Fine-grained live ASLR (address space layout randomization) during runtime, periodically or with random time intervals.
This can significantly leverage the bar of code reuse attack, like return-oriented programming (ROP).
In case of information leak, sine it is runtime dynamic ASLR, the memory layout can be changed.
keywords for search: control-flow integrity, CFI, memory corruption, Oakland, IEEE S&P, CCS, USENIX Security, NDSS, CODASPY, memory bugs, memory error, buffer overflow, crash, use after free, double free, ptrace
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)
1. Remix: On-demand Live Randomization
Yue Chen, Zhi Wang, David Whalley, Long Lu
Florida State University
Stony Brook University
6th ACM Conference on Data and Applications Security and Privacy, New Orleans, LA, USA
11. Remix
Live basic block (BB) randomization within functions
Advantages:
No function pointer migration
Good spatial locality
12. Remix
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Space for
Alignment
Other Functions
…
Function A
13. Remix
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Space for
Alignment
Other Functions
…
Function A
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Other Functions
…
Function A
After
0.86 seconds
14. Remix
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Space for
Alignment
Other Functions
…
Function A
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Other Functions
…
Function A
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Other Functions
…
Function A
After
0.86 seconds
After
2.13 seconds
15. Challenges
• Chain randomized basic blocks together
– Need extra space
– Instruction update
• Stale pointer migration
16. Extra Space
Case 1: Extra Jmp
Basic Block 1
Basic Block 2
Basic Block 3
Jmp to BB1
(1) At the Beginning of a Function
17. Extra Space
Case 1: Extra Jmp
Basic Block 1
Basic Block 2
Basic Block 3
Jmp to BB1
(1) At the Beginning of a Function (2) At the End of a Basic Block that does
not end with instructions like Jmp/Ret
mov …
add …
mov …
mov …
add …
jle …
18. Extra Space
Case 2: Displacement Length
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Jump to BB3
Before Remix
19. Extra Space
Case 2: Displacement Length
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Jump to BB3 Jump to BB3
Before Remix After Remix
20. Extra Space
Case 2: Displacement Length
One-byte displacement:
jmp +0x10
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Jump to BB3 Jump to BB3
Four-byte displacement:
jmp +0x00001000
Before Remix After Remix
21. Extra Space
Solution
With Source Code:
Modify the compiler to:
1. Insert an extra 5-byte NOP
instruction after each basic block
2. Only generate instructions with
4-byte displacement
Enough Space Guaranteed!
22. Extra Space
Solution
With Source Code:
Modify the compiler to:
1. Insert an extra 5-byte NOP
instruction after each basic block
2. Only generate instructions with
4-byte displacement
Enough Space Guaranteed!
Without Source Code:
Leverage existing NOP paddings:
• Function alignment
• Loop alignment
34. Bundle
Optimization
Speed up execution:
• Probabilistic Loop Bundling
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Loop
Basic Block 1
Bundled BB
Basic Block 4
Basic Block 5
The bundling layout is different from time to time. – Unpredictable!
Basic Block 1
Bundled BB
Basic Block 4
Basic Block 5
Randomize
35. Implementation
• Compiler
– Slightly modified LLVM
• Linux userspace applications
– Ptrace, an isolated small agent to perform the
randomization
• Freebsd kernel modules
– smp_rendezvous
36. Evaluation - Security
• Finer-grained randomization:
– Entropy boost
• Live randomization during runtime:
– Destroy discovered gadgets immediately
Software Apache nginx lighttpd
Average Basic Block Number
per Function
15.3 18.8 14.4
Average NOP Space (bytes)
per Function
19.3 26.2 22.1
Want more entropy? – Insert more NOP space!
39. Evaluation - Performance
Apache Web Server Performance Overhead (by ApacheBench)
Randomization Time Interval
Randomization time interval can be random !Performance depends on hardware speed.
40. Evaluation - Performance
ReiserFS Performance Overhead (by IOZone)
Randomization Time Interval
Randomization time interval can be random !Performance depends on hardware speed.