Fine-Grained Address Space Layout Randomization on Program Load

Abstract

Software vulnerabilities are a serious security threat, and it is important to develop protection mechanisms that prevent their exploitation, especially given the rapid increase in ROP attacks. State-of-the-art protection mechanisms have drawbacks that attackers can use. In this paper, we propose fine-grained address space layout randomization on program load that is able to protect against such attacks. During the static linking stage, the executable and library files are supplemented with information about function boundaries and relocations. The system dynamic linker/loader uses this information to permute the functions. The proposed method was implemented for 64-bit programs on the CentOS 7 operating system. The implemented method has shown good resistance to ROP attacks, evaluated by two metrics: the number of surviving gadgets and the exploitability estimation of ROP chain examples. The implementation presented in this article is applicable across the entire operating system and has no compatibility problems affecting program performance. The viability of the proposed approach was demonstrated on real programs. Further research can cover randomization at fork time and finer granularity than the function level. It also makes sense to randomize the placement of short functions while taking into account the relationships between them: placing functions that often call each other close together can improve the performance of individual programs.
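The load-time permutation the abstract describes, as an added Python model that is not the paper's implementation (which lives in the CentOS 7 dynamic loader): functions with recorded boundaries and relocations are shuffled, each relocation is patched to the target's new address, and the paper's two metrics are evaluated against constructed gadget addresses. All function names, sizes, relocations and the base address are constructed for the example.

```python
import random
from typing import Dict, List, Tuple

# Constructed model of the scheme: a function is (name, size in bytes) and a
# relocation is (site_fn, offset, target_fn), meaning the pointer-sized field
# at site_fn+offset must hold the start address of target_fn after loading.
FUNCS: List[Tuple[str, int]] = [("main", 64), ("parse", 128), ("copy", 32),
                                 ("log", 48), ("exit_", 16)]
RELOCS: List[Tuple[str, int, str]] = [("main", 10, "parse"), ("main", 30, "log"),
                                       ("parse", 20, "copy"), ("parse", 90, "exit_")]
BASE = 0x400000  # constructed load address

def layout(order: List[Tuple[str, int]], base: int = BASE) -> Dict[str, int]:
    """Assign start addresses in the given order, packed back to back."""
    addrs, cur = {}, base
    for name, size in order:
        addrs[name] = cur
        cur += size
    return addrs

def load_randomized(funcs=FUNCS, relocs=RELOCS, rng=None):
    """Loader step: shuffle the function order using the recorded boundaries,
    then apply the recorded relocations so every call site still reaches its
    target. Returns (new start addresses, {field address: value written})."""
    rng = rng if rng is not None else random.SystemRandom()
    order = list(funcs)
    rng.shuffle(order)
    new = layout(order)
    patched = {new[site] + off: new[target] for site, off, target in relocs}
    return new, patched

def locate(addr: int, addrs: Dict[str, int], funcs=FUNCS):
    """Map an absolute address to (function, offset) under a layout, or None."""
    sizes = dict(funcs)
    for name, start in addrs.items():
        if start <= addr < start + sizes[name]:
            return name, addr - start
    return None

def survived(gadgets: List[int], old: Dict[str, int], new: Dict[str, int]) -> List[int]:
    """First metric: gadgets whose old address still hits the same function
    byte after permutation, so a hard-coded address still works."""
    return [g for g in gadgets
            if locate(g, old) is not None and locate(g, old) == locate(g, new)]

def chain_usable(chain: List[int], old: Dict[str, int], new: Dict[str, int]) -> bool:
    """Second metric, simplified: a prebuilt ROP chain is usable only if every
    gadget address in it survived."""
    return len(survived(chain, old, new)) == len(chain)
```

Running `load_randomized()` several times against the same `layout(FUNCS)` and counting `survived` over a constructed gadget list reproduces the paper's first metric for this toy image.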

ACKNOWLEDGMENTS

This work was supported by the Russian Foundation for Basic Research, project no. 17-01-00600 А.

Correspondence to A. R. Nurmukhametov or E. A. Zhabotinskiy or Sh. F. Kurmangaleev or S. S. Gaissaryan or A. V. Vishnyakov.

Additional information

Translated by A.Klimontovich

Cite this article

Nurmukhametov, A.R., Zhabotinskiy, E.A., Kurmangaleev, S.F. et al. Fine-Grained Address Space Layout Randomization on Program Load. Program Comput Soft 44, 363–370 (2018). https://doi.org/10.1134/S0361768818050080

Keywords:

  • address space layout randomization
  • diversification
  • ASLR
  • ROP