Making Code Re-randomization Practical with MARDU

Defense techniques such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) were the early role models preventing primitive code injection and return-oriented programming (ROP) attacks. Notably, these techniques did so in an elegant and utilitarian manner, keeping performance and scalability in the forefront, making them one of the few widely-adopted defense techniques. As code re-use has evolved in complexity from JIT-ROP, to BROP and data-only attacks, defense techniques seem to have tunneled on defending at all costs, losing-their-way in pragmatic defense design. Some fail to provide comprehensive coverage, being too narrow in scope, while others provide unrealistic overheads leaving users willing to take their chances to maintain performance expectations. We present Mardu, an on-demand system-wide re-randomization technique that improves re-randomization and refocuses efforts to simultaneously embrace key characteristics of defense techniques: security, performance, and scalability. Our code sharing with diversification is achieved by implementing reactive and scalable, rather than continuous or one-time diversification while the use of hardware supported eXecute-only Memory (XoM) and shadow stack prevent memory disclosure; entwining and enabling code sharing further minimizes needed tracking, patching costs, and memory overhead. Mardu's evaluation shows performance and scalability to have low average overhead in both compute-intensive (5.5% on SPEC) and real-world applications (4.4% on NGINX). With this design, Mardu demonstrates that strong and scalable security guarantees are possible to achieve at a practical cost to encourage deployment.

[1]  Salvatore J. Stolfo,et al.  Heisenbyte: Thwarting Memory Disclosure Attacks using Destructive Code Reads , 2015, CCS.

[2]  Michael Backes,et al.  Oxymoron: Making Fine-Grained Memory Randomization Practical by Allowing Code Sharing , 2014, USENIX Security Symposium.

[3]  Herbert Bos,et al.  Practical Context-Sensitive CFI , 2015, CCS.

[4]  Michalis Polychronakis,et al.  No-Execute-After-Read: Preventing Code Disclosure in Commodity Software , 2016, AsiaCCS.

[5]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.

[6]  Yutao Liu,et al.  Transparent and Efficient CFI Enforcement with Intel Processor Trace , 2017, 2017 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[7]  Bryan C. Ward,et al.  The Leakage-Resilience Dilemma , 2019, ESORICS.

[8]  Angelos D. Keromytis,et al.  kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse , 2017, EuroSys.

[9]  Sharad Malik,et al.  Morpheus: A Vulnerability-Tolerant Secure Architecture Based on Ensembles of Moving Target Defenses with Churn , 2019, ASPLOS.

[10]  Claudia Eckert,et al.  τCFI: Type-Assisted Control Flow Integrity for x86-64 Binaries , 2018, RAID.

[11]  Per Larsen,et al.  Leakage-Resilient Layout Randomization for Mobile Devices , 2016, NDSS.

[12]  Herbert Bos,et al.  Towards Automated Discovery of Crash-Resistant Primitives in Binary Executables , 2017, 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[13]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[14]  Dan Boneh,et al.  Hacking Blind , 2014, 2014 IEEE Symposium on Security and Privacy.

[15]  Per Larsen,et al.  Librando: transparent code randomization for just-in-time compilers , 2013, CCS.

[16]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[17]  Mathias Payer,et al.  SoK: Shining Light on Shadow Stacks , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[18]  Daniel C. DuVarney,et al.  Efficient Techniques for Comprehensive Protection from Memory Error Exploits , 2005, USENIX Security Symposium.

[19]  Xi Chen,et al.  A Tough Call: Mitigating Advanced Code-Reuse Attacks at the Binary Level , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[20]  Xi Chen,et al.  CodeArmor: Virtualizing the Code Space to Counter Disclosure Attacks , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[21]  Angelos D. Keromytis,et al.  Transparent ROP Exploit Mitigation Using Indirect Branch Tracing , 2013, USENIX Security Symposium.

[22]  Stelios Sidiroglou,et al.  Missing the Point(er): On the Effectiveness of Code Pointer Integrity , 2015, 2015 IEEE Symposium on Security and Privacy.

[23]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[24]  Zhenkai Liang,et al.  Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[25]  Ismael Ripoll,et al.  Address Space Layout Randomization Next Generation , 2019, Applied Sciences.

