More Web Proxy on the site http://driver.im/

research-article

MProbe: Make the code probing meaningless

Authors:

Yeh-Ching Chung,

Guoyuan LinAuthors Info & Claims

ACSAC '22: Proceedings of the 38th Annual Computer Security Applications Conference

Pages 214 - 226

https://doi.org/10.1145/3564625.3567967

Published: 05 December 2022 Publication History

Abstract

Modern security methods use address space layout randomization (ASLR) to defend against code reuse attacks (CRAs). However, code probing can still obtain the content and address of the code through code probing. Code probing invalidates the widely used ASLR methods, causing researchers to lose confidence in them. On the contrary, we believe the ASLR is still effective, if it has anti-probing capability. To enhance the anti-probing capability of ASLR and defense CRAs, this paper proposes an anti-probing method MProbe. First, it detects the code probing activities of attackers, including address probing and content probing. Next, the execution permission of the probed code will be de-enabled in the original address space. At the same time, the equivalent code block in a random address space will replace the probed code. Finally, new security strategies are used to prevent the probed code blocks from being used as gadgets. Experiments and analysis show that MProbe has a good defense effect against CRAs based on code probing, and only introduces less than 3% performance overhead to the operating system (OS).

References

[1]

Biondo A, Conti M, “The Guard's Dilemma: Efficient Code-Reuse Attacks Against Intel {SGX}”. Proc. The 27th USENIX Security Symposium. 2018: 1213-1227.

[2]

He W, Das S, Zhang W, “BBB-CFI: lightweight CFI approach against code-reuse attacks using basic block information”. ACM Transactions on Embedded Computing Systems, 2020, 19(1): 1-22.

Digital Library

[3]

Crane S J, Volckaert S, Schuster F, “It's a TRaP: Table randomization and protection against function-reuse attacks”. Proc. The 22nd ACM SIGSAC Conference on Computer and Communications Security. 2015: 243-255.

Digital Library

[4]

Kayaalp M, Schmitt T, Nomani J, “Signature-based protection from code reuse attacks”. IEEE Transactions on Computers, 2013, 64(2): 533-546.

Digital Library

[5]

DeLozier C, Lakshminarayanan K, Pokam G, “Hurdle: Securing Jump Instructions Against Code Reuse Attacks”. Proc. The 25th International Conference on Architectural Support for Programming Languages and Operating Systems. 2020: 653-666.

Digital Library

[6]

Dang T H Y, Maniatis P, “The performance cost of shadow stacks and stack canaries”. Proc. The 10th ACM Symposium on Information, Computer and Communications Security. 2015: 555-566.

Digital Library

[7]

Marco-Gisbert H, Ripoll. “Address space layout randomization next generation”. Applied Sciences, 2019, 9(14): 2928.

[8]

Wang C, Chen B, Liu Y, “Layered object-oriented programming: Advanced vtable reuse attacks on binary-level defense”. IEEE Transactions on Information Forensics and Security, 2018, 14(3): 693-708.

[9]

Ho J W. “Efficient and robust detection of code-reuse attacks through probabilistic packet inspection in industrial IoT devices”. IEEE Access, 2018, 6: 54343-54354.

[10]

D. Williams-King, G. Gobieski, K. Williams-King, “Shuffler: Fast and deployable continuous code re-randomization,” Proc. The OSDI, 2016.

[11]

Chao Zhang, Tao Wei, “Practical Control Flow Integrity and Randomization for Binary Executables”. Proc. 2013 IEEE Symposium on Security and Privacy. Washington, DC, USA, 559–573.

Digital Library

[12]

Lucas Davi, Ahmad-Reza Sadeghi, Daniel Lehmann, and Fabian Monrose. “Stitching the Gadgets: On the Ineffectiveness of Coarse-grained Control-flow Integrity Protection”. Proc. The 23rd USENIX Conference on Security Symposium. Berkeley, CA, USA, 401–416.

[13]

Gupta A, Kerr S, Kirkpatrick M S, “Marlin: A fine grained randomization approach to defend against ROP attacks”. Proc. The International Conference on Network and System Security. Springer, Berlin, Heidelberg, 2013: 293-306.

[14]

Hiser J, Nguyen-Tuong A, “ILR: Where'd my gadgets go?” Proc. The IEEE Symposium on Security and Privacy. IEEE, 2012: 571-585.

Digital Library

[15]

Lu† Kangjie, Nürnberger S, Backes M, “How to Make ASLR Win the Clone Wars: Runtime Re-Randomization”. Proc. The 23rd Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, 2016.

[16]

Bittau, A., Belay, A., “Hacking Blind”. Proc. The IEEE Security and Privacy, 2014, 227–242.

Digital Library

[17]

Rudd R, Skowyra R, Bigelow D, “Address Oblivious Code Reuse: On the Effectiveness of Leakage Resilient Diversity.” Proc. NDSS. 2017.

