MTD Techniques for Memory Protection Against Zero-Day Attacks

  • Ping Chen
  • Zhisheng Hu
  • Jun Xu
  • Minghui Zhu
  • Rob Erbacher
  • Sushil Jajodia
  • Peng Liu
Chapter
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11830)

Abstract

During the past 25 years, the arms race between attacks that exploit memory corruption and memory protection techniques has drawn tremendous attention. This book chapter gives an in-depth review of the newest research progress on applying the moving target defense (MTD) methodology to protect against memory corruption exploits. This progress also represents the current phase of the arms race from the MTD perspective. In particular, on one hand, at the frontier of defending against control-hijacking attacks, we review the shift of defense strategy from static ASLR to dynamic ASLR. On the other hand, at the frontier of defending against data-oriented attacks, we review the shift of defense strategy from static DSLR to dynamic DSLR.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. The Pennsylvania State University, State College, USA
  2. Stevens Institute of Technology, Hoboken, USA
  3. U.S. Army Research Office, Durham, USA
  4. George Mason University, Fairfax, USA