Results 1 - 10
of
40
SoK: Automated Software Diversity
"... Abstract—The idea of automatic software diversity is at least two decades old. The deficiencies of currently deployed defenses and the transition to online software distribution (the “App store ” model) for traditional and mobile computers has revived the interest in automatic software diversity. Co ..."
Abstract
-
Cited by 21 (3 self)
- Add to MetaCart
(Show Context)
Abstract—The idea of automatic software diversity is at least two decades old. The deficiencies of currently deployed defenses and the transition to online software distribution (the “App store ” model) for traditional and mobile computers has revived the interest in automatic software diversity. Consequently, the literature on diversity grew by more than two dozen papers since 2008. Diversity offers several unique properties. Unlike other de-fenses, it introduces uncertainty in the target. Precise knowledge of the target software provides the underpinning for a wide range of attacks. This makes diversity a broad rather than narrowly focused defense mechanism. Second, diversity offers probabilistic protection similar to cryptography—attacks may succeed by chance so implementations must offer high entropy. Finally, the design space of diversifying program transformations is large. As a result, researchers have proposed multiple approaches to software diversity that vary with respect to threat models, security, performance, and practicality. In this paper, we systematically study the state-of-the-art in software diversity and highlight fundamental trade-offs between fully automated approaches. We also point to open areas and unresolved challenges. These include “hybrid solutions”, error reporting, patching, and implementation disclosure attacks on diversified software. I.
Code-Pointer Integrity
, 2014
"... Systems code is often written in low-level languages like C/C++, which offer many benefits but also dele-gate memory management to programmers. This invites memory safety bugs that attackers can exploit to divert control flow and compromise the system. Deployed de-fense mechanisms (e.g., ASLR, DEP) ..."
Abstract
-
Cited by 16 (1 self)
- Add to MetaCart
Systems code is often written in low-level languages like C/C++, which offer many benefits but also dele-gate memory management to programmers. This invites memory safety bugs that attackers can exploit to divert control flow and compromise the system. Deployed de-fense mechanisms (e.g., ASLR, DEP) are incomplete, and stronger defense mechanisms (e.g., CFI) often have high overhead and limited guarantees [19, 15, 9]. We introduce code-pointer integrity (CPI), a new de-sign point that guarantees the integrity of all code point-ers in a program (e.g., function pointers, saved return ad-dresses) and thereby prevents all control-flow hijack at-tacks, including return-oriented programming. We also introduce code-pointer separation (CPS), a relaxation of CPI with better performance properties. CPI and CPS offer substantially better security-to-overhead ratios than the state of the art, they are practical (we protect a complete FreeBSD system and over 100 packages like apache and postgresql), effective (prevent all attacks in the RIPE benchmark), and efficient: on SPEC CPU2006, CPS averages 1.2 % overhead for C and 1.9 % for C/C++, while CPI’s overhead is 2.9 % for C and 8.4 % for C/C++. A prototype implementation of CPI and CPS can be obtained from
Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code
- In ACM Conference on Computer and Communications Security (CCS
, 2014
"... Code diversification has been proposed as a technique to mitigate code reuse attacks, which have recently become the predominant way for attackers to exploit memory corruption vulnerabilities. As code reuse attacks require detailed knowledge of where code is in memory, diversification techniques att ..."
Abstract
-
Cited by 12 (2 self)
- Add to MetaCart
(Show Context)
Code diversification has been proposed as a technique to mitigate code reuse attacks, which have recently become the predominant way for attackers to exploit memory corruption vulnerabilities. As code reuse attacks require detailed knowledge of where code is in memory, diversification techniques attempt to mitigate these at-tacks by randomizing what instructions are executed and where code is located in memory. As an attacker cannot read the diversi-fied code, it is assumed he cannot reliably exploit the code. In this paper, we show that the fundamental assumption behind code diversity can be broken, as executing the code reveals infor-mation about the code. Thus, we can leak information without needing to read the code. We demonstrate how an attacker can uti-lize a memory corruption vulnerability to create side channels that leak information in novel ways, removing the need for a memory disclosure vulnerability. We introduce seven new classes of attacks that involve fault analysis and timing side channels, where each allows a remote attacker to learn how code has been diversified.
