Code-reuse and data-oriented attacks are increasingly concerned, with which attackers can exploit traditional vulnerabilities (e.g., buffer overflow) to easily compromise remote servers to control them or steal sensitive data. Address Space Layout Randomization (ASLR) is the most widely deployed defense, which is supported in all modern OSes. Unfortunately, recent attacks showed that ASLR can often be bypassed. To defense against these attacks, we first identified two fundamental problems with ASLR, and then proposed multiple novel mechanisms to address these problems. The evaluation results showed that our defenses are effective to prevent all existing attacks and efficient to be practical tools.
The first problem with ASLR is that attackers can leverage information leak vulnerabilities to leak the randomized addresses, and such vulnerabilities are not hard to find. We propose ASLR-Guard to hide or encrypt code pointers. This way, either the attacker cannot leak the code pointers, or the leak of code pointers is useless to attackers. As a follow-up work of ASLR-Guard, we propose a dual-execution system, which protects both code address and data address. More importantly, it does not require source code or modification of kernel code.
The second problem with ASLR is that traditional ASLR techniques only perform one-time randomization at load-time, thus enabling so-called clone-probing attacks (e.g., Blind ROP). We propose RuntimeASLR, an automated runtime re-randomization mechanism, to defeat against such attacks.
- ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks (ACM CCS 2015) [paper]
- How to Make ASLR Win the Clone Wars: Runtime Re-Randomization (NDSS 2016)
This video shows how function pointers are encrypted by ASLR-Guard. This hello world program prints out the function pointer of hello(). In the original program (before.out), the plaintext function pointer value is printed out: 0x7f39df77b7c5. However, after applying ASLR-Guard to it, the hardened program (guard.out) prints out the encrypted value: 0xf9795d000002240, in which 0xf9795d0 is the random nonce and 0x2240 is the offset into the random mapping table. Leaking this value cannot reveal the real address of hello().
This video shows that when running Nginx web server with RuntimeASLR, BlindROP attack cannot bypass ASLR.
- Kangjie Lu
- Chengyu Song
- Byoungyoung Lee
- Meng Xu
- Simon Chung
- Taesoo Kim
- Wenke Lee
- Stefan Nürnberger (MPI-SWS)
- Michael Backes (MPI-SWS)