
Defeating Zombie Gadgets by Re-randomizing Code upon Disclosure

Conference paper in: Engineering Secure Software and Systems (ESSoS 2017)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10379)

Abstract

Over the past few years, return-oriented programming (ROP) attacks have emerged as a prominent strategy for hijacking control of software. The full power and flexibility of ROP attacks were recently demonstrated using just-in-time ROP tactics (JIT-ROP), whereby an adversary repeatedly leverages a memory disclosure vulnerability to identify useful instruction sequences and compile them into a functional ROP payload at runtime. Since the advent of just-in-time code reuse attacks, numerous proposals have surfaced for mitigating them, the most practical of which involve the re-randomization of code at runtime or the destruction of gadgets upon their disclosure. Even so, several avenues exist for performing code inference, which allows JIT-ROP attacks to infer values at specific code locations without directly reading the memory contents of those bytes. This is done by reloading code of interest or implicitly determining the state of randomized code. These so-called “zombie gadgets” completely undermine defenses that rely on destroying code bytes once they are read. To mitigate these attacks, we present a low-overhead, binary-compatible defense which ensures an attacker is unable to execute gadgets that were identified through code reloading or code inference. We have implemented a prototype of the proposed defense for closed-source Windows binaries, and demonstrate that our approach effectively prevents zombie gadget attacks with negligible runtime overhead.
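The three-step story the abstract tells (a destructive read wipes the bytes it discloses; reloading the library brings the same bytes back, so the wiped gadget returns as a zombie; re-randomizing the disclosed range at the moment of disclosure leaves whatever the attacker learned stale) as a small Python model. This is an added illustration, not the paper's implementation or code: the library name, gadget labels, page size and the rotate-by-one re-randomization are constructed stand-ins, the assumption that a reloaded image starts with the same randomized layout as the first load is the model's own, and code-inference attacks are not modelled.

```python
"""Toy model of destructive code reads, the code-reloading zombie gadget
problem, and re-randomization upon disclosure. Added illustration; every
name and value here is constructed, none is taken from the paper."""
import random
import zlib

PAGE = 4        # code slots per "page"; the granularity at which the toy re-randomizes
TRAP = "TRAP"   # result of executing a slot that a destructive read has wiped


def initial_layout(name, n):
    """Fine-grained randomization at load time: address -> gadget index.
    Model assumption: every load of the same library starts from the same
    permutation, which is what lets a reloaded image resurrect read gadgets."""
    rng = random.Random(zlib.crc32(name.encode()))
    layout = list(range(n))
    rng.shuffle(layout)
    return layout


class Image:
    """One mapped copy of a library's code."""

    def __init__(self, gadgets, layout):
        self.gadgets = gadgets
        self.layout = list(layout)
        self.destroyed = set()

    def execute(self, addr):
        return TRAP if addr in self.destroyed else self.gadgets[self.layout[addr]]


class Process:
    def __init__(self, gadgets, rerandomize_on_disclosure):
        self.gadgets = list(gadgets)
        self.defended = rerandomize_on_disclosure
        self.layouts = {}   # library name -> layout that new images of it receive
        self.images = []    # (library name, Image)

    def load(self, name):
        layout = self.layouts.setdefault(name, initial_layout(name, len(self.gadgets)))
        img = Image(self.gadgets, layout)
        self.images.append((name, img))
        return img

    def disclose(self, name, img, addr):
        """A memory-disclosure read of one slot under destructive-read
        enforcement: the attacker learns the content, and the slot is wiped."""
        learned = img.gadgets[img.layout[addr]]
        img.destroyed.add(addr)
        if self.defended:
            self._rerandomize_page(name, addr)
        return learned

    def _rerandomize_page(self, name, addr):
        """Re-randomization upon disclosure: the page holding the read slot
        gets a new layout in every current and future image of the library.
        Toy substitute for the paper's code swapping: rotate the page's
        mapping by one slot, so the read address never keeps the gadget
        it just revealed (labels are distinct, so the rotation always changes it)."""
        lo = addr - addr % PAGE
        hi = lo + PAGE
        base = self.layouts[name]
        base[lo:hi] = base[lo + 1:hi] + base[lo:lo + 1]
        for lib, im in self.images:
            if lib == name:
                im.layout[lo:hi] = base[lo:hi]


def read_then_execute_same_image(defended):
    """Plain JIT-ROP step: read a slot, then execute it in the same image.
    Returns True if the gadget that was read is what executes."""
    proc = Process([f"g{i}" for i in range(8)], defended)   # constructed gadget labels
    img = proc.load("libtoy")
    learned = proc.disclose("libtoy", img, 5)
    return img.execute(5) == learned


def reload_then_execute(defended):
    """Code-reloading variant: read a slot (wiping it), load a fresh image of
    the library, execute the same address there. Returns True if the gadget
    learned from the read executes, i.e. a zombie gadget survived."""
    proc = Process([f"g{i}" for i in range(8)], defended)
    first = proc.load("libtoy")
    learned = proc.disclose("libtoy", first, 5)
    second = proc.load("libtoy")
    return second.execute(5) == learned


if __name__ == "__main__":
    print("destructive read alone, same image:", read_then_execute_same_image(False))
    print("destructive read alone, reloaded image:", reload_then_execute(False))
    print("re-randomize on disclosure, reloaded image:", reload_then_execute(True))
```

Destructive reads alone stop the first function in both modes (the wiped slot executes as `TRAP`), but `reload_then_execute(False)` returns True: the fresh image carries the same layout, so the disclosed gadget is back. With re-randomization on disclosure the page is re-laid out before the reload happens, and the same call returns False.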


Notes

  1. That said, as hardware support [22] is added for more fine-grained control of the memory protections applied to individual pages, we expect the hypervisor component of execute-only-memory based defenses to become obsolete.

  2. Our thin hypervisor and kernel module are built upon the code provided by [32] as part of their work on destructive reads.

  3. Failure of our system to swap a given range of code indicates that this range was not randomized through ORP, and thus is not vulnerable to inference attacks. Note that destructive read enforcement still protects these memory areas.

  4. In our evaluation with the benchmark programs there was not a single instance where there was an EPT fault in a range of code that was marked by ORP as randomizable code.

References

  1. ROPEME - ROP exploit made easy (2016). https://github.com/packz/ropeme

  2. Control-flow enforcement technology preview (2016). https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf

  3. Athanasakis, M., Athanasopoulos, E., Polychronakis, M., Portokalidis, G., Ioannidis, S.: The devil is in the constants: bypassing defenses in browser JIT engines. In: Symposium on Network and Distributed System Security (2015)

  4. Backes, M., Nürnberger, S.: Oxymoron: making fine-grained memory randomization practical by allowing code sharing. In: USENIX Security Symposium, pp. 433–447 (2014)

  5. Backes, M., Holz, T., Kollenda, B., Koppe, P., Nürnberger, S., Pewny, J.: You can run but you can’t read: preventing disclosure exploits in executable code. In: ACM Conference on Computer and Communications Security, pp. 1342–1353 (2014)

  6. Bigelow, D., Hobson, T., Rudd, R., Streilein, W., Okhravi, H.: Timely rerandomization for mitigating memory disclosures. In: ACM Conference on Computer and Communications Security, pp. 268–279. ACM (2015)

  7. Braden, K., Crane, S., Davi, L., Franz, M., Larsen, P., Liebchen, C., Sadeghi, A.-R.: Leakage-resilient layout randomization for mobile devices. In: Symposium on Network and Distributed System Security (2016)

  8. Brookes, S., Denz, R., Osterloh, M., Taylor, S.: Exoshim: preventing memory disclosure using execute-only kernel code. In: International Conference on Cyber Warfare and Security (2016, to appear)

  9. Chen, P., Xu, J., Wang, J., Liu, P.: Instantly obsoleting the address-code associations: a new principle for defending advanced code reuse attack. arXiv preprint arXiv:1507.02786 (2015)

  10. Chen, Y., Wang, Z., Whalley, D., Lu, L.: Remix: on-demand live randomization. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 50–61. ACM (2016)

  11. Crane, S., Homescu, A., Brunthaler, S., Larsen, P., Franz, M.: Thwarting cache side-channel attacks through dynamic software diversity. In: Symposium on Network and Distributed System Security (2015)

  12. Crane, S., Liebchen, C., Homescu, A., Davi, L., Larsen, P., Sadeghi, A.-R., Brunthaler, S., Franz, M.: Readactor: practical code randomization resilient to memory disclosure. In: IEEE Symposium on Security and Privacy, pp. 763–780 (2015)

  13. Crane, S.J., Volckaert, S., Schuster, F., Liebchen, C., Larsen, P., Davi, L., Sadeghi, A.-R., Holz, T., De Sutter, B., Franz, M.: It’s a trap: table randomization and protection against function-reuse attacks. In: ACM Conference on Computer and Communications Security, pp. 243–255 (2015)

  14. Dang, T.H., Maniatis, P., Wagner, D.: The performance cost of shadow stacks and stack canaries. In: ACM Asia Conference on Computer and Communications Security, pp. 555–566 (2015)

  15. Davi, L., Liebchen, C., Sadeghi, A.-R., Snow, K.Z., Monrose, F.: Isomeron: code randomization resilient to (just-in-time) return-oriented programming. In: Symposium on Network and Distributed System Security (2015)

  16. Evans, D., Nguyen-Tuong, A., Knight, J.: Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats. Springer, New York (2011)

  17. Fu, Y., Rhee, J., Lin, Z., Li, Z., Zhang, H., Jiang, G.: Detecting stack layout corruptions with robust stack unwinding. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 71–94. Springer, Cham (2016). doi:10.1007/978-3-319-45719-2_4

  18. Gawlik, R., Kollenda, B., Koppe, P., Garmany, B., Holz, T.: Enabling client-side crash-resistance to overcome diversification and information hiding. In: Symposium on Network and Distributed System Security (2016)

  19. Gionta, J., Enck, W., Ning, P.: HideM: protecting the contents of userspace memory in the face of disclosure vulnerabilities. In: ACM Conference on Data and Application Security and Privacy, pp. 325–336 (2015)

  20. Giuffrida, C., Kuijsten, A., Tanenbaum, A.S.: Enhanced operating system security through efficient and fine-grained address space randomization. In: USENIX Security Symposium, pp. 475–490 (2012). https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/giuffrida

  21. Goues, C.L., Nguyen-Tuong, A., Chen, H., Davidson, J.W., Forrest, S., Hiser, J.D., Knight, J.C., Van Gundy, M.: Moving target defenses in the helix self-regenerative architecture. In: Jajodia, S., Ghosh, A., Subrahmanian, V., Swarup, V., Wang, C., Wang, X. (eds.) Moving Target Defense II. Advances in Information Security, vol. 100. Springer, New York (2013). doi:10.1007/978-1-4614-5416-8_7. ISBN 978-1-4614-5416-8

  22. Hansen, D.: [RFC] x86: Memory protection keys (2015). https://lwn.net/Articles/643617/

  23. Koo, H., Polychronakis, M.: Juggling the gadgets: binary-level code randomization using instruction displacement. In: ACM Asia Conference on Computer and Communications Security, May 2016

  24. Lu, K., Nürnberger, S., Backes, M., Lee, W.: How to make ASLR win the clone wars: runtime re-randomization. In: Symposium on Network and Distributed System Security (2016)

  25. Maisuradze, G., Backes, M., Rossow, C.: What cannot be read, cannot be leveraged? Revisiting assumptions of JIT-ROP defenses. In: USENIX Security Symposium (2016)

  26. Pappas, V., Polychronakis, M., Keromytis, A.D.: Smashing the gadgets: hindering return-oriented programming using in-place code randomization. In: IEEE Symposium on Security and Privacy, pp. 601–615 (2012)

  27. Snow, K., Rogowski, R., Werner, J., Koo, H., Monrose, F., Polychronakis, M.: Return to the zombie gadgets: undermining destructive code reads via code inference attacks. In: IEEE Symposium on Security and Privacy (2016)

  28. Snow, K.Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., Sadeghi, A.-R.: Just-in-time code reuse: on the effectiveness of fine-grained address space layout randomization. In: IEEE Symposium on Security and Privacy, pp. 574–588 (2013)

  29. Szekeres, L., Payer, M., Wei, T., Song, D.: SoK: eternal war in memory. In: IEEE Symposium on Security and Privacy, pp. 48–62 (2013)

  30. Tang, A., Sethumadhavan, S., Stolfo, S.: Heisenbyte: thwarting memory disclosure attacks using destructive code reads. In: ACM Conference on Computer and Communications Security, pp. 256–267 (2015)

  31. Wartell, R., Mohan, V., Hamlen, K.W., Lin, Z.: Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In: ACM Conference on Computer and Communications Security, pp. 157–168 (2012)

  32. Werner, J., Baltas, G., Dallara, R., Otterness, N., Snow, K.Z., Monrose, F., Polychronakis, M.: No-execute-after-read: preventing code disclosure in commodity software. In: ACM Asia Conference on Computer and Communications Security (2016)

  33. Williams-King, D., Gobieski, G., Williams-King, K., Blake, J.P., Yuan, X., Colp, P., Zheng, M., Kemerlis, V.P., Yang, J., Aiello, W.: Shuffler: fast and deployable continuous code re-randomization. In: USENIX Symposium on Operating Systems Design and Implementation, pp. 367–382 (2016)


Acknowledgments

We are grateful to the anonymous reviewers and our shepherd, Stefan Brunthaler, for their insightful comments. This work was supported in part by the Office of Naval Research (ONR) under award no. N00014-15-1-2378, and the National Science Foundation (NSF) awards no. 1421703 and 1617902. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the view of the US government, ONR or NSF.

Author information

Corresponding author: Micah Morton.

Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Morton, M., Koo, H., Li, F., Snow, K.Z., Polychronakis, M., Monrose, F. (2017). Defeating Zombie Gadgets by Re-randomizing Code upon Disclosure. In: Bodden, E., Payer, M., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2017. Lecture Notes in Computer Science, vol 10379. Springer, Cham. https://doi.org/10.1007/978-3-319-62105-0_10

  • DOI: https://doi.org/10.1007/978-3-319-62105-0_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-62104-3

  • Online ISBN: 978-3-319-62105-0
