
Safe Trans Loader: Mitigation and Prevention of Memory Corruption Attacks for Released Binaries

  • Takamichi Saito
  • Masahiro Yokoyama
  • Shota Sugawara
  • Kuniyasu Suzaki
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11049)

Abstract

A variety of countermeasures against memory corruption attacks have been proposed for implementation in compilers, linkers, operating systems, and libraries. However, according to our survey, a certain number of executable binaries in Linux distributions are not protected by these countermeasures, even when the countermeasures have been applied to them. Further, the countermeasures have problems of their own, including how they are applied, the range of attacks they cover, and their runtime overhead. For example, some require source code, or require the kernel or specific libraries to be updated, and not every deployment can meet these requirements. In this paper, we propose an application-level loader called Safe Trans Loader (STL) that mitigates or prevents memory corruption attacks. The STL can be applied to already released executable binaries during the operational phase: when it loads the protected binary, it replaces vulnerable library functions with safe substitute functions. These substitutes mitigate or prevent stack-based buffer overflow, heap-based buffer overflow, and use-after-free attacks. Since the STL has minimal dependencies on the execution environment, it requires no changes to the existing operating system or libraries. In our evaluation, the runtime overhead of the STL is only 1.24%.
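
The abstract describes two ingredients of load-time protection: substitutes that replace vulnerable library functions while the binary's own call sites stay untouched, and a loader that redirects those calls. The following is an added example written for this page; it is not the STL code and does not claim to reproduce the paper's substitutes. Everything in it is an assumption chosen for illustration: the shadow table of heap chunks filled by the `stl_malloc` substitute, the poison-and-quarantine `stl_free`, the bounds-checked `stl_strcpy`, the `struct libc_table` standing in for the binary's GOT, and the constructed `vulnerable_program`. The one property the example does take from the abstract is that substitutes must keep libc's exact signatures, because the protected binary is not recompiled; detections are therefore reported out of band (a counter here, where a real loader would log or abort).

```c
/* Added example, not code from the STL paper: a single-file sketch of what an
 * application-level loader must provide to swap libc functions for safe
 * substitutes in an unmodified binary.  Substitutes keep libc's signatures
 * (call sites are not recompiled), so detections go to a counter instead of a
 * return value.  A function-pointer table stands in for the GOT.  Bounds come
 * from a shadow table filled by the malloc substitute, so only heap
 * destinations are checked; untracked destinations get an unchecked copy. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE   64      /* capacity of the shadow table of live chunks */
#define QUARANTINE 4       /* freed chunks held back before the real free */
#define POISON     0xA5    /* byte written over freed data */

struct chunk { unsigned char *base; size_t size; };

static struct chunk live[MAX_LIVE];
static struct chunk held[QUARANTINE];   /* FIFO ring of quarantined chunks */
static size_t held_next;
static unsigned long violations;

unsigned long stl_violations(void) { return violations; }

/* Shadow-table lookup: the live chunk containing p, or NULL. */
static struct chunk *find_live(const void *p) {
    const unsigned char *q = p;
    for (size_t i = 0; i < MAX_LIVE; i++)
        if (live[i].base && q >= live[i].base && q < live[i].base + live[i].size)
            return &live[i];
    return NULL;
}

/* Substitute for malloc(3): records the real bounds of every chunk. */
void *stl_malloc(size_t n) {
    size_t sz = n ? n : 1;
    unsigned char *p = malloc(sz);
    if (!p) return NULL;
    for (size_t i = 0; i < MAX_LIVE; i++)
        if (!live[i].base) { live[i].base = p; live[i].size = sz; return p; }
    free(p);                 /* shadow table full: fail rather than lose track */
    return NULL;
}

/* Substitute for strcpy(3): refuses a copy that would run past the end of a
 * tracked heap chunk, leaving dst as an empty string instead. */
char *stl_strcpy(char *dst, const char *src) {
    size_t need = strlen(src) + 1;
    struct chunk *c = find_live(dst);
    if (c && need > (size_t)(c->base + c->size - (unsigned char *)dst)) {
        violations++;
        dst[0] = '\0';       /* at least one byte of room: dst is inside the chunk */
        return dst;
    }
    return (char *)memcpy(dst, src, need);   /* in bounds, or untracked destination */
}

/* Substitute for free(3): rejects foreign, interior and repeated frees,
 * poisons the data, and quarantines the chunk so a dangling pointer cannot
 * alias a freshly allocated object. */
void stl_free(void *p) {
    if (!p) return;
    struct chunk *c = find_live(p);
    if (!c || (void *)c->base != p) { violations++; return; }
    memset(c->base, POISON, c->size);
    if (held[held_next].base)            /* ring full: really free the oldest */
        free(held[held_next].base);
    held[held_next] = *c;
    held_next = (held_next + 1) % QUARANTINE;
    c->base = NULL;
    c->size = 0;
}

/* Stand-in for the binary's GOT: the protected program calls libc through it. */
struct libc_table { void *(*malloc_fn)(size_t);
                    char *(*strcpy_fn)(char *, const char *);
                    void  (*free_fn)(void *); };

/* The loader's job at load time: point the imports at the substitutes. */
void stl_apply(struct libc_table *t) {
    t->malloc_fn = stl_malloc; t->strcpy_fn = stl_strcpy; t->free_fn = stl_free;
}

/* A constructed "released binary" with a heap overflow, a use-after-free and a
 * double free.  Returns the byte a dangling pointer reads after free. */
int vulnerable_program(struct libc_table *t, const char *input) {
    char *buf = t->malloc_fn(8);
    if (!buf) return -1;
    t->strcpy_fn(buf, input);            /* overflows when strlen(input) >= 8 */
    t->free_fn(buf);
    int seen = (unsigned char)buf[0];    /* use after free: POISON under STL */
    t->free_fn(buf);                     /* double free: rejected under STL */
    return seen;
}

/* Runs the program as the loader would launch it: imports redirected first. */
int run_protected(const char *input) {
    struct libc_table t = { malloc, strcpy, free };  /* imports as shipped */
    stl_apply(&t);
    return vulnerable_program(&t, input);
}

int main(void) {
    int seen = run_protected("0123456789ABCDEF");
    printf("dangling pointer read 0x%02x; %lu violations detected\n",
           seen, stl_violations());
    return 0;
}
```

Build with `cc -std=c11 -Wall stl_example.c && ./a.out` (file name assumed). With the table left at plain libc the same program overflows eight bytes of heap metadata and double-frees; with the substitutes applied, the oversized copy is refused, the dangling read sees only poison, and both events are counted. The design point to carry over is the signature constraint: a substitute cannot widen `strcpy` to take a length, so any bound it enforces must come from state the substitutes maintain themselves, which is why the example tracks heap chunks but can say nothing about a stack destination.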

Keywords

Memory corruption, Stack-based buffer overflow, Heap-based buffer overflow, Use-after-free, Mitigation, Prevention, Loader

Notes

Acknowledgments

This work was supported by JSPS KAKENHI Grant Number 18K11305. We are deeply grateful to Y. Kaneko, T. Uehara, Y. Sumida, Y. Hori, T. Baba, H. Miyazaki, B. Wang, R. Watanabe, and S. Kondo for this work.


Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Takamichi Saito (1)
  • Masahiro Yokoyama (1)
  • Shota Sugawara (1)
  • Kuniyasu Suzaki (2)
  1. Meiji University, Kawasaki, Japan
  2. National Institute of Advanced Industrial Science and Technology, Tokyo, Japan
