SlideShare uma empresa Scribd logo

Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Transferir como PPTX, PDF
Yue Chen
Yue Chen

Fine-grained live ASLR (address space layout randomization) during runtime, periodically or with random time intervals. This can significantly leverage the bar of code reuse attack, like return-oriented programming (ROP). In case of information leak, sine it is runtime dynamic ASLR, the memory layout can be changed. keywords for search: control-flow integrity, CFI, memory corruption, Oakland, IEEE S&P, CCS, USENIX Security, NDSS, CODASPY, memory bugs, memory error, buffer overflow, crash, use after free, double free, ptrace

Engenharia
1 de 41
Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu Florida State University Stony Brook University 6th ACM Conference on Data and Applications Security and Privacy, New Orleans, LA, USA
Code Reuse Attack • Buffer Overflow -> Code Injection Attack
Code Reuse Attack • Buffer Overflow -> Code Injection Attack – Defense: Data Execution Prevention (DEP) • Write XOR Execute
Code Reuse Attack • Buffer Overflow -> Code Injection Attack – Defense: Data Execution Prevention (DEP) • Write XOR Execute • Return-oriented Programming Attack – Discover gadgets from existing code, chain them by ret instruction – Turing complete
Code Reuse Attack Existing Code Chained Gadgets
ASLR Address Space Layout Randomization Executable Library1 Library1 Executable
ASLR - Problem Library1 Executable Pointer Leak
ASLR - Problem Library1 Executable Pointer Leak De-randomized
Goal • Live randomization during runtime • Finer-grained randomization unit • Low performance overhead
Remix Live basic block (BB) randomization within functions
Remix Live basic block (BB) randomization within functions Advantages: No function pointer migration Good spatial locality
Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A
Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A After 0.86 seconds
Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A After 0.86 seconds After 2.13 seconds
Challenges • Chain randomized basic blocks together – Need extra space – Instruction update • Stale pointer migration
Extra Space Case 1: Extra Jmp Basic Block 1 Basic Block 2 Basic Block 3 Jmp to BB1 (1) At the Beginning of a Function
Extra Space Case 1: Extra Jmp Basic Block 1 Basic Block 2 Basic Block 3 Jmp to BB1 (1) At the Beginning of a Function (2) At the End of a Basic Block that does not end with instructions like Jmp/Ret mov … add … mov … mov … add … jle …
Extra Space Case 2: Displacement Length Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Before Remix
Extra Space Case 2: Displacement Length Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Jump to BB3 Before Remix After Remix
Extra Space Case 2: Displacement Length One-byte displacement: jmp +0x10 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Jump to BB3 Four-byte displacement: jmp +0x00001000 Before Remix After Remix
Extra Space Solution With Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement  Enough Space Guaranteed!
Extra Space Solution With Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement  Enough Space Guaranteed! Without Source Code: Leverage existing NOP paddings: • Function alignment • Loop alignment
Instruction Update Q: Which instructions need updating ?
Instruction Update Q: Which instructions need updating ? A: Control-flow related ones
Instruction Update Two-step update (e.g., unconditional direct jmp): Basic Block 1 Basic Block 2 Basic Block 3 Original After BB Reordering Step one: Jumps to Original Address of BB 3 Step two: Jumps to Current Address of BB 3 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 2 Basic Block 3 jmp
Instruction Update • Direct call: Step-one update • Indirect call: No update needed • Direct jump: Step-one and step-two update • Indirect jump: Discussed later • PC-relative addressing: Step-one update
Indirect Jump • Jump to functions – Unmoved – PLT/GOT – Tail/Sibling Call • Jump to basic blocks – See next
Basic Block Pointer Conversion • Why? - Migrate stale pointers to basic blocks, to ensure correctness
Basic Block Pointer Conversion • Why? - Migrate stale pointers to basic blocks, to ensure correctness • Where? - Return address - Jump table (switch/case) - Saved context (e.g., setjmp/longjmp) - Kernel exception table …
Optimization  Speed up randomization procedure: • Metadata Maintenance – Basic block information (e.g., location) – Code/data that need updating
Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop
Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Bundle
Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Bundle Randomize
Bundle Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 The bundling layout is different from time to time. – Unpredictable! Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Randomize
Implementation • Compiler – Slightly modified LLVM • Linux userspace applications – Ptrace, an isolated small agent to perform the randomization • Freebsd kernel modules – smp_rendezvous
Evaluation - Security • Finer-grained randomization: – Entropy boost • Live randomization during runtime: – Destroy discovered gadgets immediately Software Apache nginx lighttpd Average Basic Block Number per Function 15.3 18.8 14.4 Average NOP Space (bytes) per Function 19.3 26.2 22.1 Want more entropy? – Insert more NOP space!
Evaluation - Performance SPEC CPU 2006 Performance Overhead
Evaluation - Performance SPEC CPU 2006 Size Increase
Evaluation - Performance Apache Web Server Performance Overhead (by ApacheBench) Randomization Time Interval Randomization time interval can be random !Performance depends on hardware speed.
Evaluation - Performance ReiserFS Performance Overhead (by IOZone) Randomization Time Interval Randomization time interval can be random !Performance depends on hardware speed.
Q&A

