Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding

Gawlik, Robert; Kollenda, Benjamin; Koppe, Philipp; Garmany, Behrad; Holz, Thorsten

doi:10.14722/ndss.2016.23262

Cited by 49 publications

(49 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Breaking "security by memory obscurity". DrK can also be applied to launch an undetectable, crash-resistant memory mapping probing [19]. Some system protection mechanisms, such as CPI [35], ASLR-Guard [39], and Kenali [54], assume a secret memory location that the attacker cannot know to store sensitive information for integrity protection.…”

Section: Discussionmentioning

confidence: 99%

“…Module detection. As mentioned in §4.2.3, DrK detected a larger number of drivers (97) than the prior attack (5)(6)(7)(8)(9)(10)(11)(12)(13)(14)(15)(16)(17)(18)(19)(20)(21). This is because DrK has better accuracy than the prior attack and DrK is able to use not only size signatures but also executable mapping status.…”

Section: Comparison With the Prior Attackmentioning

confidence: 96%

“…One of the advantages of DrK is that it does not generate a crash when probing the kernel's address space. Recently, Gawlik et al [19] have shown a similar web attack for crash-resistant memory probing. They found that memory access violations by some JavaScript methods do not crash modern web browsers having fault-tolerant functionality, which allows for memory probing without a browser crash.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Breaking Kernel Address Space Layout Randomization with Intel TSX

Jang

Lee

Kim

2016

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

109

View full text Add to dashboard Cite

Kernel hardening has been an important topic since many applications and security mechanisms often consider the kernel as part of their Trusted Computing Base (TCB). Among various hardening techniques, Kernel Address Space Layout Randomization (KASLR) is the most effective and widely adopted defense mechanism that can practically mitigate various memory corruption vulnerabilities, such as buffer overflow and use-after-free. In principle, KASLR is secure as long as no memory leak vulnerability exists and high entropy is ensured. In this paper, we introduce a highly stable timing attack against KASLR, called DrK, that can precisely de-randomize the memory layout of the kernel without violating any such assumptions. DrK exploits a hardware feature called Intel Transactional Synchronization Extension (TSX) that is readily available in most modern commodity CPUs. One surprising behavior of TSX, which is essentially the root cause of this security loophole, is that it aborts a transaction without notifying the underlying kernel even when the transaction fails due to a critical error, such as a page fault or an access violation, which traditionally requires kernel intervention. DrK turned this property into a precise timing channel that can determine the mapping status (i.e., mapped versus unmapped) and execution status (i.e., executable versus non-executable) of the privileged kernel address space. In addition to its surprising accuracy and precision, DrK is universally applicable to all OSes, even in virtualized environments, and generates no visible footprint, making it difficult to detect in practice. We demonstrated that DrK can break the KASLR of all major OSes (i.e., Windows, Linux, and OS X) with near-perfect accuracy in under a second. Finally, we propose potential countermeasures that can effectively prevent or mitigate the DrK attack. We urge our community to be aware of the potential threat of having Intel TSX, which is present in most recent Intel CPUs-100% in workstation and 60% in high-end Intel CPUs since Skylake-and is even available on Amazon EC2 (X1).

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Comparison With the Prior Attackmentioning

confidence: 96%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Breaking Kernel Address Space Layout Randomization with Intel TSX

Jang

Lee

Kim

2016

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

109

View full text Add to dashboard Cite

show abstract

“…Although ASLR has a wider scope than these schemes (e.g., use-after-free bugs), it can only provide probabilistic safety at best, whereas Delta Pointers provide deterministic (spatial) memory safety guarantees on the upper bound. Because of its probabilistic nature, ASLR has proven to be easily circumventable by memory massaging [16,33] or side channels [5,15,17] whereas this is not possible for deterministic defenses such as Delta Pointers. Moreover, the impact of address space reduction is limited in certain application domains.…”

Section: Pointermentioning

confidence: 99%

Delta pointers

Kroes

Koning

Kouwe

et al. 2018

Proceedings of the Thirteenth EuroSys Conference

View full text Add to dashboard Cite

Despite decades of research, buffer overflows still rank among the most dangerous vulnerabilities in unsafe languages such as C and C++. Compared to other memory corruption vulnerabilities, buffer overflows are both common and typically easy to exploit. Yet, they have proven so challenging to detect in real-world programs that existing solutions either yield very poor performance, or introduce incompatibilities with the C/C++ language standard.We present Delta Pointers, a new solution for buffer overflow detection based on efficient pointer tagging. By carefully altering the pointer representation, without violating language specifications, Delta Pointers use existing hardware features to detect both contiguous and non-contiguous overflows on dereferences, without a single check incurring extra branch or memory access operations. By focusing on buffer overflows rather than other vulnerabilities (e.g., underflows), Delta Pointers offer a unique checkless design to provide high performance while still maintaining compatibility. We show that Delta Pointers are effective in detecting arbitrary buffer overflows and, at 35% overhead on SPEC, offer much better performance than competing solutions. CCS CONCEPTS· Security and privacy → Systems security; Software and application security;

show abstract

“…However, recent runtime attacks [22,26,37] undermine the security property of dual stacks. Both SafeStack and AG-Stack rely on information hiding and conceal the location of their safe stacks by means of Address Space Layout Randomisation (ASLR).…”

Section: Introductionmentioning

confidence: 99%

A Leak-Resilient Dual Stack Scheme for Backward-Edge Control-Flow Integrity

Zieris

Horsch

2018

Proceedings of the 2018 on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Manipulations of return addresses on the stack are the basis for a variety of attacks on programs written in memory unsafe languages. Dual stack schemes for protecting return addresses promise an efficient and effective defense against such attacks. By introducing a second, safe stack to separate return addresses from potentially unsafe stack objects, they prevent attacks that, for example, maliciously modify a return address by overflowing a buffer. However, the security of dual stacks is based on the concealment of the safe stack in memory. Unfortunately, all current dual stack schemes are vulnerable to information disclosure attacks that are able to reveal the safe stack location, and therefore effectively break their promised security properties. In this paper, we present a new, leakresilient dual stack scheme capable of withstanding sophisticated information disclosure attacks. We carefully study previous dual stack schemes and systematically develop a novel design for stack separation that eliminates flaws leading to the disclosure of safe stacks. We show the feasibility and practicality of our approach by presenting a full integration into the LLVM compiler framework with support for the x86-64 and ARM64 architectures. With an average of 2.7% on x86-64 and 0.0% on ARM64, the performance overhead of our implementation is negligible. CCS CONCEPTS• Security and privacy → Software and application security;

show abstract

Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding

Cited by 49 publications

References 21 publications

Breaking Kernel Address Space Layout Randomization with Intel TSX

Breaking Kernel Address Space Layout Randomization with Intel TSX

Delta pointers

A Leak-Resilient Dual Stack Scheme for Backward-Edge Control-Flow Integrity

Contact Info

Product

Resources

About