Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Fine-grained address space layout randomization on program load

https://doi.org/10.15514/ISPRAS-2017-29(6)-9

Abstract

Program vulnerabilities are a serious security threat, and it is important to develop defenses that prevent their exploitation, especially given the rapid increase in ROP attacks. State-of-the-art defenses have drawbacks that attackers can take advantage of. In this paper we propose fine-grained address space layout randomization on program load, which is able to protect against attacks of this kind. During the static linking stage, executable and library files are supplemented with information about function boundaries and relocations. The system dynamic linker/loader uses this information to permute functions. The proposed method was implemented for 64-bit programs on the CentOS 7 operating system. The implemented method has shown good resistance to ROP attacks according to two metrics: the number of surviving gadgets and the exploitability estimation of ROP chain examples. The implementation presented in this article is applicable across the entire operating system and has shown a 1.5 % time overhead. The practicality of the proposed approach was demonstrated on real programs. Further research can cover randomization on fork and granularity finer than the function level. It also makes sense to randomize the placement of short functions while taking into account the relationships between them: placing functions that often call each other close together can improve the performance of individual programs.
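As an added illustration (not code from the paper or its implementation), the following Python simulation models the mechanism the abstract describes: link-time metadata (function sizes and call-site relocations) lets the loader permute functions and patch the relocations so calls still resolve, while the "surviving gadgets" metric counts addresses that still map to the same function bytes after permutation. All function names, sizes, addresses and gadget locations are constructed for the example.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Function:
    """Hypothetical link-time metadata for one function: its size and relocations."""
    size: int
    relocs: dict = field(default_factory=dict)  # offset inside the function -> callee name


# Constructed sample module: four functions in their original link order.
FUNCS = {
    "main":   Function(0x40, {0x10: "helper"}),
    "helper": Function(0x30, {0x08: "leaf"}),
    "leaf":   Function(0x20),
    "pad":    Function(0x10),
}


def layout(order, funcs, base=0x400000):
    """Place functions back to back in the given order; return name -> load address."""
    addrs, cur = {}, base
    for name in order:
        addrs[name] = cur
        cur += funcs[name].size
    return addrs


def apply_relocations(funcs, addrs):
    """What the loader patches: absolute address of each call site -> callee address."""
    return {addrs[name] + off: addrs[callee]
            for name, f in funcs.items() for off, callee in f.relocs.items()}


def permute_on_load(funcs, seed):
    """Simulate load-time permutation: shuffle, re-lay out, fix up relocations."""
    order = list(funcs)
    random.Random(seed).shuffle(order)
    addrs = layout(order, funcs)
    return order, addrs, apply_relocations(funcs, addrs)


def locate(addr, funcs, addrs):
    """Map an address to (function, offset) under a layout, or None if outside the code."""
    for name, start in addrs.items():
        if start <= addr < start + funcs[name].size:
            return name, addr - start
    return None


def surviving_gadgets(gadget_addrs, funcs, before, after):
    """Count gadget addresses that still hit the same function and offset after
    permutation, i.e. gadgets a pre-computed ROP chain could still rely on."""
    return sum(1 for g in gadget_addrs
               if locate(g, funcs, before) is not None
               and locate(g, funcs, before) == locate(g, funcs, after))
```

Calling `permute_on_load(FUNCS, seed)` with different seeds yields different layouts whose relocations all still resolve, while `surviving_gadgets` drops toward zero as soon as the order changes.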

About the Authors

A. R. Nurmukhametov
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation


E. A. Zhabotinskiy
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation


Sh. F. Kurmangaleev
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation


S. S. Gaissaryan
Ivannikov Institute for System Programming of the Russian Academy of Sciences; Lomonosov Moscow State University; Moscow Institute of Physics and Technology (State University); National Research University Higher School of Economics (HSE)
Russian Federation


A. V. Vishnyakov
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation



For citations:


Nurmukhametov A.R., Zhabotinskiy E.A., Kurmangaleev Sh.F., Gaissaryan S.S., Vishnyakov A.V. Fine-grained address space layout randomization on program load. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2017;29(6):163-182. (In Russ.) https://doi.org/10.15514/ISPRAS-2017-29(6)-9



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)