
Dynamic Reconstruction of Relocation Information for Stripped Binaries

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8688)

Abstract

Address Space Layout Randomization (ASLR) is a widely used technique for the prevention of code reuse attacks. The basic concept of ASLR is to randomize the base address of executable modules at load time. Changing the load address of modules is also often needed for resolving conflicts among shared libraries with the same preferred base address. In Windows, loading a module at an arbitrary address depends on compiler-generated relocation information, which specifies the absolute code or data addresses in the module that must be adjusted due to the module’s relocation at a non-preferred base address. Relocation information, however, is often stripped from production builds of legacy software, making it more susceptible to code-reuse attacks, as ASLR is not an option.

In this paper, we introduce a technique to enable ASLR for executables with stripped relocation information by incrementally adjusting stale absolute addresses at runtime. The technique relies on runtime monitoring of memory accesses and control flow transfers to the original location of a relocated module using page table manipulation techniques. Depending on the instruction and memory access type, the system identifies stale offsets, reconstructs their relocation information, and adjusts them so that subsequent accesses to the same locations proceed directly, without any intervention. To improve performance further, the reconstructed relocation information is preserved across subsequent runs of the same program. We have implemented a prototype of the proposed technique for Windows XP, which is transparently applicable to third-party stripped binaries, and have experimentally evaluated its performance and effectiveness. Our results demonstrate that incremental runtime relocation patching is practical, incurs modest runtime overhead for initial runs of protected programs, and has negligible overhead on subsequent runs.
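The incremental patching loop the abstract describes, as an added example that is not the paper's prototype: a Python simulation of a module whose relocation data was stripped, loaded at a non-preferred base. Dereferencing a pointer that still carries a link-time absolute address stands in for the paper's page-table trap on the module's original location; the handler rebases the pointer, patches it in place, and records the slot's RVA as a reconstructed relocation entry, which a later run at yet another base applies up front. The preferred base, image size, RVAs, words and instruction trace are all constructed sample values.

```python
# Added example (not the paper's code): a toy simulation of incremental
# runtime relocation patching for a module whose .reloc data was stripped.
# Every base address, RVA and word below is a constructed sample value.
from dataclasses import dataclass, field

PREFERRED_BASE = 0x00400000   # assumed preferred (link-time) base of the module
IMAGE_SIZE = 0x1000           # assumed size of the mapped image

# Constructed on-disk image: RVA -> 32-bit word. Slots 0x101 and 0x900 hold
# absolute addresses baked in at link time; 0x950 is a plain integer that
# merely looks like an address and must never be "fixed".
DISK_IMAGE = {
    0x101: PREFERRED_BASE + 0x800,   # operand of an absolute memory load
    0x200: 0xC3,                     # target code byte (ret)
    0x800: 42,                       # data word read by the load
    0x900: PREFERRED_BASE + 0x200,   # function pointer used by an indirect call
    0x950: PREFERRED_BASE + 0x10,    # data that is never dereferenced
}

# Constructed instruction trace: (access type, RVA of the slot whose pointer
# value is dereferenced). The last load hits an already-patched slot.
PROGRAM = [("load", 0x101), ("call", 0x900), ("load", 0x101)]


@dataclass
class Module:
    disk_words: dict
    load_base: int
    mem: dict = field(default_factory=dict)

    def __post_init__(self):
        # Map the image as-is at load_base: without relocation information the
        # loader cannot adjust anything, so stale absolute addresses survive.
        self.mem = {self.load_base + rva: v for rva, v in self.disk_words.items()}

    @property
    def delta(self):
        return self.load_base - PREFERRED_BASE

    def contains(self, va):
        return self.load_base <= va < self.load_base + IMAGE_SIZE


def is_stale(va):
    """True if va points into the module's ORIGINAL (preferred) range."""
    return PREFERRED_BASE <= va < PREFERRED_BASE + IMAGE_SIZE


def run(module, program, reloc_table):
    """Execute the trace. A dereference landing in the stale range stands in
    for the paper's trap on the original location. Returns (traps, values read)."""
    traps, loaded = 0, []
    for _op, slot_rva in program:
        slot_va = module.load_base + slot_rva
        target = module.mem[slot_va]
        if module.delta != 0 and is_stale(target):
            # The pointer in slot_va is a stale absolute address: rebase it,
            # patch the slot in place, and record the slot's RVA as a
            # reconstructed relocation entry so later runs skip this trap.
            traps += 1
            target = (target + module.delta) & 0xFFFFFFFF
            module.mem[slot_va] = target
            reloc_table.add(slot_rva)
        if not module.contains(target):
            raise RuntimeError(f"access outside module: {target:#x}")
        loaded.append(module.mem[target])   # the access now proceeds directly
    return traps, loaded


def apply_relocations(module, reloc_table):
    """Apply a (reconstructed) relocation table at load time, as a loader
    would with a genuine .reloc section."""
    for rva in reloc_table:
        va = module.load_base + rva
        module.mem[va] = (module.mem[va] + module.delta) & 0xFFFFFFFF


def demo(first_base=0x10000000, second_base=0x20000000):
    reloc_table = set()                       # persisted across runs
    first = Module(DISK_IMAGE, first_base)
    traps_first, values_first = run(first, PROGRAM, reloc_table)

    second = Module(DISK_IMAGE, second_base)  # a fresh run at another base
    apply_relocations(second, reloc_table)    # reuse what the first run learned
    traps_second, values_second = run(second, PROGRAM, reloc_table)
    return {
        "traps_first_run": traps_first,
        "traps_second_run": traps_second,
        "reloc_rvas": sorted(reloc_table),
        "values": (values_first, values_second),
        "untouched_data": second.mem[second_base + 0x950],
    }


if __name__ == "__main__":
    print(demo())
```

Two properties worth noting: the first run traps once per stale slot, not once per access, because the patched slot is correct from then on; and the never-dereferenced word at 0x950 keeps its value across both runs, since the simulation only rewrites a word that an access actually used as a pointer, which is the same reason the paper keys its decision on the instruction and memory access type rather than on values that merely look like addresses.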




Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Pappas, V., Polychronakis, M., Keromytis, A.D. (2014). Dynamic Reconstruction of Relocation Information for Stripped Binaries. In: Stavrou, A., Bos, H., Portokalidis, G. (eds) Research in Attacks, Intrusions and Defenses. RAID 2014. Lecture Notes in Computer Science, vol 8688. Springer, Cham. https://doi.org/10.1007/978-3-319-11379-1_4


  • DOI: https://doi.org/10.1007/978-3-319-11379-1_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11378-4

  • Online ISBN: 978-3-319-11379-1

  • eBook Packages: Computer Science, Computer Science (R0)
