Leakage Is Prohibited: Memory Protection Extensions Protected Address Space Randomization

Fei Yan; Kai Wang

doi:10.26599/TST.2018.9010128

AI Chat Paper

Note: Please note that the following content is generated by AMiner AI. SciOpen does not take any responsibility related to this content.

Chat more with AI

| Sign up

Browse by Subject

Search for peer-reviewed journals with full access.

Journals A - Z

About Us

Discover the SciOpen Platform and Achieve Your Research Goals with Ease.

About Us

Publish with Us

Support

Journals A - Z

About Us

Publish with Us

Support

PDF (2.1 MB)

Cite

EndNote(RIS) BibTeX

Collect

Submit Manuscript

AI Chat Paper

Show Outline

Outline

Show full outline

Hide outline

Outline

Show full outline

Hide outline

Open Access

Leakage Is Prohibited: Memory Protection Extensions Protected Address Space Randomization

Fei Yan(

), Kai Wang

Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China???. Email: blankaiwang@whu.edu.cn.

Show Author Information

Abstract

Code reuse attacks pose a severe threat to modern applications. These attacks reuse existing code segments of vulnerable applications as attack payloads and hijack the control flow of a victim application. With high code entropy and a relatively low performance overhead, Address Space Layout Randomization (ASLR) has become the most widely explored defense against code reuse attacks. However, a single memory disclosure vulnerability is able to compromise this defense. In this paper, we present Memory Protection Extensions (MPX)-assisted Address Space Layout Randomization (M-ASLR), a novel code-space randomization scheme. M-ASLR uses several characteristics of Intel MPX to restrict code pointers in memory. We have developed a fully functioning prototype of M-ALSR, and our evaluation results show that M-ASLR: (1) offers no interference with normal operation; (2) protects against buffer overflow attacks, code reuse attacks, and other sophisticated modern attacks; and (3) adds a very low performance overhead (3.3%) to C/C++ applications.

Keywords

Address Space Layout Randomization (ASLR)Intel Memory Protection Extensions (MPX)code reuse attack

References

[1]

S. Andersen and V. Abella, Data execution prevention, changes to functionality in Microsoft Windows XP Service Pack 2, Part 3: Memory protection technologies, https://docs.microsoft.com/en-us/windows/desktop/memory/data-execution-prevention, 2004.

[2]

M. Tran, M. Etheridge, T. Bletsch, X. X. Jiang, V. Freeh, and P. Ning, On the expressiveness of return-into-libc attacks, in International Workshop on Recent Advances in Intrusion Detection, Berlin, Germany, 2011, pp. 121-141.

Crossref Google Scholar

[3]

E. Buchanan, R. Roemer, H. Shacham, and S. Savage, When good instructions go bad: Generalizing return-oriented programming to RISC, in Proceedings of 15th ACM Conference on Computer and Communications Security (CCS’08), Alexandria, VA, USA, 2008, pp. 27-38.

Crossref

[4]

H. Shacham, The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86), in Proceedings of 14th ACM Conference on Computer and Communications Security (CCS’07), Alexandria, VA, USA, 2007, pp. 552-561.

Crossref

[5]

J. C. Tang, M. Xu, S. J. Fu, and K. Huang, A scheduling optimization technique based on reuse in spark to defend against APT attack, Tsinghua Science and Technology, vol. 23, no. 9, pp. 550-560, 2018.

Crossref Google Scholar

[6]

PaX Team, PaX Address Space Layout Randomization (ASLR), https://pax.grsecurity.net/docs/aslr.txt, 2003.

[7]

L. Davi, A. R. Sadeghi, and M. Winandy, ROP defender: A detection tool to defend against return-oriented programming attacks, in Proceedings of 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS’11), Hong Kong, China, 2011, pp. 40-51.

Crossref

[8]

V. Pappas, M. Polychronakis, and A. D. Keromytis, Transparent ROP exploit mitigation using indirect branch tracing, in Proceedings of 22nd USENIX Security Symposium (USENIX’13), Washington, DC, USA, 2013, pp. 447-462.

[9]

A. Bittau, A. Belay, A. Mashtizadeh, D. Mazières, and D. Boneh, Hacking blind, in Proceedings of 2014 IEEE Symposium on Security and Privacy (S&P 14), San Jose, CA, USA, 2014, pp. 227-242.

Crossref

[10]

V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song, Code-pointer integrity, in Proceedings of 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI’14), Broomfield, CO, USA, 2014, pp. 147-163.

[11]

H. Shacham, M. Page, B. Pfaff, E. J. Goh, N. Modadugu, and D. Boneh, On the effectiveness of address-space randomization, in Proceedings of 11th ACM Conference on Computer and Communications Security (CCS’04), Washington, DC, USA, 2004, pp. 298-307.

Crossref

[12]

K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A. R. Sadeghi, Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization, in Proceedings of 2013 IEEE Symposium on Security and Privacy (S&P’13), San Francisco, CA, USA, 2013, pp. 574-588.

