Stack Layout Randomization with Minimal Rewriting of Android Binaries

  • Yu Liang
  • Xinjie Ma
  • Daoyuan Wu
  • Xiaoxiao Tang
  • Debin Gao
  • Guojun Peng
  • Chunfu Jia
  • Huanguo Zhang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9558)

Abstract

Stack-based attacks typically require that attackers have a good understanding of the stack layout of the victim program. In this paper, we leverage specific features of the ARM architecture and propose a practical technique that introduces randomness into the stack layout when an Android application executes. We employ minimal binary rewriting on the Android app that produces a randomized executable of the same size, which can be executed on an unmodified Android operating system. Our experiments applying this randomization to the 20 most popular free Android apps on Google Play show that the randomization coverage of functions increases from 65% (for a state-of-the-art randomization approach) to 97.6%, with, on average, 4 and 7 bits of randomness applied to each 16-bit and 32-bit function, respectively. We also show that it is effective in defending against stack-based memory vulnerabilities and real-world ROP attacks.

Keywords

  • Memory layout randomization
  • Android security


Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Yu Liang (1)
  • Xinjie Ma (2)
  • Daoyuan Wu (3)
  • Xiaoxiao Tang (3)
  • Debin Gao (3)
  • Guojun Peng (1)
  • Chunfu Jia (2)
  • Huanguo Zhang (1)
  1. Wuhan University, Wuhan, China
  2. Nankai University, Tianjin, China
  3. Singapore Management University, Singapore, Singapore