Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Compiler protection techniques against software vulnerabilities exploitation

https://doi.org/10.15514/ISPRAS-2014-26(3)-6

Abstract

Software vulnerabilities are critical for security. All C/C++ programs contain a significant number of vulnerabilities, and some of them can be exploited by an attacker to gain control of the execution flow. In this article we propose several compiler-based protection techniques against vulnerability exploitation: function reordering, insertion of additional dummy variables into the stack frame, and permutation of local variables on the stack. These transformations were implemented in GCC; the implementation successfully diversifies a whole operating system, including the Linux kernel. We suggest generating a diversified population of application binaries with these transformations. Diversified applications can easily be distributed via application stores, so that every client downloads a unique copy of the application. The proposed method complicates ROP attacks and increases their cost: after downloading a binary copy, an attacker can create a ROP exploit for that copy, but it will not work against another copy of the application. The diversifying transformations reduce application performance by about 15% and increase code size by about 5%.
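The following toy model illustrates the three transformations named in the abstract and why a per-copy layout breaks address reuse across copies. It is an added example, not the paper's GCC implementation; the sample program, code sizes, local variables and seeds are all constructed.

```python
"""Toy model of per-copy diversification: function reordering, dummy stack
variables and local-variable permutation, each driven by a per-copy seed.
Added example, not the paper's GCC code; all program data is constructed."""
import random
import zlib
from typing import Dict, List, Tuple

TEXT_BASE = 0x401000
# Constructed sample program: (function, code size) and the locals of one function.
FUNCTIONS: List[Tuple[str, int]] = [("main", 0x120), ("parse", 0x2a0),
                                     ("copy_buf", 0x80), ("log_msg", 0x140)]
LOCALS: Dict[str, List[Tuple[str, int]]] = {
    "copy_buf": [("len", 4), ("buf", 64), ("saved", 8)]}


def function_layout(seed: int) -> Dict[str, int]:
    """Function reordering: emit functions in a seeded order, return start addresses."""
    order = FUNCTIONS[:]
    random.Random(seed).shuffle(order)
    layout, addr = {}, TEXT_BASE
    for name, size in order:
        layout[name] = addr
        addr += size
    return layout


def frame_layout(func: str, seed: int, max_dummies: int = 3) -> Dict[str, int]:
    """Dummy-variable insertion plus local permutation; offsets from the frame base."""
    rng = random.Random(seed ^ zlib.crc32(func.encode()))  # stable per (copy, function)
    slots = list(LOCALS[func])
    for i in range(rng.randint(1, max_dummies)):
        slots.append((f"__dummy{i}", rng.choice((4, 8, 16))))
    rng.shuffle(slots)
    layout, off = {}, 0
    for name, size in slots:
        layout[name] = off
        off += size
    return layout


def resolve(addr: int, layout: Dict[str, int]) -> str:
    """Name the function of a given copy that contains an address ('?' if none)."""
    for name, size in FUNCTIONS:
        if layout[name] <= addr < layout[name] + size:
            return name
    return "?"


def address_transfers(func: str, seed_a: int, seed_b: int) -> bool:
    """Does the start address of `func` taken from copy A still hit `func` in copy B?"""
    return resolve(function_layout(seed_a)[func], function_layout(seed_b)) == func
```

Running `address_transfers("copy_buf", 1, 2)` alongside the two `frame_layout` results shows that both code addresses and the offset of `buf` are specific to one copy, which is the property the abstract relies on.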

About the Authors

A. R. Nurmukhametov, ISP RAS, Russian Federation

Sh. F. Kurmangaleev, ISP RAS, Russian Federation

V. V. Kaushan, ISP RAS, Russian Federation

S. S. Gaissaryan, ISP RAS, Russian Federation


For citation:

Nurmukhametov A.R., Kurmangaleev Sh.F., Kaushan V.V., Gaissaryan S.S. Compiler protection techniques against software vulnerabilities exploitation. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2014;26(3):113-126. (In Russ.) https://doi.org/10.15514/ISPRAS-2014-26(3)-6



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)