[18]

Gktasgktas E, Gawlik R, “Undermining Information Hiding (And What to do About it)”. Proc. The 25th USENIX Security. 2016.

[19]

Gawlik R, Kollenda B, Koppe P, “Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding”. Proc. The NDSS. 2016, 16: 21-24.

[20]

Göktas E, Razavi K, “Speculative Probing: Hacking Blind in the Spectre Era”. Proc. The 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020: 1871-1885.

Digital Library

[21]

Braden K, Davi L, “Leakage-Resilient Layout Randomization for Mobile Devices”. Proc. The NDSS. 2016, 16: 21-24.

[22]

Chen X, Bos H, Giuffrida C. “CodeArmor: Virtualizing the code space to counter disclosure attacks”. Proc. The IEEE European Symposium on Security and Privacy, 2017: 514-529.

[23]

Kuznetsov V, Szekeres, László, Payer M, “Code-Pointer Integrity”. Proc. The Usenix Symposium on Operating Systems Design & Implementation. 2014.

Digital Library

[24]

Lu K, Song C, Lee B, “ASLR-Guard: Stopping address space leakage for code reuse attacks”. Proc. The 22nd ACM SIGSAC conference on computer and communications security. 2015: 280-291.

Digital Library

[25]

Davi L, Liebchen C, Sadeghi A R, “Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming”. Proc. The Network and Distributed System Security Symposium. 2015.

[26]

Backes M, Nürnberger S. “Oxymoron: Making fine-grained memory randomization practical by allowing code sharing”. Proc. The 23rd USENIX Security Symposium. 2014: 433-447.

[27]

HongHu, ChenxiongQian, “Enforcing Unique Code Target Property for Control-Flow Integrity”. Proc. The 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, New York, NY, USA, 1470–1486.

Digital Library

[28]

Caroline Tice, Tom Roeder, “Enforcing Forward-edge Control-flow Integrity in GCC & LLVM”. Proc. The 23rd USENIX Conference on Security Symposium. USENIX Association, Berkeley, CA, USA, 941–955.

[29]

Ben Niu and Gang Tan. “Per-Input Control-Flow Integrity”. Proc. The 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, NY, USA, 914–926.

Digital Library

[30]

Chao Zhang, Chengyu Song, Kevin Zhijie Chen, “VTint: Protecting Virtual Function Tables’ Integrity”. Proc. The Network and Distributed System Security Symposium, 2015.

[31]

Chao Zhang, Dawn Song, Scott A Carr, Mathias Payer, “VTrust: Regaining Trust on Virtual Calls”. Proc. The Network and Distributed System Security Symposium, 2016.

[32]

Criswell J, Dautenhahn N. “KCoFI: Complete control-flow integrity for commodity operating system kernels.” Proc. The IEEE Symposium on Security and Privacy. IEEE, 2014: 292-307.

Digital Library

[33]

Zhang M, Sekar R. “Control flow integrity for {COTS} binaries” Proc. 22nd USENIX Security Symposium. 2013: 337-352. https://doi.org/10.1145/2818000.2818016

Digital Library

[34]

Mohan V, Larsen P, Brunthaler S, “Opaque Control-Flow Integrity” Proc. NDSS. 2015, 26: 27-30.

[35]

Maisuradze G, Backes M, “What cannot be read, cannot be leveraged? revisiting assumptions of JIT-ROP defenses”, Proc. 25th USENIX Security Symposium, 2016: 139-156.

[36]

Yarom Y, Falkner K. “FLUSH+ RELOAD: A high resolution, low noise, L3 cache side-channel attack” Proc. 23rd USENIX Security Symposium. 2014: 719-732.

[37]

Gras B, Razavi K, Bosman E, “ASLR on the Line: Practical Cache Attacks on the MMU” Proc. NDSS. 2017, 17: 26.

[38]

Hu H, Shinde S, Adrian S, “Data-oriented programming: On the expressiveness of non-control data attacks”. Proc. IEEE Symposium on Security and Privacy (SP). 2016: 969-986.

[39]

Hu Z, Chen P, “A co-design adaptive defense scheme with bounded security damages against Heartbleed-like attacks”. IEEE Transactions on Information Forensics and Security, 2021, 16: 4691-4704.

Digital Library

[40]

Omotosho A, Welearegai G B, Hammer C. “Detecting return-oriented programming on firmware-only embedded devices using hardware performance counters”. Proc. the 37th ACM/SIGAPP Symposium on Applied Computing. 2022: 510-519.

Digital Library

[41]

Lin K, Xia H, Zhang K, “AddrArmor: An Address-based Runtime Code-reuse Attack Mitigation for Shared Objects at the Binary-level.” Proc. 2021 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom). 2021: 117-124.

[42]

Wang J, Zhao M, Zeng Q, “Risk assessment of buffer" Heartbleed" over-read vulnerabilities.” Proc. 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. 2015: 555-562.

