Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Evans, Isaac; Fingeret, Sam; González, J.A. Carrazana; Otgonbaatar, Ulziibayar; Tang, Tiffany M.; Shrobe, Howard; Sidiroglou-Douskos, Stelios; Rinard, Martin; Okhravi, Hamed

doi:10.1109/sp.2015.53

Cited by 117 publications

(89 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Kuznetsov et al [39] implement CPI by placing all code pointers in a secure region which (in 64-bit mode) is hidden by randomizing its offset in the virtual address space. However, Evans et al [23] successfully bypass this CPI implementation using side-channel attacks enabled by the large size of the secure region.…”

Section: Introductionmentioning

confidence: 99%

Readactor: Practical Code Randomization Resilient to Memory Disclosure

Crane

Liebchen

Homescu

et al. 2015

2015 IEEE Symposium on Security and Privacy

161

183

View full text Add to dashboard Cite

Code-reuse attacks such as return-oriented programming (ROP) pose a severe threat to modern software. Designing practical and effective defenses against code-reuse attacks is highly challenging. One line of defense builds upon fine-grained code diversification to prevent the adversary from constructing a reliable code-reuse attack. However, all solutions proposed so far are either vulnerable to memory disclosure or are impractical for deployment on commodity systems.In this paper, we address the deficiencies of existing solutions and present the first practical, fine-grained code randomization defense, called Readactor, resilient to both static and dynamic ROP attacks. We distinguish between direct memory disclosure, where the attacker reads code pages, and indirect memory disclosure, where attackers use code pointers on data pages to infer the code layout without reading code pages. Unlike previous work, Readactor resists both types of memory disclosure. Moreover, our technique protects both statically and dynamically generated code. We use a new compiler-based code generation paradigm that uses hardware features provided by modern CPUs to enable execute-only memory and hide code pointers from leakage to the adversary. Finally, our extensive evaluation shows that our approach is practical-we protect the entire Google Chromium browser and its V8 JIT compiler-and efficient with an average SPEC CPU2006 performance overhead of only 6.4%. IEEE Symposium on Security and Privacy

show abstract

Section: Introductionmentioning

confidence: 99%

Readactor: Practical Code Randomization Resilient to Memory Disclosure

Crane

Liebchen

Homescu

et al. 2015

2015 IEEE Symposium on Security and Privacy

161

183

View full text Add to dashboard Cite

show abstract

“…Thus, we used a randomization-based approach to protect the stack. However, all randomization-based approaches must face two major threats: lack of entropy and information disclosure [26]. We address the entropy problem by mapping kernel stack to a unused VA above the logical map (top 256GB).…”

Section: Kernel Stack Randomizationmentioning

confidence: 99%

Enforcing Kernel Security Invariants with Data Flow Integrity

Song¹,

Lee²,

Lu³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-The operation system kernel is the foundation of the whole system and is often the de facto trusted computing base for many higher level security mechanisms. Unfortunately, kernel vulnerabilities are not rare and are continuously being introduced with new kernel features. Once the kernel is compromised, attackers can bypass any access control checks, escalate their privileges, and hide the evidence of attacks. Many protection mechanisms have been proposed and deployed to prevent kernel exploits. However, a majority of these techniques only focus on preventing control-flow hijacking attacks; techniques that can mitigate noncontrol-data attacks either only apply to drivers/modules or impose too much overhead. The goal of our research is to develop a principled defense mechanism against memory-corruption-based privilege escalation attacks. Toward this end, we leverage dataflow integrity to enforce security invariants of the kernel access control system. In order for our protection mechanism to be practical, we develop two new techniques: one for automatically inferring data that are critical to the access control system without manual annotation, and the other for efficient DFI enforcement over the inference results. We have implemented a prototype of our technology for the ARM64 Linux kernel on an Android device. The evaluation results of our prototype implementation show that our technology can mitigate a majority of privilege escalation attacks, while imposing a moderate amount of performance overhead.

show abstract

“…Researchers have shown that brute-force attacks can bypass diversity, especially in services that automatically restart without rerandomization after crashing [6,15,33,34]. We use software booby traps to counter this threat [10].…”

Section: Countering Guessing Attacksmentioning

confidence: 99%

“…However, on x86-64 where segmentation is not fully available, CPI protects the safe region though information hiding or software-fault isolation. Evans et al [15] recently demonstrated a weakness in one of the x86-64 CPI implementations that can be leveraged to locate and compromise the safe region.…”

Section: Control-flow Integritymentioning

confidence: 99%

It's a TRaP

Crane

Volckaert

Schuster

et al. 2015

Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Code-reuse attacks continue to evolve and remain a severe threat to modern software. Recent research has proposed a variety of defenses with differing security, efficiency, and practicality characteristics. Whereas the majority of these solutions focus on specific code-reuse attack variants such as return-oriented programming (ROP), other attack variants that reuse whole functions, such as the classic return-into-libc, have received much less attention. Mitigating function-level code reuse is highly challenging because one needs to distinguish a legitimate call to a function from an illegitimate one. In fact, the recent counterfeit object-oriented programming (COOP) attack demonstrated that the majority of code-reuse defenses can be bypassed by reusing dynamically bound functions, i.e., functions that are accessed through global offset tables and virtual function tables, respectively.In this paper, we first significantly improve and simplify the COOP attack. Based on a strong adversarial model, we then present the design and implementation of a comprehensive code-reuse defense which is resilient against reuse of dynamically-bound functions. In particular, we introduce two novel defense techniques: (i) a practical technique to randomize the layout of tables containing code pointers resilient to memory disclosure and (ii) booby trap insertion to mitigate the threat of brute-force attacks iterating over the randomized tables. Booby traps serve the dual purpose of preventing fault-analysis side channels and ensuring that each table has sufficiently many possible permutations. Our detailed evaluation demonstrates that our approach is secure, effective, and practical. We prevent realistic, COOP-style attacks against the Chromium web browser and report an average overhead of 1.1% on the SPEC CPU2006 benchmarks.

show abstract

Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Cited by 117 publications

References 39 publications

Readactor: Practical Code Randomization Resilient to Memory Disclosure

Readactor: Practical Code Randomization Resilient to Memory Disclosure

Enforcing Kernel Security Invariants with Data Flow Integrity

It's a TRaP

Contact Info

Product

Resources

About