.  It's a TRaP: Table Randomization and Protection against Function-Reuse Attacks , 2015, CCS.

[25]  Peng Ning,et al.  Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[26]  Roland H. C. Yap,et al.  Stack Bounds Protection with Low Fat Pointers , 2017, NDSS.