Attack Mitigation by Data Structure Randomization

Address Space Layout Randomization (ASLR) and Control Flow Integrity (CFI) have been regarded as the most effective defenses against control-flow hijacking attacks. However, researchers have recently shown that data-oriented attacks, which corrupt non-control data instead of code pointers, can circumvent both ASLR and CFI, and that data-oriented programming is even Turing-complete. These attacks often rely on the fixed layout of encapsulated data structures (for example, the field offsets of a C struct) to reach the data they need to corrupt. To defeat data structure oriented attacks (DSOA), we propose data structure layout randomization. Our method not only randomizes the order of fields within a data structure at compile time, but also inserts padding bytes between fields to increase the entropy of the resulting layout. Experimental results show that our method defeats DSOA with low performance overhead (2.1% on average).
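The following added example (not code from the paper or its compiler implementation) illustrates why a data-oriented attack depends on a fixed structure layout and how field reordering plus padding breaks it. The `session` struct, the attacker's write primitive and the hand-picked randomized layout are all assumptions: the reordered struct with its `_pad` arrays stands in for what a compile-time randomization pass would emit, and the attacker is modelled as writing four bytes at the `is_admin` offset learned from the original layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Original, non-randomized layout. The privilege flag sits at a fixed,
 * predictable offset right after the name buffer. (Constructed example.) */
struct session_orig {
    char     name[16];
    uint32_t is_admin;
    uint32_t uid;
};

/* The same structure after layout randomization: fields reordered and
 * padding inserted. Chosen by hand here to stand in for the compiler's
 * randomized choice (assumption); a real pass would pick order and padding
 * sizes from a per-build random seed. */
struct session_rand {
    uint32_t uid;
    uint8_t  _pad0[5];   /* random padding: increases layout entropy */
    char     name[16];
    uint8_t  _pad1[3];
    uint32_t is_admin;
};

/* Offset the attacker derived from the original layout. A non-control-data
 * attack does not need a code pointer; it only needs to know where
 * is_admin lives relative to a corruptible object. */
#define ATTACKER_OFFSET offsetof(struct session_orig, is_admin)

/* Simulated data-oriented write primitive: four bytes at a fixed offset
 * from the start of an object, as an out-of-bounds write would deliver. */
static void attacker_write(void *obj, size_t off, uint32_t value)
{
    memcpy((char *)obj + off, &value, sizeof value);
}

/* Returns 1 if the attack escalated privilege on the original layout. */
int attack_orig(void)
{
    struct session_orig s;
    memset(&s, 0, sizeof s);
    strcpy(s.name, "guest");
    attacker_write(&s, ATTACKER_OFFSET, 1);
    return s.is_admin == 1;
}

/* Returns 1 if the same attack escalated privilege on the randomized layout.
 * The write at the old offset lands inside the (padded, moved) name buffer
 * and never reaches is_admin. */
int attack_rand(void)
{
    struct session_rand s;
    memset(&s, 0, sizeof s);
    strcpy(s.name, "guest");
    attacker_write(&s, ATTACKER_OFFSET, 1);
    return s.is_admin == 1;
}

/* Offsets of is_admin in both layouts, for inspection. */
size_t is_admin_offset_orig(void) { return offsetof(struct session_orig, is_admin); }
size_t is_admin_offset_rand(void) { return offsetof(struct session_rand, is_admin); }

int main(void)
{
    printf("is_admin offset: original=%zu randomized=%zu\n",
           is_admin_offset_orig(), is_admin_offset_rand());
    printf("attack on original layout:   %s\n", attack_orig() ? "succeeded" : "failed");
    printf("attack on randomized layout: %s\n", attack_rand() ? "succeeded" : "failed");
    return 0;
}
```

The point of the padding arrays is that reordering alone gives only n! candidate layouts for n fields (and far fewer for the adjacent pair the attacker cares about); random padding between fields makes each field's offset vary even when the order happens to repeat, so the attacker's fixed offset is wrong with much higher probability. The cost is the extra bytes per object, which is the source of the runtime overhead the abstract reports.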
