Abstract
The wide adoption of non-executable page protections has given rise to attacks that employ return-oriented programming (ROP) to achieve arbitrary code execution without the injection of any code. Existing defenses against ROP exploits either require source code or symbolic debugging information, or impose a significant runtime overhead, which limits their applicability for the protection of third-party applications. Aiming for a practical mitigation against ROP attacks, we introduce in-place code randomization, a software diversification technique that can be applied directly on third-party software. Our method uses various narrow-scope code transformations that can be applied statically, without changing the location of basic blocks, allowing the safe randomization of stripped binaries even with partial disassembly coverage. We demonstrate how in-place code randomization can prevent the exploitation of vulnerable Windows 7 applications, including Adobe Reader, as well as the automated construction of reliable ROP payloads.
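As an added illustration of what a narrow-scope, layout-preserving transformation looks like, the following Python is example code written for this page, not the chapter's or the authors' implementation. It models equal-length instruction substitution on 32-bit x86: `mov r32, r32` has two 2-byte encodings (opcode 89 with ModRM reg = source, or opcode 8B with ModRM reg = destination, per the Intel instruction set reference), so either can be chosen without moving any other instruction. Because x86 can be decoded from any byte offset, a 0xC3 (ret) or 0xC2 (ret imm16) byte that lands inside an instruction is an unintended gadget ending; picking the encoding that avoids such bytes removes it. The register table, the sample mov sequence and the helper functions are all constructed here.

```python
# Added example (not from the chapter): equal-length instruction substitution as
# one kind of narrow-scope, in-place transformation. On 32-bit x86,
# "mov r32, r32" has two 2-byte encodings:
#   89 /r   MOV r/m32, r32   (ModRM.reg = source, ModRM.rm = destination)
#   8B /r   MOV r32, r/m32   (ModRM.reg = destination, ModRM.rm = source)
# Swapping one for the other changes no instruction length, so nothing moves.
# A 0xC3 (ret) or 0xC2 (ret imm16) byte inside an instruction is reachable by
# entering the byte stream mid-instruction, i.e. an unintended gadget ending.

REGS = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3,
        "esp": 4, "ebp": 5, "esi": 6, "edi": 7}
RET_OPCODES = {0xC3, 0xC2}  # ret, ret imm16


def modrm(reg: int, rm: int) -> int:
    """ModRM byte with mod=11 (register-direct) and 3-bit reg / rm fields."""
    return 0xC0 | (reg << 3) | rm


def encode_mov(dst: str, src: str, opcode: int) -> bytes:
    """Encode 'mov dst, src' using the requested opcode form (0x89 or 0x8B)."""
    if opcode == 0x89:
        return bytes([0x89, modrm(REGS[src], REGS[dst])])
    if opcode == 0x8B:
        return bytes([0x8B, modrm(REGS[dst], REGS[src])])
    raise ValueError("opcode must be 0x89 or 0x8B")


def unintended_ret_offsets(code: bytes, instr_starts: set) -> list:
    """Offsets of ret / ret imm16 opcode bytes that are not instruction
    starts, i.e. only reachable by decoding from inside an instruction."""
    return [i for i, b in enumerate(code)
            if b in RET_OPCODES and i not in instr_starts]


def randomize_movs(movs: list, original_form: int = 0x89) -> tuple:
    """Emit a list of (dst, src) register moves twice: once in the original
    encoding form, and once rewritten so that each mov uses whichever
    equal-length form contains no ret opcode byte. Both streams have the
    same layout, so the same instruction start set applies to both.
    Returns (original_code, rewritten_code, instruction_starts)."""
    original = bytearray()
    rewritten = bytearray()
    starts = set()
    alt_form = 0x8B if original_form == 0x89 else 0x89
    for dst, src in movs:
        starts.add(len(original))
        a = encode_mov(dst, src, original_form)
        b = encode_mov(dst, src, alt_form)
        original += a
        # keep the original form unless the alternative removes a ret byte
        swap = a[1] in RET_OPCODES and b[1] not in RET_OPCODES
        rewritten += b if swap else a
    return bytes(original), bytes(rewritten), starts


if __name__ == "__main__":
    # constructed sample: four straight-line register moves
    sample = [("ebx", "eax"), ("edx", "eax"), ("eax", "ebx"), ("esi", "edi")]
    before, after, starts = randomize_movs(sample)
    print("before:", before.hex(" "),
          "unintended rets at", unintended_ret_offsets(before, starts))
    print("after: ", after.hex(" "),
          "unintended rets at", unintended_ret_offsets(after, starts))
```

On the constructed sample the 89-form stream contains two unintended ret bytes (`89 C3` for `mov ebx, eax` and `89 C2` for `mov edx, eax`); the rewritten stream swaps those two instructions to `8B D8` and `8B D0`, leaves the other two untouched, and contains none, while every instruction stays at its original offset. The substitution does not touch the third mov (`mov eax, ebx`, `89 D8`) because its alternative encoding `8B C3` would introduce the very byte the transformation is trying to avoid.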
Notes
- 1.
- 2. stosb (Store Byte to String) copies the least significant byte from the eax register to the memory location pointed to by the edi register and increments edi’s value by one. The rep prefix repeats this instruction until ecx’s value reaches zero, decrementing ecx after each repetition.
Acknowledgements
We are grateful to the authors of Q for making it available to us, and especially to Edward Schwartz for his assistance. We also thank Úlfar Erlingsson and Periklis Akritidis for their valuable feedback. This work was supported by DARPA and the US Air Force through Contracts DARPA-FA8750-10-2-0253 and AFRL-FA8650-10-C-7024, respectively, and by the FP7-PEOPLE-2009-IOF project MALCODE, funded by the European Commission under Grant Agreement No. 254116. Any opinions, findings, conclusions, or recommendations expressed herein are those of the authors, and do not necessarily reflect those of the US Government, DARPA, or the Air Force.
Copyright information
© 2013 Springer Science+Business Media New York
About this paper
Cite this paper
Pappas, V., Polychronakis, M., Keromytis, A.D. (2013). Practical Software Diversification Using In-Place Code Randomization. In: Jajodia, S., Ghosh, A., Subrahmanian, V., Swarup, V., Wang, C., Wang, X. (eds) Moving Target Defense II. Advances in Information Security, vol 100. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-5416-8_9
DOI: https://doi.org/10.1007/978-1-4614-5416-8_9
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-5415-1
Online ISBN: 978-1-4614-5416-8