Software vulnerabilities are a serious security threat. It is important to develop protection mechanisms preventing their exploitation, especially with a rapid increase of ROP attacks. State of the art protection mechanisms have some drawbacks that can be used by attackers. In this paper, we propose fine-grained address space layout randomization on program load that is able to protect from such kind of attacks. During the static linking stage, the executable and library files are supplemented with information about function boundaries and relocations. A system dynamic linker/loader uses this information to perform permutation of functions. The proposed method was implemented for 64-bit programs on CentOS 7 operating system. The implemented method has shown good resistance to ROP attacks evaluated by two metrics: the number of survived gadgets and the exploitability estimation of ROP chain examples. The implementation presented in this article is applicable across the entire operating system and has no compatibility problems affecting the program performance. The working capacity of proposed approach was demonstrated on real programs. The further research can cover forking randomization and finer granularity than on the function level. It also makes sense to implement the randomization of short functions placement taking into account the relationships between them. The close arrangement of functions that often call each other can improve the performance of individual programs.
This is a preview of subscription content, access via your institution.
Buy single article
Instant access to the full article PDF.
Tax calculation will be finalised during checkout.
CVE Details website: Vulnerabilities by date. http:// www.cvedetails.com/browse-by-date.php
Roemer, R., Bbuchanan, E., Shacham, H., and Savage, S., “Return-oriented programming: Systems, languages, and applications,” ACM Trans. Inf. Syst. Secur. 2012, vol. 15, no. 1, pp. 2–34. https://doi.acm.org/ 10.1145/2133375.2133377
Sadeghi, A., Niksefat, S., and Rostamipour, M., “Pure-Call oriented programming (PCOP): Chaining the gadgets using call instructions,” J. Comput. Virology Hacking Techniques, 2017, no. 434, pp. 1–18. https:// doi.org/ doi 10.1007/s11416-017-0299-1
Bletsch, T., Jiang, X., Freeh, V., Liang, W., and Liang, Zh., “Jump-oriented programming: A new class of code-reuse attack,” Proc. of the 6th ACM Symposium on Information, Computer and Communications Security,” 2011, pp. 30–40. https://doi.acm.org/10.1145/1966913. 1966919
Hu, H., Shinde, Sh., Adrian, S., Chua, Z.L., Saxena, P., and Liang, Zh., “Data-Oriented programming: On the expressiveness of non-control data attacks,” IEEE Symposium on Security and Privacy (SP), 2016,pp. 969–986. https://doi.org/ doi 10.1109/SP.2016.6210.1109/ SP.2016.62
Shacham, H., “The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86),” in Proc. of the 14th ACM Conf. on Computer and communications security, 2007, pp. 552–561. https:// doi.org/doi10.1145/1315245.131531310.1145/1315245. 1315313
Bittau, A., Belay, A., Mashtizadeh, A., et al., “Hacking blind,” in Proc. of the 2014 IEEE Symposium on Security and Privacy, 2014, pp. 227–242. https://dx.doi.org/ doi 10.1109/SP.2014.2210.1109/SP.2014.22
Abadi, M., Budiu, M., Erlingsson, U., and Ligatti, J., “Control-flow integrity principles, implementations, and applications,” ACM Trans. Inf. Syst. Secur., 2009, vol. 13, no. 1, pp. 4–40. https://doi.acm.org/10.1145/ 1609956.1609960
Mashtizadeh, A.J., Bittau, A., Boneh, D., and Mazieres, D., “Ccfi: Cryptographically enforced control flow integrity,” in Proc. of the Sixth ACM SIGSAC Conference on Computer and Communications Security, 2015, pp. 941–951. https://doi.acm.org/10.1145/ 2810103. 2813676
Christoulakis, N., Christou, G., Athanasopoulos, E., Ioannidis, S., “Hcfi: Hardware-enforced control-flow integrity,” in Proc. of the Sixth ACM Conference on Data and Application Security and Privacy, 2016, pp. 38–49. https://doi.acm.org/10.1145/2857705.2857722
Carlini, N., Barresi, A., Payer, M., et al., “Control-flow bending: On the effectiveness of control-flow integrity,” in Proc. of the 24th USENIX Conference on Security Symposium, 2015, pp. 161–176. http://dl.acm. org/citation.cfm?id(31143.2831154
Lu, K., Nürnberger, S., Backes, M., and Lee, W., “How to make ASLR win the clone wars: Runtime re-randomization,” 23nd Annual Network and Distributed System Security Symposium, 2016.
Nurmukhametov, A., Kurmangaleev, Sh., Kaushan, V., and Gaissaryan, S., “Application of compiler transformations against software vulnerabilities exploitation,” Program. Comput. Software, 2015, vol. 41, no. 4, pp. 231–236. https://doi.org/ doi 10.1134/ S0361768815040052
Gupta, S., Kerr, M., Kirkpatrick, E., and Bertino, E., “Marlin: A fine grained randomization approach to defend against ROP attacks,” in Proc. of the 7th Int. Conf. on Network and System Security, 2013.
Conti, M., Crane, S., Frassetto, T., et al., “Selfrando: Securing the Tor browser against de-anonymization exploits,” PoPETs, 2016, no. 4, pp. 454–469. http://dx. doi.org/. doi 10.1515/popets-2016-0050
Davi, L., Dmitrienko, A., Nürnberger, S., and Sadeghi, A., “Gadge me if you can: Secure and efficient ad-hoc instruction-level randomization for x86 and AR,” in Proc. of the 8th ACM Symposium on Information, Computer and Communications Security, 2013.
Backes, M. and Nurberger, S., “Oxymoron: Making fine-grained memory randomization practical by allowing code sharing,” in Proc. of the 23rd USENIX Security Symposium, 2014, pp. 433–447.
Crane, S., and Homescu, A., and Larsen, P., “Code randomization: Haven’t we solved this problem yet?” Cybersecurity Development (SecDev), IEEE, 2016.
Bigelow, D., Hobson, T., Rudd, R., et al. “Timely rerandomization for mitigating memory disclosures,” in Proc. of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, pp. 268–279. http://doi.acm.org/10.1145/2810103.2813691.
Williams-King, D., Gobieski, G., Williams-King, K., et al. “Shuffler: Fast and deployable continuous code re-randomization,” in Proc. of the 12th USENIX Conference on Operating Systems Design and Implementation, 2016, pp. 367–382. http://dl.acm.org/citation. cfm?id026877.3026906.
Payer, M., “Too much PIE is bad for performance,” Technical report. http://dx.doi.org/ doi 10.3929/ethz-a-007316742
Coffman, J., Wellons, C., and Christopher, C., “ROP gadget prevalence and survival under compiler-based binary diversification schemes,” in Proc. of the 2016 ACM Workshop on Software Protection, 2016, pp. 15–26.
Vishnyakov, A.V., “Classification of ROP gadgets,” Trudy ISP RAN, 2016, vol. 28, no. 6, pp. 27–36. http:// doi.acm.org/10.1145/2995306.2995309
This work was supported by the Russian Foundation for Basic Research, project no. 17-01-00600 А.
Translated by A.Klimontovich
About this article
Cite this article
Nurmukhametov, A.R., Zhabotinskiy, E.A., Kurmangaleev, S.F. et al. Fine-Grained Address Space Layout Randomization on Program Load. Program Comput Soft 44, 363–370 (2018). https://doi.org/10.1134/S0361768818050080
- address space layout randomization