Open Access

Leakage Is Prohibited: Memory Protection Extensions Protected Address Space Randomization

Fei Yan, Kai Wang
Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China. Email: blankaiwang@whu.edu.cn.

Abstract

Code reuse attacks pose a severe threat to modern applications. These attacks reuse existing code segments of vulnerable applications as attack payloads and hijack the control flow of a victim application. With high code entropy and a relatively low performance overhead, Address Space Layout Randomization (ASLR) has become the most widely explored defense against code reuse attacks. However, a single memory disclosure vulnerability is able to compromise this defense. In this paper, we present Memory Protection Extensions (MPX)-assisted Address Space Layout Randomization (M-ASLR), a novel code-space randomization scheme. M-ASLR uses several characteristics of Intel MPX to restrict code pointers in memory. We have developed a fully functioning prototype of M-ASLR, and our evaluation results show that M-ASLR: (1) offers no interference with normal operation; (2) protects against buffer overflow attacks, code reuse attacks, and other sophisticated modern attacks; and (3) adds a very low performance overhead (3.3%) to C/C++ applications.

Tsinghua Science and Technology
Pages 546-556
Cite this article:
Yan F, Wang K. Leakage Is Prohibited: Memory Protection Extensions Protected Address Space Randomization. Tsinghua Science and Technology, 2019, 24(5): 546-556. https://doi.org/10.26599/TST.2018.9010128

Received: 12 October 2018
Accepted: 10 November 2018
Published: 29 April 2019
© The author(s) 2019