[26]  Michael Backes,et al.  You Can Run but You Can't Read: Preventing Disclosure Exploits in Executable Code , 2014, CCS.

[27]  Trent Jaeger,et al.  GRIFFIN: Guarding Control Flows Using Intel Processor Trace , 2017, ASPLOS.

[28]  Jack W. Davidson,et al.  ILR: Where'd My Gadgets Go? , 2012, 2012 IEEE Symposium on Security and Privacy.

[29]  Robert H. Deng,et al.  ROPecker: A Generic and Practical Approach For Defending Against ROP Attacks , 2014, NDSS.

[30]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[31]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[32]  Junfeng Yang,et al.  Shuffler: Fast and Deployable Continuous Code Re-Randomization , 2016, OSDI.

[33]  Ben Niu,et al.  Per-Input Control-Flow Integrity , 2015, CCS.

[34]  Peng Ning,et al.  Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[35]  Peng Ning,et al.  HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities , 2015, CODASPY.

[36]  Cristiano Giuffrida,et al.  Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization , 2012, USENIX Security Symposium.

[37]  Xiangyu Zhang,et al.  ReRanz: A Light-Weight Virtual Machine to Mitigate Memory Disclosure Attacks , 2017, VEE.

[38]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[39]  Wenke Lee,et al.  How to Make ASLR Win the Clone Wars: Runtime Re-Randomization , 2016, NDSS.

[40]  Ahmad-Reza Sadeghi,et al.  Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming , 2015, NDSS.

[41]  Per Larsen,et al.  Selfrando: Securing the Tor Browser against De-anonymization Exploits , 2016, Proc. Priv. Enhancing Technol..

[42]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[43]  Xi Chen,et al.  The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later , 2017, CCS.

[44]  No License,et al.  Intel ® 64 and IA-32 Architectures Software Developer ’ s Manual Volume 3 A : System Programming Guide , Part 1 , 2006 .

[45]  Herbert Bos,et al.  Undermining Information Hiding (and What to Do about It) , 2016, USENIX Security Symposium.

[46]  Per Larsen,et al.  Address Oblivious Code Reuse: On the Effectiveness of Leakage Resilient Diversity , 2017, NDSS.

[47]  Michalis Polychronakis,et al.  Juggling the Gadgets: Binary-level Code Randomization using Instruction Displacement , 2016, AsiaCCS.

[48]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[49]  Per Larsen,et al.  It's a TRaP: Table Randomization and Protection against Function-Reuse Attacks , 2015, CCS.

[50]  Kevin W. Hamlen,et al.  Binary stirring: self-randomizing instruction addresses of legacy x86 binary code , 2012, CCS.

[51]  Zhiqiang Lin,et al.  PT-CFI: Transparent Backward-Edge Control Flow Violation Detection Using Intel Processor Trace , 2017, CODASPY.

[52]  Per Larsen,et al.  Readactor: Practical Code Randomization Resilient to Memory Disclosure , 2015, 2015 IEEE Symposium on Security and Privacy.

[53]  Lucas Davi,et al.  Breaking and Fixing Destructive Code Read Defenses , 2017, ACSAC.

[54]  Michael Hamburg,et al.  Meltdown: Reading Kernel Memory from User Space , 2018, USENIX Security Symposium.

[55]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[56]  Thorsten Holz,et al.  Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding , 2016, NDSS.

[57]  William W. Streilein,et al.  Timely Rerandomization for Mitigating Memory Disclosures , 2015, CCS.

[58]  Heng Yin,et al.  vfGuard: Strict Protection for Virtual Function Calls in COTS C++ Binaries , 2015, NDSS.

[59]  Angelos D. Keromytis,et al.  Smashing the Gadgets: Hindering Return-Oriented Programming Using In-place Code Randomization , 2012, 2012 IEEE Symposium on Security and Privacy.

[60]  Michalis Polychronakis,et al.  Return to the Zombie Gadgets: Undermining Destructive Code Reads via Code Inference Attacks , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[61]  Herbert Bos,et al.  Poking Holes in Information Hiding , 2016, USENIX Security Symposium.