Crossref

[13]

K. J. Lu, C. Y. Song, B. Lee, S. P. Chung, T. Kim, and W. K. Lee, ASLR-Guard: Stopping address space leakage for code reuse attacks, in Proceedings of 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS’15), Denver, CO, USA, 2015, pp. 280-291.

Crossref

[14]

Intel, Intel® 64 and IA-32 architectures software developer’s manuals, https://software.intel.com/en-us/articles/intel-sdm, 2016.

[15]

S. Ramakesavan and J. Rodriguez, Intel® memory protection extensions enabling guide, https://software. intel.com/en-us/articles/intel-memory-protection-extensions-enabling-guide, 2016.

[16]

O. Oleksenko, D. Kuvaiskii, P. Bhatotia, P. Felber, and C. Fetzer, Intel MPX explained: An empirical study of intel MPX and software-based bounds checking approaches, arXiv preprint arXiv:1702.00719, 2017.

Google Scholar

[17]

Y. Chen, Z. Wang, D. Whalley, and L. Lu, Remix: On-demand live randomization, in Proceedings of 6th ACM Conference on Data and Application Security and Privacy (CODASPY’16), New Orleans, LA, USA, 2016, pp. 50-61.

Crossref

[18]

L. Davi, C. Liebchen, A. R. Sadeghi, K. Z. Snow, and F. Monrose, Isomeron: Code randomization resilient to (just-in-time) return-oriented programming, presented at 2015 Network and Distributed System Security Symposium (NDSS’15), San Diego, CA, USA, 2015.

[19]

J. Hiser, A. Nguyen-Tuong, M. Co, M. Hall, and J. W. Davidson, ILR: Where’d my gadgets go? in Proceedings of 2012 IEEE Symposium on Security and Privacy (S&P’12), San Francisco, CA, USA, 2012, pp. 571-585.

Crossref

[20]

C. Kil, J. Jun, C. Bookholt, J. Xu, and P. Ning, Address Space Layout Permutation (ASLP): Towards fine-grained randomization of commodity software, in Proceedings of 22nd Annual Computer Security Applications Conference (ACSAC’06), Miami, FL, USA, 2006, pp. 339-348.

Crossref

[21]

K. J. Lu, W. K. Lee, S. Nürnberger, and M. Backes, How to make ASLR win the clone wars: Runtime re-randomization, Presented at the 2016 Network and Distributed System Security Symposium (NDSS’16), San Diego, CA, USA, 2016.

[22]

M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg, Meltdown, arXiv preprint arXiv:1801.01207, 2018.

Google Scholar

[23]

P. Kocher, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom, Spectre attacks: Exploiting speculative execution, arXiv preprint arXiv:1801.01203, 2018.

Google Scholar

[24]

C. Zhang, T. Wei, Z. F. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou, Practical control flow integrity and randomization for binary executables, in Proceedings of 2013 IEEE Symposium on Security and Privacy (S&P’13), San Francisco, CA, USA, 2013, pp. 559-573.

[25]

M. W. Zhang and R. Sekar, Control flow integrity for COTS binaries, in Proceedings of 22nd USENIX Security Symposium (USENIX’13), Washington, DC, USA, 2013, pp. 337-352.

[26]

E. Göktas, E. Athanasopoulos, H. Bos, and G. Portokalidis, Out of control: Overcoming control-flow integrity, in Proceedings of 2014 IEEE Symposium on Security and Privacy (S&P’14), San Jose, CA, USA, 2014, pp. 575-589.

Crossref

[27]

M. Larabel and M. Tippett, Phoronix test suite, http://www.phoronix-test-suite.com, 2011.

[28]

V. Pappas, kBouncer: Efficient and transparent ROP mitigation, http://www.cs.columbia.edu/~vpappas/papers/kbouncer.pdf, 2012.

[29]

S. Liang, Y. Zhang, B. Li, X. J. Guo, C. F. Jia, and Z. L. Liu, SecureWeb: Protecting sensitive information through the web browser extension with a security token, Tsinghua Science and Technology, vol. 23, no. 5, pp. 526-538, 2018.

Crossref Google Scholar

[30]

Intel, Introduction to Intel® memory protection extensions, https://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions, 2013.

Tsinghua Science and Technology

Volume 24 Issue 5,
October 2019

Pages 546-556

DOI: 10.26599/TST.2018.9010128

Cite this article:

Yan F, Wang K. Leakage Is Prohibited: Memory Protection Extensions Protected Address Space Randomization. Tsinghua Science and Technology, 2019, 24(5): 546-556. https://doi.org/10.26599/TST.2018.9010128

530

Views

Downloads

Crossref

N/A

Web of Science

Scopus

CSCD

Google Scholar
Citation

Altmetrics

Received: 12 October 2018

Accepted: 10 November 2018

Published: 29 April 2019