Recomendados

Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionGeorg Wicherski
 
Intel processor trace - What are Recorded?
Intel processor trace - What are Recorded?Intel processor trace - What are Recorded?
Intel processor trace - What are Recorded?Pipat Methavanitpong
 
Os lectures
Os lecturesOs lectures
Os lecturesAdnan Ghafoor
 
Threads in Operating System | Multithreading | Interprocess Communication
Threads in Operating System | Multithreading | Interprocess CommunicationThreads in Operating System | Multithreading | Interprocess Communication
Threads in Operating System | Multithreading | Interprocess CommunicationShivam Mitra
 
BAM experiences in large scale deployments
BAM experiences in large scale deploymentsBAM experiences in large scale deployments
BAM experiences in large scale deploymentsAIMS Innovation
 
Release Cycle Changes
Release Cycle ChangesRelease Cycle Changes
Release Cycle ChangesHPCC Systems
 
Process management in operating system | process states | PCB | FORK() | Zomb...
Process management in operating system | process states | PCB | FORK() | Zomb...Process management in operating system | process states | PCB | FORK() | Zomb...
Process management in operating system | process states | PCB | FORK() | Zomb...Shivam Mitra
 
File Systems: Why, How and Where
File Systems: Why, How and WhereFile Systems: Why, How and Where
File Systems: Why, How and WhereKernel TLV
 

Recomendados

Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionGeorg Wicherski
 
Intel processor trace - What are Recorded?
Intel processor trace - What are Recorded?Intel processor trace - What are Recorded?
Intel processor trace - What are Recorded?Pipat Methavanitpong
 
Os lectures
Os lecturesOs lectures
Os lecturesAdnan Ghafoor
 
Threads in Operating System | Multithreading | Interprocess Communication
Threads in Operating System | Multithreading | Interprocess CommunicationThreads in Operating System | Multithreading | Interprocess Communication
Threads in Operating System | Multithreading | Interprocess CommunicationShivam Mitra
 
BAM experiences in large scale deployments
BAM experiences in large scale deploymentsBAM experiences in large scale deployments
BAM experiences in large scale deploymentsAIMS Innovation
 
Release Cycle Changes
Release Cycle ChangesRelease Cycle Changes
Release Cycle ChangesHPCC Systems
 
Process management in operating system | process states | PCB | FORK() | Zomb...
Process management in operating system | process states | PCB | FORK() | Zomb...Process management in operating system | process states | PCB | FORK() | Zomb...
Process management in operating system | process states | PCB | FORK() | Zomb...Shivam Mitra
 
File Systems: Why, How and Where
File Systems: Why, How and WhereFile Systems: Why, How and Where
File Systems: Why, How and WhereKernel TLV
 
Rashid new cv 2014
Rashid new cv 2014Rashid new cv 2014
Rashid new cv 2014Rashid Ali
 
A Perspective from the intersection Data Science, Mobility, and Mobile Devices
A Perspective from the intersection Data Science, Mobility, and Mobile DevicesA Perspective from the intersection Data Science, Mobility, and Mobile Devices
A Perspective from the intersection Data Science, Mobility, and Mobile DevicesYael Garten
 
White paper hadoop performancetuning
White paper hadoop performancetuningWhite paper hadoop performancetuning
White paper hadoop performancetuningAnil Reddy
 
Data Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedInData Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedInYael Garten
 
Impala SQL Support
Impala SQL SupportImpala SQL Support
Impala SQL SupportYue Chen
 
Admission Control in Impala
Admission Control in ImpalaAdmission Control in Impala
Admission Control in ImpalaCloudera, Inc.
 
Cloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and AnalysisCloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and AnalysisYue Chen
 
Apache Impala (incubating) 2.5 Performance Update
Apache Impala (incubating) 2.5 Performance UpdateApache Impala (incubating) 2.5 Performance Update
Apache Impala (incubating) 2.5 Performance UpdateCloudera, Inc.
 
Hadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialHadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialhadooparchbook
 
How to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organizationHow to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organizationYael Garten
 
SecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security SystemsSecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security SystemsYue Chen
 
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...Cloudera, Inc.
 
Nested Types in Impala
Nested Types in ImpalaNested Types in Impala
Nested Types in ImpalaCloudera, Inc.
 
Architecting next generation big data platform
Architecting next generation big data platformArchitecting next generation big data platform
Architecting next generation big data platformhadooparchbook
 
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for productionFaster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for productionCloudera, Inc.
 
What no one tells you about writing a streaming app
What no one tells you about writing a streaming appWhat no one tells you about writing a streaming app
What no one tells you about writing a streaming apphadooparchbook
 
Hoodie: Incremental processing on hadoop
Hoodie: Incremental processing on hadoopHoodie: Incremental processing on hadoop
Hoodie: Incremental processing on hadoopPrasanna Rajaperumal
 
Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationshadooparchbook
 
Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationshadooparchbook
 
Streaming architecture patterns
Streaming architecture patternsStreaming architecture patterns
Streaming architecture patternshadooparchbook
 
Automated deployments using envoy by John Blackmore
Automated deployments using envoy by John BlackmoreAutomated deployments using envoy by John Blackmore
Automated deployments using envoy by John BlackmoreTechExeter
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksAnne Nicolas
 

Mais conteúdo relacionado

Destaque

Rashid new cv 2014
Rashid new cv 2014Rashid new cv 2014
Rashid new cv 2014Rashid Ali
 
A Perspective from the intersection Data Science, Mobility, and Mobile Devices
A Perspective from the intersection Data Science, Mobility, and Mobile DevicesA Perspective from the intersection Data Science, Mobility, and Mobile Devices
A Perspective from the intersection Data Science, Mobility, and Mobile DevicesYael Garten
 
White paper hadoop performancetuning
White paper hadoop performancetuningWhite paper hadoop performancetuning
White paper hadoop performancetuningAnil Reddy
 
Data Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedInData Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedInYael Garten
 
Impala SQL Support
Impala SQL SupportImpala SQL Support
Impala SQL SupportYue Chen
 
Admission Control in Impala
Admission Control in ImpalaAdmission Control in Impala
Admission Control in ImpalaCloudera, Inc.
 
Cloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and AnalysisCloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and AnalysisYue Chen
 
Apache Impala (incubating) 2.5 Performance Update
Apache Impala (incubating) 2.5 Performance UpdateApache Impala (incubating) 2.5 Performance Update
Apache Impala (incubating) 2.5 Performance UpdateCloudera, Inc.
 
Hadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialHadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialhadooparchbook
 
How to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organizationHow to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organizationYael Garten
 
SecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security SystemsSecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security SystemsYue Chen
 
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...Cloudera, Inc.
 
Nested Types in Impala
Nested Types in ImpalaNested Types in Impala
Nested Types in ImpalaCloudera, Inc.
 
Architecting next generation big data platform
Architecting next generation big data platformArchitecting next generation big data platform
Architecting next generation big data platformhadooparchbook
 
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for productionFaster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for productionCloudera, Inc.
 
What no one tells you about writing a streaming app
What no one tells you about writing a streaming appWhat no one tells you about writing a streaming app
What no one tells you about writing a streaming apphadooparchbook
 
Hoodie: Incremental processing on hadoop
Hoodie: Incremental processing on hadoopHoodie: Incremental processing on hadoop
Hoodie: Incremental processing on hadoopPrasanna Rajaperumal
 
Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationshadooparchbook
 
Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationshadooparchbook
 
Streaming architecture patterns
Streaming architecture patternsStreaming architecture patterns
Streaming architecture patternshadooparchbook
 

Destaque (20)

Rashid new cv 2014
Rashid new cv 2014Rashid new cv 2014
Rashid new cv 2014
 
A Perspective from the intersection Data Science, Mobility, and Mobile Devices
A Perspective from the intersection Data Science, Mobility, and Mobile DevicesA Perspective from the intersection Data Science, Mobility, and Mobile Devices
A Perspective from the intersection Data Science, Mobility, and Mobile Devices
 
White paper hadoop performancetuning
White paper hadoop performancetuningWhite paper hadoop performancetuning
White paper hadoop performancetuning
 
Data Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedInData Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedIn
 