Digital Library

[43]

Snow K Z, Monrose F, Davi L, “Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization.” Proc. IEEE Symposium on Security and Privacy. 2013: 574-588.

Digital Library

[44]

Osvik D A, Shamir A, Tromer E. “Cache attacks and countermeasures: the case of AES.” Proc. Cryptographers’ track at the RSA conference. 2006: 1-20.

Digital Library

[45]

Liu, Fangfei, "Last-level cache side-channel attacks are practical." Proc. IEEE symposium on security and privacy. 2015.

[46]

J. Salwan. “ROPgadget–Gadgets Finder and Auto-Roper.” http://shell-storm.org/project/ROPgadget

[47]

Lu K, Xu M, Song C, “Stopping memory disclosures via diversification and replicated execution.” IEEE Transactions on Dependable and Secure Computing, 2018, 18(1): 160-173.

Digital Library

[48]

Oikonomopoulos A, Athanasopoulos E, Bos H, “Poking holes in information hiding.” Proc. USENIX Security Symposium (USENIX Security 16). 2016: 121-138.

[49]

Jan Werner, George Baltas, Rob Dallara, Nathan Otternes, Kevin Snow, Fabian Monrose, and Michalis Polychronakis. 2016. No-Execute-After-Read: Preventing Code Disclosure in Commodity Software. In Proceedings of the 11th ACM Asia Conference on Computer and Communications Security (ASIACCS).

Digital Library

[50]

Michael Backes, Thorsten Holz, Benjamin Kollenda, Philipp Koppe, Stefan Nürnberger, and Jannik Pewny. 2014. You Can Run but You Can't Read: Preventing Disclosure Exploits in Executable Code. In CCS.

[51]

Zhang M, Polychronakis M, Sekar R. Protecting cots binaries from disclosure-guided code reuse attacks[C]//Proceedings of the 33rd Annual Computer Security Applications Conference. 2017: 128-140.

[52]

Tang A, Sethumadhavan S, Stolfo S. Heisenbyte: Thwarting memory disclosure attacks using destructive code reads[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 2015: 256-267.

[53]

Crane S, Liebchen C, Homescu A, Readactor: Practical code randomization resilient to memory disclosure[C]//2015 IEEE Symposium on Security and Privacy. IEEE, 2015: 763-780.

[54]

Chen Y, Zhang D, Wang R, NORAX: Enabling execute-only memory for COTS binaries on AArch64[C]//2017 IEEE Symposium on Security and Privacy (SP). IEEE, 2017: 304-319.

[55]

Gionta J, Enck W, Ning P. HideM: Protecting the contents of userspace memory in the face of disclosure vulnerabilities[C]//Proceedings of the 5th ACM Conference on Data and Application Security and Privacy. 2015: 325-336.

[56]

Bigelow D, Hobson T, Rudd R, Timely rerandomization for mitigating memory disclosures[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 2015: 268-279.

Cited By

Li YJiang SBao YChen PZhou YChung YLuo BLiao XXu JKirda ELie D(2024)Isolate and Detect the Untrusted Driver with a Virtual BoxProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670269(4584-4597)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3670269

Index Terms

MProbe: Make the code probing meaningless
1. Security and privacy
  1. Systems security
    1. Operating systems security
      1. Virtualization and security

Recommendations

KPointer: Keep the code pointers on the stack point to the right code
Abstract
Affected by vulnerabilities, the control data on the stack is easily destroyed, which provides the most convenient conditions for code reuse attacks (CRAs). The operating system (OS) does not impose strict restrictions on the control flow paths. ...
MagBox: Keep the risk functions running safely in a magic box
Abstract
Address space layout randomization (ASLR) has been widely deployed in operating systems (OS) to hide memory layout, which mitigates code reuse attacks (CRAs). Unfortunately, the memory probing techniques can still provide attackers with enough ...
Intel Software Guard Extensions: Introduction and Open Research Challenges
SPRO '16: Proceedings of the 2016 ACM Workshop on Software PROtection

Hardware-enhanced security is an important pillar of secure systems in general and software protection in particular. This presentation will survey the recently announced Intel Software Guard Extensions (Intel SGX) as well as innovative usages for ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

ACSAC '22: Proceedings of the 38th Annual Computer Security Applications Conference

December 2022

1021 pages

ISBN:9781450397599

DOI:10.1145/3564625

Copyright © 2022 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 December 2022

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ACSAC

ACSAC: Annual Computer Security Applications Conference

December 5 - 9, 2022

TX, Austin, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
132
Total Downloads

Downloads (Last 12 months)25
Downloads (Last 6 weeks)1

Reflects downloads up to 24 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Li YJiang SBao YChen PZhou YChung YLuo BLiao XXu JKirda ELie D(2024)Isolate and Detect the Untrusted Driver with a Virtual BoxProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670269(4584-4597)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3670269

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Table of Contents