
Practical Software Diversification Using In-Place Code Randomization

  • Conference paper
Moving Target Defense II

Part of the book series: Advances in Information Security (ADIS, volume 100)

Abstract

The wide adoption of non-executable page protections has given rise to attacks that employ return-oriented programming (ROP) to achieve arbitrary code execution without the injection of any code. Existing defenses against ROP exploits either require source code or symbolic debugging information, or impose a significant runtime overhead, which limits their applicability for the protection of third-party applications. Aiming for a practical mitigation against ROP attacks, we introduce in-place code randomization, a software diversification technique that can be applied directly on third-party software. Our method uses various narrow-scope code transformations that can be applied statically, without changing the location of basic blocks, allowing the safe randomization of stripped binaries even with partial disassembly coverage. We demonstrate how in-place code randomization can prevent the exploitation of vulnerable Windows 7 applications, including Adobe Reader, as well as the automated construction of reliable ROP payloads.
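As an added illustration (not code from the chapter or its authors), the following Python sketch shows one narrow-scope, in-place transformation of the kind the abstract describes: replacing an x86 register-to-register instruction by its alternative, equally long encoding. The opcode pairs follow the Intel SDM (reference 10); the toy decoder, the `flip`/`randomize_block`/`same_semantics`/`ret_bytes` helpers and the sample block are constructed for this example and are assumptions, not the chapter's tool. The point it makes is the defensive one: every instruction keeps its meaning and its length, nothing after the block moves, yet the byte stream changes, so byte-level patterns inside instructions (such as a stray `0xC3`) are no longer where a misaligned decode would expect them.

```python
"""Toy in-place instruction substitution for 32-bit x86 (constructed
example, not the chapter's tool).  Several two-operand instructions with two
register operands have two equivalent encodings of identical length: an
'r/m32, r32' form and an 'r32, r/m32' form whose opcodes differ only in the
direction bit (bit 1), with the ModRM reg and rm fields swapped.  Replacing
one form by the other changes the instruction's bytes but not its meaning,
its length, or the address of anything after it."""
import random

# Opcode of the "r/m32, r32" form -> mnemonic; the "r32, r/m32" form is the
# same opcode with bit 1 set (Intel SDM vol. 2: ADD 01/03, OR 09/0B,
# ADC 11/13, SBB 19/1B, AND 21/23, SUB 29/2B, XOR 31/33, CMP 39/3B, MOV 89/8B).
RM_FORM = {0x01: "add", 0x09: "or", 0x11: "adc", 0x19: "sbb",
           0x21: "and", 0x29: "sub", 0x31: "xor", 0x39: "cmp", 0x89: "mov"}
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(insn):
    """Decode one 2-byte reg,reg instruction into (mnemonic, dst, src).
    Only the register-register forms listed in RM_FORM are handled."""
    if len(insn) != 2:
        raise ValueError("toy decoder handles 2-byte reg,reg forms only")
    opcode, modrm = insn[0], insn[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 3:
        raise ValueError("memory operand: not a reg,reg form")
    base = opcode & 0xFD                     # clear the direction bit
    if base not in RM_FORM:
        raise ValueError("unsupported opcode 0x%02x" % opcode)
    if opcode & 0x02:                        # op r32, r/m32: dst=reg, src=rm
        return RM_FORM[base], REGS[reg], REGS[rm]
    return RM_FORM[base], REGS[rm], REGS[reg]  # op r/m32, r32: dst=rm, src=reg


def flip(insn):
    """Return the alternative, equally long encoding of a reg,reg instruction."""
    decode(insn)                             # reject anything we cannot handle
    opcode, modrm = insn[0], insn[1]
    reg, rm = (modrm >> 3) & 7, modrm & 7
    return bytes([opcode ^ 0x02, 0xC0 | (rm << 3) | reg])  # swap reg and rm


def randomize_block(code, seed):
    """Randomly pick an encoding for each instruction of a block made of
    2-byte reg,reg instructions.  Length and semantics are preserved."""
    rng = random.Random(seed)
    out = bytearray()
    for i in range(0, len(code), 2):
        insn = code[i:i + 2]
        out += flip(insn) if rng.random() < 0.5 else insn
    return bytes(out)


def same_semantics(a, b):
    """True if two blocks decode to the same instruction sequence."""
    if len(a) != len(b):
        return False
    return all(decode(a[i:i + 2]) == decode(b[i:i + 2])
               for i in range(0, len(a), 2))


def ret_bytes(code):
    """Offsets of 0xC3 (ret) bytes.  None of the opcodes above is 0xC3, so
    in a block of these instructions every 0xC3 lies inside a ModRM byte:
    an unintended instruction that a misaligned decode could start from."""
    return [i for i, b in enumerate(code) if b == 0xC3]


# Constructed sample block:  mov eax, ebx (8B C3) ; xor ecx, ecx (31 C9) ;
# add edx, esi (01 F2).  The first encoding happens to contain a 0xC3 byte.
SAMPLE_BLOCK = bytes([0x8B, 0xC3, 0x31, 0xC9, 0x01, 0xF2])

if __name__ == "__main__":
    for seed in range(3):
        variant = randomize_block(SAMPLE_BLOCK, seed)
        print("seed %d: %s  same meaning: %s  ret bytes at: %s" % (
            seed, variant.hex(), same_semantics(SAMPLE_BLOCK, variant),
            ret_bytes(variant)))
```

Because the substituted encoding has exactly the same length, the transformation can be applied to whichever instructions the disassembler has identified with confidence and skipped elsewhere, which is what lets it tolerate partial disassembly coverage of a stripped binary; a real tool would also have to handle instructions with prefixes, immediates and memory operands, which this toy deliberately rejects.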


Notes

  1.

    The code of all examples throughout this chapter comes from icucnv36.dll, included in Adobe Reader v9.3.4. This DLL was used for the ROP code of a DEP-bypass exploit for CVE-2010-2883 [1] (see Table 9.2).

  2.

    stosb (Store Byte to String) copies the least significant byte of the eax register to the memory location pointed to by the edi register and increments edi’s value by one. The rep prefix repeats this instruction until ecx’s value reaches zero, decrementing ecx after each repetition.

References

  1. Adobe CoolType SING Table “uniqueName” Stack Buffer Overflow. http://www.exploit-db.com/exploits/16619/.

  2. Immunity Debugger. http://www.immunityinc.com/products-immdbg.shtml.

  3. Integard Pro 2.2.0.9026 (Win7 ROP-Code Metasploit Module). http://www.exploit-db.com/exploits/15016/.

  4. MPlayer (r33064 Lite) Buffer Overflow + ROP exploit. http://www.exploit-db.com/exploits/17124/.

  5. /ORDER (put functions in order). http://msdn.microsoft.com/en-us/library/00kh39zz.aspx.

  6. Profile-guided optimizations. http://msdn.microsoft.com/en-us/library/e7k32f4k.aspx.

  7. Syzygy - profile guided, post-link executable reordering. http://code.google.com/p/sawbuck/wiki/SyzygyDesign.

  8. White Phosphorus Exploit Pack. http://www.whitephosphorus.org/.

  9. Wine. http://www.winehq.org.

  10. Intel 64 and IA-32 Architectures Software Developer’s Manual. Volume 2 (2A & 2B): Instruction Set Reference, A-Z. 2011. http://www.intel.com/Assets/PDF/manual/325383.pdf.

  11. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity. In Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS), 2005.

  12. A. V. Aho, M. S. Lam, R. Sethi, and J. D. Ullman. Compilers: Principles, Techniques, and Tools (2nd Edition). Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2006.

  13. E. G. Barrantes, D. H. Ackley, T. S. Palmer, D. Stefanovic, and D. D. Zovi. Randomized instruction set emulation to disrupt binary code injection attacks. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), 2003.

  14. K. Baumgartner. The ROP pack. In Proceedings of the 20th Virus Bulletin International Conference (VB), 2010.

  15. E. Bhatkar, D. C. Duvarney, and R. Sekar. Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In Proceedings of the 12th USENIX Security Symposium, 2003.

  16. S. Bhatkar, R. Sekar, and D. C. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In Proceedings of the 14th USENIX Security Symposium, August 2005.

  17. T. Bletsch, X. Jiang, V. Freeh, and Z. Liang. Jump-oriented programming: A new class of code-reuse attack. In Proceedings of the 6th Symposium on Information, Computer and Communications Security (ASIACCS), 2011.

  18. F. Bouchez. A Study of Spilling and Coalescing in Register Allocation as Two Separate Phases. PhD thesis, École normale supérieure de Lyon, April 2009.

  19. E. Buchanan, R. Roemer, H. Shacham, and S. Savage. When good instructions go bad: generalizing return-oriented programming to RISC. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS), 2008.

  20. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS), 2010.

  21. S. Checkoway, A. J. Feldman, B. Kantor, J. A. Halderman, E. W. Felten, and H. Shacham. Can DREs provide long-lasting security? The case of return-oriented programming and the AVC Advantage. In Proceedings of the 2009 Conference on Electronic Voting Technology/Workshop on Trustworthy Elections (EVT/WOTE), 2009.

  22. P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie. DROP: Detecting return-oriented programming malicious code. In Proceedings of the 5th International Conference on Information Systems Security (ICISS), 2009.

  23. F. B. Cohen. Operating system protection through program evolution. Computers and Security, 12:565–584, Oct. 1993.

  24. Corelan Team. Corelan ROPdb. https://www.corelan.be/index.php/security/corelan-ropdb/.

  25. Corelan Team. Mona. http://redmine.corelan.be/projects/mona.

  26. L. Davi, A.-R. Sadeghi, and M. Winandy. Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks. In Proceedings of the 2009 ACM Workshop on Scalable Trusted Computing (STC), 2009.

  27. L. Davi, A.-R. Sadeghi, and M. Winandy. ROPdefender: A practical protection tool to protect against return-oriented programming. In Proceedings of the 6th Symposium on Information, Computer and Communications Security (ASIACCS), 2011.

  28. S. Designer. Getting around non-executable stack (and fix). http://seclists.org/bugtraq/1997/Aug/63.

  29. T. Dullien, T. Kornau, and R.-P. Weinmann. A framework for automated architecture-independent gadget search. In Proceedings of the 4th USENIX Workshop on Offensive Technologies (WOOT), 2010.

  30. R. El-Khalil and A. D. Keromytis. Hydan: Hiding information in program binaries. In Proceedings of the International Conference on Information and Communications Security (ICICS), 2004.

  31. Ú. Erlingsson. Low-level software security: Attacks and defenses. Technical Report MSR-TR-07-153, Microsoft Research, 2007. http://research.microsoft.com/pubs/64363/tr-2007-153.pdf.

  32. A. Fog. Calling conventions for different C++ compilers and operating systems. http://agner.org/optimize/calling_conventions.pdf.

  33. S. Forrest, A. Somayaji, and D. Ackley. Building diverse computer systems. In Proceedings of the 6th Workshop on Hot Topics in Operating Systems (HotOS-VI), 1997.

  34. G. Fresi Roglia, L. Martignoni, R. Paleari, and D. Bruschi. Surgically returning to randomized lib(c). In Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC), 2009.

  35. I. Guilfanov. Jump tables. http://www.hexblog.com/?p=68.

  36. I. Guilfanov. Decompilers and beyond. Black Hat USA, 2008.

  37. L. C. Harris and B. P. Miller. Practical analysis of stripped binary code. SIGARCH Comput. Archit. News, 33:63–68, December 2005.

  38. Hex-Rays. IDA Pro Disassembler. http://www.hex-rays.com/idapro/.

  39. X. Hu, T.-c. Chiueh, and K. G. Shin. Large-scale malware indexing using function-call graphs. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), 2009.

  40. R. Hund, T. Holz, and F. C. Freiling. Return-oriented rootkits: bypassing kernel code integrity protection mechanisms. In Proceedings of the 18th USENIX Security Symposium, 2009.

  41. R. Johnson. A castle made of sand: Adobe Reader X sandbox. CanSecWest, 2011.

  42. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction-set randomization. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), 2003.

  43. C. Kil, J. Jun, C. Bookholt, J. Xu, and P. Ning. Address space layout permutation (ASLP): Towards fine-grained randomization of commodity software. In Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC), 2006.

  44. S. Krahmer. x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique. http://www.suse.de/~krahmer/no-nx.pdf.

  45. C. Kruegel, W. Robertson, F. Valeur, and G. Vigna. Static disassembly of obfuscated binaries. In Proceedings of the 13th USENIX Security Symposium, 2004.

  46. H. Li. Understanding and exploiting Flash ActionScript vulnerabilities. CanSecWest, 2011.

  47. J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram. Defeating return-oriented rootkits with “return-less” kernels. In Proceedings of the 5th European Conference on Computer Systems (EuroSys), 2010.

  48. Microsoft. Enhanced Mitigation Experience Toolkit v2.1. http://www.microsoft.com/download/en/details.aspx?id=1677.

  49. M. Miller, T. Burrell, and M. Howard. Mitigating software vulnerabilities, July 2011. http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=26788.

  50. S. S. Muchnick. Advanced Compiler Design and Implementation. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, 1997.

  51. S. Nanda, W. Li, L.-C. Lam, and T.-c. Chiueh. BIRD: Binary interpretation using runtime disassembly. In Proceedings of the International Symposium on Code Generation and Optimization (CGO), 2006.

  52. Nergal. The advanced return-into-lib(c) exploits: PaX case study. Phrack, 11(58), Dec. 2001.

  53. T. Newsham. Non-exec stack, 2000. http://seclists.org/bugtraq/2000/May/90.

  54. K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda. G-Free: defeating return-oriented programming through gadget-less binaries. In Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), 2010.

  55. V. Pappas, M. Polychronakis, and A. D. Keromytis. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In Proceedings of the 33rd IEEE Symposium on Security & Privacy (S&P), May 2012.

  56. M. Parkour. An overview of exploit packs (update 9), April 5, 2011. http://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html.

  57. M. Pietrek. An in-depth look into the Win32 portable executable file format, part 2. http://msdn.microsoft.com/en-us/magazine/cc301808.aspx.

  58. P. Saxena, R. Sekar, and V. Puranik. Efficient fine-grained binary instrumentation with applications to taint-tracking. In Proceedings of the 6th Annual IEEE/ACM International Symposium on Code Generation and Optimization (CGO), 2008.

  59. E. J. Schwartz, T. Avgerinos, and D. Brumley. Q: Exploit hardening made easy. In Proceedings of the 20th USENIX Security Symposium, 2011.

  60. F. J. Serna. CVE-2012-0769: the case of the perfect info leak, Apr. 2012. http://zhodiac.hispahack.com/my-stuff/security/Flash_ASLR_bypass.pdf.

  61. H. Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), 2007.

  62. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS), 2004.

  63. Skape. Locreate: An anagram for relocate. Uninformed, 6, 2007.

  64. Skape and Skywing. Bypassing Windows hardware-enforced DEP. Uninformed, 2, Sept. 2005.

  65. M. Smithson, K. Anand, A. Kotha, K. Elwazeer, N. Giles, and R. Barua. Binary rewriting without relocation information. Technical report, University of Maryland, 2010. http://www.ece.umd.edu/~barua/without-relocation-technical-report10.pdf.

  66. P. Solé. Defeating DEP, the Immunity Debugger way. http://www.immunitysec.com/downloads/DEPLIB.pdf.

  67. P. Solé. Hanging on a ROPe. http://www.immunitysec.com/downloads/DEPLIB20_ekoparty.pdf.

  68. P. Ször. The Art of Computer Virus Research and Defense. Addison-Wesley Professional, February 2005.

  69. Y. L. Varol and D. Rotem. An algorithm to generate all topological sorting arrangements. Comput. J., 24(1):83–84, 1981.

  70. P. Vreugdenhil. Pwn2Own 2010 Windows 7 Internet Explorer 8 exploit. http://vreugdenhilresearch.nl/Pwn2Ownl2010-Windows7-InternetExplorer8.pdf.

  71. D. A. D. Zovi. Mac OS X return-oriented exploitation. RECON, 2010.

  72. D. A. D. Zovi. Practical return-oriented programming. SOURCE Boston, 2010.


Acknowledgements

We are grateful to the authors of Q for making it available to us, and especially to Edward Schwartz for his assistance. We also thank Úlfar Erlingsson and Periklis Akritidis for their valuable feedback. This work was supported by DARPA and the US Air Force through Contracts DARPA-FA8750-10-2-0253 and AFRL-FA8650-10-C-7024, respectively, and by the FP7-PEOPLE-2009-IOF project MALCODE, funded by the European Commission under Grant Agreement No. 254116. Any opinions, findings, conclusions, or recommendations expressed herein are those of the authors, and do not necessarily reflect those of the US Government, DARPA, or the Air Force.

Author information


Corresponding author

Correspondence to Vasilis Pappas.


Copyright information

© 2013 Springer Science+Business Media New York

About this paper

Cite this paper

Pappas, V., Polychronakis, M., Keromytis, A.D. (2013). Practical Software Diversification Using In-Place Code Randomization. In: Jajodia, S., Ghosh, A., Subrahmanian, V., Swarup, V., Wang, C., Wang, X. (eds) Moving Target Defense II. Advances in Information Security, vol 100. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-5416-8_9


  • DOI: https://doi.org/10.1007/978-1-4614-5416-8_9


  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-5415-1

  • Online ISBN: 978-1-4614-5416-8