Impala SQL Support
Impala SQL SupportImpala SQL Support
Impala SQL Support
 
Admission Control in Impala
Admission Control in ImpalaAdmission Control in Impala
Admission Control in Impala
 
Cloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and AnalysisCloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and Analysis
 
Apache Impala (incubating) 2.5 Performance Update
Apache Impala (incubating) 2.5 Performance UpdateApache Impala (incubating) 2.5 Performance Update
Apache Impala (incubating) 2.5 Performance Update
 
Hadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialHadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorial
 
How to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organizationHow to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organization
 
SecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security SystemsSecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security Systems
 
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
 
Nested Types in Impala
Nested Types in ImpalaNested Types in Impala
Nested Types in Impala
 
Architecting next generation big data platform
Architecting next generation big data platformArchitecting next generation big data platform
Architecting next generation big data platform
 
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for productionFaster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
 
What no one tells you about writing a streaming app
What no one tells you about writing a streaming appWhat no one tells you about writing a streaming app
What no one tells you about writing a streaming app
 
Hoodie: Incremental processing on hadoop
Hoodie: Incremental processing on hadoopHoodie: Incremental processing on hadoop
Hoodie: Incremental processing on hadoop
 
Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applications
 
Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applications
 
Streaming architecture patterns
Streaming architecture patternsStreaming architecture patterns
Streaming architecture patterns
 

Semelhante a Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Automated deployments using envoy by John Blackmore
Automated deployments using envoy by John BlackmoreAutomated deployments using envoy by John Blackmore
Automated deployments using envoy by John BlackmoreTechExeter
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksAnne Nicolas
 
Exploiting the windows kernel
Exploiting the windows kernelExploiting the windows kernel
Exploiting the windows kernelJapneet Singh
 
Search at Twitter: Presented by Michael Busch, Twitter
Search at Twitter: Presented by Michael Busch, TwitterSearch at Twitter: Presented by Michael Busch, Twitter
Search at Twitter: Presented by Michael Busch, TwitterLucidworks
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxSam Bowne
 
Kafka Summit NYC 2017 - Deep Dive Into Apache Kafka
Kafka Summit NYC 2017 - Deep Dive Into Apache KafkaKafka Summit NYC 2017 - Deep Dive Into Apache Kafka
Kafka Summit NYC 2017 - Deep Dive Into Apache Kafkaconfluent
 
Asynchronous Programming in Kotlin with Coroutines
Asynchronous Programming in Kotlin with CoroutinesAsynchronous Programming in Kotlin with Coroutines
Asynchronous Programming in Kotlin with CoroutinesTobias Schürg
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxSam Bowne
 
Make static instrumentation great again, High performance fuzzing for Windows...
Make static instrumentation great again, High performance fuzzing for Windows...Make static instrumentation great again, High performance fuzzing for Windows...
Make static instrumentation great again, High performance fuzzing for Windows...Lucas Leong
 
Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...
Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...
Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...Blue Raster
 
DEF CON 27 - JEFF DILEO - evil e bpf in depth
DEF CON 27 - JEFF DILEO - evil e bpf in depthDEF CON 27 - JEFF DILEO - evil e bpf in depth
DEF CON 27 - JEFF DILEO - evil e bpf in depthFelipe Prado
 
Chapter 02 modified
Chapter 02 modifiedChapter 02 modified
Chapter 02 modifiedJugal Doshi
 
Kafka replication apachecon_2013
Kafka replication apachecon_2013Kafka replication apachecon_2013
Kafka replication apachecon_2013Jun Rao
 
2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...
2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...
2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...Brian Vandegriend
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
SFBigAnalytics_20190724: Monitor kafka like a Pro
SFBigAnalytics_20190724: Monitor kafka like a ProSFBigAnalytics_20190724: Monitor kafka like a Pro
SFBigAnalytics_20190724: Monitor kafka like a ProChester Chen
 

Semelhante a Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime) (20)

Automated deployments using envoy by John Blackmore
Automated deployments using envoy by John BlackmoreAutomated deployments using envoy by John Blackmore
Automated deployments using envoy by John Blackmore
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
 
Exploiting the windows kernel
Exploiting the windows kernelExploiting the windows kernel
Exploiting the windows kernel
 
Search at Twitter: Presented by Michael Busch, Twitter
Search at Twitter: Presented by Michael Busch, TwitterSearch at Twitter: Presented by Michael Busch, Twitter
Search at Twitter: Presented by Michael Busch, Twitter
 
es_hardware_handout
es_hardware_handoutes_hardware_handout
es_hardware_handout
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in Linux
 
