DiffGuard: Obscuring Sensitive Information in Canary Based Protections

Memory corruption attacks have monopolized the headlines in the security research community for the past two decades. NX/XD, ASLR, and canary-based protections have been introduced to defend effectively against memory corruption attacks. Most of these techniques rely on keeping secret some key information that attackers need in order to build an exploit. Unfortunately, due to the inherent limitations of these defenses, it is relatively difficult to prevent skilled attackers from finding those secrets and creating effective exploits. Through an information disclosure vulnerability, attackers could leak stack data of the running process and recover the canary word without crashing the program. We present DiffGuard, a modification of canary-based protections which eliminates stack sweep attacks against the canary and proposes more robust countermeasures against the byte-by-byte discovery of stack canaries in forking programs. We have implemented a compiler-based DiffGuard which consists of a plugin for GCC and a PIC dynamic shared library that gets linked with the running application via LD_PRELOAD. DiffGuard incurs an average runtime overhead of 3.2%, while ensuring application correctness and seamless integration with third-party software.
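The abstract refers to byte-by-byte discovery of stack canaries in forking programs: because a child process inherits the parent's canary, a crash/no-crash oracle lets each byte be confirmed independently, so the secret falls in at most 7 * 256 probes on x86-64 rather than 2^56. The simulation below is an added example, not code from the paper or the DiffGuard implementation; it models the oracle abstractly (no memory is touched) and compares a worker pool that keeps one canary against a hardened variant that draws a fresh canary for every child. The per-child refresh is an assumption chosen to illustrate why re-randomization defeats incremental confirmation; the abstract does not spell out DiffGuard's exact mechanism. The names `ForkingServer`, `incremental_recovery` and `run_recovery` are this example's own.

```python
import secrets

CANARY_LEN = 8  # x86-64 canary width; GCC keeps the lowest byte zero as a string terminator


def fresh_canary() -> bytes:
    """Draw a canary the way a hardened runtime would: CSPRNG bytes behind a fixed null byte."""
    return b"\x00" + secrets.token_bytes(CANARY_LEN - 1)


class ForkingServer:
    """Abstract model of a pre-forking worker pool (constructed for this example).

    refresh_per_child=False: every child keeps the parent's canary (stock fork() behaviour).
    refresh_per_child=True:  every child gets a fresh canary (the re-randomization idea).
    """

    def __init__(self, refresh_per_child: bool):
        self.refresh = refresh_per_child
        self.parent_canary = fresh_canary()
        self.probes = 0  # how many children the prober has consumed

    def handle(self, guess_prefix: bytes) -> bool:
        """Crash/no-crash oracle: True if the child survives, i.e. the guessed prefix
        matched the bytes it overwrote; False if the canary check aborted the child."""
        self.probes += 1
        canary = fresh_canary() if self.refresh else self.parent_canary
        return canary[: len(guess_prefix)] == guess_prefix


def incremental_recovery(server: ForkingServer, budget: int) -> bytes:
    """Byte-at-a-time confirmation: a surviving child is taken as proof that the
    prefix was right. Returns the prefix the prober believes in when it stops."""
    known = b"\x00"  # the public null byte costs no probes
    while len(known) < CANARY_LEN and server.probes < budget:
        for candidate in range(256):
            if server.probes >= budget:
                break
            if server.handle(known + bytes([candidate])):
                known += bytes([candidate])  # accepted; move to the next position
                break
        else:
            break  # no candidate survived: with a fresh canary per child, no progress is possible
    return known


def run_recovery(refresh_per_child: bool, budget: int = 4096) -> dict:
    """Run the strategy against one server configuration and report whether the
    recovered value is actually accepted by the next child."""
    server = ForkingServer(refresh_per_child)
    believed = incremental_recovery(server, budget)
    # A recovered canary only matters if a subsequent child honours it.
    success = len(believed) == CANARY_LEN and server.handle(believed)
    return {
        "success": success,
        "probes": server.probes,
        "recovered_bytes": len(believed),
    }


if __name__ == "__main__":
    print("shared canary across children:", run_recovery(refresh_per_child=False))
    print("fresh canary per child:       ", run_recovery(refresh_per_child=True))
```

With a shared canary the prober always finishes within 1 + 7 * 256 oracle calls; with a per-child canary the accepted "bytes" are chance survivals (about 1/256 per guess), so the believed value is rejected by the next child, which is the property a defense in this class is meant to restore. In a real deployment the refresh would have to update the canary wherever the runtime cached it (the TLS slot GCC's stack protector reads, for instance), which is exactly the kind of detail a compiler plugin plus preloaded library is positioned to handle.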