Readactor: Practical code randomization resilient to memory disclosure
- In IEEE Symposium on Security and Privacy, S&P ’15
, 2015
"... Abstract-Code-reuse attacks such as return-oriented programming (ROP) pose a severe threat to modern software. Designing practical and effective defenses against code-reuse attacks is highly challenging. One line of defense builds upon fine-grained code diversification to prevent the adversary from ..."
Abstract
-
Cited by 11 (2 self)
- Add to MetaCart
(Show Context)
Abstract-Code-reuse attacks such as return-oriented programming (ROP) pose a severe threat to modern software. Designing practical and effective defenses against code-reuse attacks is highly challenging. One line of defense builds upon fine-grained code diversification to prevent the adversary from constructing a reliable code-reuse attack. However, all solutions proposed so far are either vulnerable to memory disclosure or are impractical for deployment on commodity systems. In this paper, we address the deficiencies of existing solutions and present the first practical, fine-grained code randomization defense, called Readactor, resilient to both static and dynamic ROP attacks. We distinguish between direct memory disclosure, where the attacker reads code pages, and indirect memory disclosure, where attackers use code pointers on data pages to infer the code layout without reading code pages. Unlike previous work, Readactor resists both types of memory disclosure. Moreover, our technique protects both statically and dynamically generated code. We use a new compiler-based code generation paradigm that uses hardware features provided by modern CPUs to enable execute-only memory and hide code pointers from leakage to the adversary. Finally, our extensive evaluation shows that our approach is practical-we protect the entire Google Chromium browser and its V8 JIT compiler-and efficient with an average SPEC CPU2006 performance overhead of only 6.4%.
The Performance Cost of Shadow Stacks and Stack Canaries
"... Control flow defenses against ROP either use strict, expen-sive, but strong protection against redirected RET instruc-tions with shadow stacks, or much faster but weaker pro-tections without. In this work we study the inherent over-heads of shadow stack schemes. We find that the overhead is roughly ..."
Abstract
-
Cited by 6 (0 self)
- Add to MetaCart
(Show Context)
Control flow defenses against ROP either use strict, expen-sive, but strong protection against redirected RET instruc-tions with shadow stacks, or much faster but weaker pro-tections without. In this work we study the inherent over-heads of shadow stack schemes. We find that the overhead is roughly 10 % for a traditional shadow stack. We then design a new scheme, the parallel shadow stack, and show that its performance cost is significantly less: 3.5%. Our measure-ments suggest it will not be easy to improve performance on current x86 processors further, due to inherent costs as-sociated with RET and memory load/store instructions. We conclude with a discussion of the design decisions in our shadow stack instrumentation, and possible lighter-weight alternatives.
Towards Automated Integrity Protection of C++ Virtual Function Tables in Binary Programs
"... Web browsers are one of the most used, complex, and popu-lar software systems nowadays. They are prone to dangling pointers that result in use-after-free vulnerabilites and this is the de-facto way to exploit them. From a technical point of view, an attacker uses a technique called vtable hijacking ..."
Abstract
-
Cited by 5 (0 self)
- Add to MetaCart
(Show Context)
Web browsers are one of the most used, complex, and popu-lar software systems nowadays. They are prone to dangling pointers that result in use-after-free vulnerabilites and this is the de-facto way to exploit them. From a technical point of view, an attacker uses a technique called vtable hijacking to exploit such bugs. More specifically, she crafts bogus vir-tual tables and lets a freed C++ object point to it in order to gain control over the program at virtual function call sites. In this paper, we present a novel approach towards miti-gating and detecting such attacks against C++ binary code. We propose a static binary analysis technique to extract virtual function call site information in an automated way. Leveraging this information, we instrument the given bi-nary executable and add runtime policy enforcements to thwart the illegal usage of these call sites. We implemented the proposed techniques in a prototype called T-VIP and successfully hardened three versions of Microsoft’s Internet Explorer and Mozilla Firefox. An evaluation with several zero-day exploits demonstrates that our method prevents all of them. Performance benchmarks both on micro and macro level indicate that the overhead is reasonable with about 2.2 %, which is only slightly higher compared to re-cent compiler-based approaches that address this problem. 1.
VC3: Trustworthy Data Analytics in the Cloud
"... We present VC3, the first practical framework that allows users to run distributed MapReduce computations in the cloud while keeping their code and data secret, and ensuring the correctness and completeness of their results. VC3 runs on unmodified Hadoop, but crucially keeps Hadoop, the operating sy ..."