Kafka Summit NYC 2017 - Deep Dive Into Apache Kafka
Kafka Summit NYC 2017 - Deep Dive Into Apache KafkaKafka Summit NYC 2017 - Deep Dive Into Apache Kafka
Kafka Summit NYC 2017 - Deep Dive Into Apache Kafka
 
Asynchronous Programming in Kotlin with Coroutines
Asynchronous Programming in Kotlin with CoroutinesAsynchronous Programming in Kotlin with Coroutines
Asynchronous Programming in Kotlin with Coroutines
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
 
Make static instrumentation great again, High performance fuzzing for Windows...
Make static instrumentation great again, High performance fuzzing for Windows...Make static instrumentation great again, High performance fuzzing for Windows...
Make static instrumentation great again, High performance fuzzing for Windows...
 
Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...
Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...
Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...
 
DEF CON 27 - JEFF DILEO - evil e bpf in depth
DEF CON 27 - JEFF DILEO - evil e bpf in depthDEF CON 27 - JEFF DILEO - evil e bpf in depth
DEF CON 27 - JEFF DILEO - evil e bpf in depth
 
Chapter 02 modified
Chapter 02 modifiedChapter 02 modified
Chapter 02 modified
 
Ch5 process synchronization
Ch5 process synchronizationCh5 process synchronization
Ch5 process synchronization
 
Kafka replication apachecon_2013
Kafka replication apachecon_2013Kafka replication apachecon_2013
Kafka replication apachecon_2013
 
2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...
2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...
2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
SFBigAnalytics_20190724: Monitor kafka like a Pro
SFBigAnalytics_20190724: Monitor kafka like a ProSFBigAnalytics_20190724: Monitor kafka like a Pro
SFBigAnalytics_20190724: Monitor kafka like a Pro
 

Mais de Yue Chen

KARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingKARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingYue Chen
 
EncExec: Secure In-Cache Execution
EncExec: Secure In-Cache ExecutionEncExec: Secure In-Cache Execution
EncExec: Secure In-Cache ExecutionYue Chen
 
Ravel: Pinpointing Vulnerabilities
Ravel: Pinpointing VulnerabilitiesRavel: Pinpointing Vulnerabilities
Ravel: Pinpointing VulnerabilitiesYue Chen
 
Pinpointing Vulnerabilities (Ravel)
Pinpointing Vulnerabilities (Ravel)Pinpointing Vulnerabilities (Ravel)
Pinpointing Vulnerabilities (Ravel)Yue Chen
 
Inside Parquet Format
Inside Parquet FormatInside Parquet Format
Inside Parquet FormatYue Chen
 
Inside HDFS Append
Inside HDFS AppendInside HDFS Append
Inside HDFS AppendYue Chen
 
How Impala Works
How Impala WorksHow Impala Works
How Impala WorksYue Chen
 

Mais de Yue Chen (7)

KARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingKARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live Patching
 
EncExec: Secure In-Cache Execution
EncExec: Secure In-Cache ExecutionEncExec: Secure In-Cache Execution
EncExec: Secure In-Cache Execution
 
Ravel: Pinpointing Vulnerabilities
Ravel: Pinpointing VulnerabilitiesRavel: Pinpointing Vulnerabilities
Ravel: Pinpointing Vulnerabilities
 
Pinpointing Vulnerabilities (Ravel)
Pinpointing Vulnerabilities (Ravel)Pinpointing Vulnerabilities (Ravel)
Pinpointing Vulnerabilities (Ravel)
 
Inside Parquet Format
Inside Parquet FormatInside Parquet Format
Inside Parquet Format
 
Inside HDFS Append
Inside HDFS AppendInside HDFS Append
Inside HDFS Append
 
How Impala Works
How Impala WorksHow Impala Works
How Impala Works
 

Último

Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Suman Mia
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxthe ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxhumanexperienceaaa
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...ranjana rawat
 

Último (20)

Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxthe ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
 

Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

  • 1. Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu Florida State University Stony Brook University 6th ACM Conference on Data and Applications Security and Privacy, New Orleans, LA, USA
  • 2. Code Reuse Attack • Buffer Overflow -> Code Injection Attack
  • 3. Code Reuse Attack • Buffer Overflow -> Code Injection Attack – Defense: Data Execution Prevention (DEP) • Write XOR Execute
  • 4. Code Reuse Attack • Buffer Overflow -> Code Injection Attack – Defense: Data Execution Prevention (DEP) • Write XOR Execute • Return-oriented Programming Attack – Discover gadgets from existing code, chain them by ret instruction – Turing complete
  • 5. Code Reuse Attack Existing Code Chained Gadgets
  • 6. ASLR Address Space Layout Randomization Executable Library1 Library1 Executable
  • 9. Goal • Live randomization during runtime • Finer-grained randomization unit • Low performance overhead
  • 10. Remix Live basic block (BB) randomization within functions
  • 11. Remix Live basic block (BB) randomization within functions Advantages: No function pointer migration Good spatial locality
  • 12. Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A
  • 13. Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A After 0.86 seconds
  • 14. Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A After 0.86 seconds After 2.13 seconds
  • 15. Challenges • Chain randomized basic blocks together – Need extra space – Instruction update • Stale pointer migration
  • 16. Extra Space Case 1: Extra Jmp Basic Block 1 Basic Block 2 Basic Block 3 Jmp to BB1 (1) At the Beginning of a Function
  • 17. Extra Space Case 1: Extra Jmp Basic Block 1 Basic Block 2 Basic Block 3 Jmp to BB1 (1) At the Beginning of a Function (2) At the End of a Basic Block that does not end with instructions like Jmp/Ret mov … add … mov … mov … add … jle …
  • 18. Extra Space Case 2: Displacement Length Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Before Remix
  • 19. Extra Space Case 2: Displacement Length Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Jump to BB3 Before Remix After Remix
  • 20. Extra Space Case 2: Displacement Length One-byte displacement: jmp +0x10 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Jump to BB3 Four-byte displacement: jmp +0x00001000 Before Remix After Remix
  • 21. Extra Space Solution With Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement  Enough Space Guaranteed!
  • 22. Extra Space Solution With Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement  Enough Space Guaranteed! Without Source Code: Leverage existing NOP paddings: • Function alignment • Loop alignment
  • 23. Instruction Update Q: Which instructions need updating ?
  • 24. Instruction Update Q: Which instructions need updating ? A: Control-flow related ones
  • 25. Instruction Update Two-step update (e.g., unconditional direct jmp): Basic Block 1 Basic Block 2 Basic Block 3 Original After BB Reordering Step one: Jumps to Original Address of BB 3 Step two: Jumps to Current Address of BB 3 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 2 Basic Block 3 jmp
  • 26. Instruction Update • Direct call: Step-one update • Indirect call: No update needed • Direct jump: Step-one and step-two update • Indirect jump: Discussed later • PC-relative addressing: Step-one update
  • 27. Indirect Jump • Jump to functions – Unmoved – PLT/GOT – Tail/Sibling Call • Jump to basic blocks – See next
  • 28. Basic Block Pointer Conversion • Why? - Migrate stale pointers to basic blocks, to ensure correctness
  • 29. Basic Block Pointer Conversion • Why? - Migrate stale pointers to basic blocks, to ensure correctness • Where? - Return address - Jump table (switch/case) - Saved context (e.g., setjmp/longjmp) - Kernel exception table …
  • 30. Optimization  Speed up randomization procedure: • Metadata Maintenance – Basic block information (e.g., location) – Code/data that need updating
  • 31. Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop
  • 32. Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Bundle
  • 33. Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Bundle Randomize
  • 34. Bundle Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 The bundling layout is different from time to time. – Unpredictable! Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Randomize
  • 35. Implementation • Compiler – Slightly modified LLVM • Linux userspace applications – Ptrace, an isolated small agent to perform the randomization • Freebsd kernel modules – smp_rendezvous
  • 36. Evaluation - Security • Finer-grained randomization: – Entropy boost • Live randomization during runtime: – Destroy discovered gadgets immediately Software Apache nginx lighttpd Average Basic Block Number per Function 15.3 18.8 14.4 Average NOP Space (bytes) per Function 19.3 26.2 22.1 Want more entropy? – Insert more NOP space!
  • 37. Evaluation - Performance SPEC CPU 2006 Performance Overhead
  • 38. Evaluation - Performance SPEC CPU 2006 Size Increase
  • 39. Evaluation - Performance Apache Web Server Performance Overhead (by ApacheBench) Randomization Time Interval Randomization time interval can be random !Performance depends on hardware speed.
  • 40. Evaluation - Performance ReiserFS Performance Overhead (by IOZone) Randomization Time Interval Randomization time interval can be random !Performance depends on hardware speed.
  • 41. Q&A