Abstract
-
Cited by 5 (1 self)
- Add to MetaCart
We present VC3, the first practical framework that allows users to run distributed MapReduce computations in the cloud while keeping their code and data secret, and ensuring the correctness and completeness of their results. VC3 runs on unmodified Hadoop, but crucially keeps Hadoop, the operating system and the hypervisor out of the TCB; thus, confidentiality and integrity are preserved even if these large components are compromised. VC3 relies on SGX processors to isolate memory regions on individual computers, and to deploy new protocols that secure distributed MapReduce computations. VC3 optionally enforces region self-integrity invariants for all MapReduce code running within isolated regions, to prevent attacks due to unsafe memory reads and writes. Experimental results on common benchmarks show that VC3 performs well compared with unprotected Hadoop; VC3’s average runtime overhead is negligible for its base security guarantees, 4.5 % with write integrity and 8 % with read/write integrity. *Work done while interning at Microsoft Research; affiliated with Ruhr-Universität Bochum.
VC3: Trustworthy data analytics in the cloud using SGX.
- In IEEE Symposium on Security and Privacy,
, 2015
"... Abstract-We present VC3, the first system that allows users to run distributed MapReduce computations in the cloud while keeping their code and data secret, and ensuring the correctness and completeness of their results. VC3 runs on unmodified Hadoop, but crucially keeps Hadoop, the operating syste ..."
Abstract
-
Cited by 4 (2 self)
- Add to MetaCart
(Show Context)
Abstract-We present VC3, the first system that allows users to run distributed MapReduce computations in the cloud while keeping their code and data secret, and ensuring the correctness and completeness of their results. VC3 runs on unmodified Hadoop, but crucially keeps Hadoop, the operating system and the hypervisor out of the TCB; thus, confidentiality and integrity are preserved even if these large components are compromised. VC3 relies on SGX processors to isolate memory regions on individual computers, and to deploy new protocols that secure distributed MapReduce computations. VC3 optionally enforces region self-integrity invariants for all MapReduce code running within isolated regions, to prevent attacks due to unsafe memory reads and writes. Experimental results on common benchmarks show that VC3 performs well compared with unprotected Hadoop: VC3's average runtime overhead is negligible for its base security guarantees, 4.5% with write integrity and 8% with read/write integrity.
WatchdogLite: Hardware-Accelerated Compiler-Based Pointer Checking
"... Lack of memory safety in C is the root cause of a multitude of seri-ous bugs and security vulnerabilities. Numerous software-only and hardware-based schemes have been proposed to enforce memory safety. Among these approaches, pointer-based checking, which maintains per-pointer metadata in a disjoint ..."
Abstract
-
Cited by 4 (0 self)
- Add to MetaCart
(Show Context)
Lack of memory safety in C is the root cause of a multitude of seri-ous bugs and security vulnerabilities. Numerous software-only and hardware-based schemes have been proposed to enforce memory safety. Among these approaches, pointer-based checking, which maintains per-pointer metadata in a disjoint metadata space, has been recognized as providing comprehensive memory safety. Soft-ware approaches for pointer-based checking have high performance overheads. In contrast, hardware approaches introduce a myriad of hardware structures and widgets to mitigate those performance overheads. This paper proposes WatchdogLite, an ISA extension that pro-vides hardware acceleration for a compiler implementation of pointer-based checking. This division of labor between the com-piler and the hardware allows for hardware acceleration while us-ing only preexisting architectural registers. By leveraging the com-piler to identify pointers, perform check elimination, and insert the new instructions, this approach attains performance similar to prior hardware-intensive approaches without adding any hardware structures for tracking metadata.
Micro-Policies Formally Verified, Tag-Based Security Monitors
"... Abstract—Recent advances in hardware design have demon-strated mechanisms allowing a wide range of low-level secu-rity policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a ..."
Abstract
-
Cited by 3 (0 self)
- Add to MetaCart
(Show Context)
Abstract—Recent advances in hardware design have demon-strated mechanisms allowing a wide range of low-level secu-rity policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level “symbolic machine, ” and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety; in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy’s rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller. Index Terms—security; dynamic enforcement; reference mon-itors; low-level code; tagged hardware architecture; metadata; formal verification; refinement; machine-checked proofs; Coq; dynamic sealing; compartmentalization; isolation; least privilege; memory safety; control-flow integrity 1
