DOI: 10.1145/3564625.3567967 (ACSAC Conference Proceedings, research article)

MProbe: Make the code probing meaningless

Published: 05 December 2022

Abstract

Modern security methods use address space layout randomization (ASLR) to defend against code reuse attacks (CRAs). However, code probing can still reveal both the content and the address of the code. Code probing invalidates the widely used ASLR methods, causing researchers to lose confidence in them. On the contrary, we believe ASLR is still effective if it has anti-probing capability. To enhance the anti-probing capability of ASLR and defend against CRAs, this paper proposes an anti-probing method, MProbe. First, it detects the code probing activities of attackers, including address probing and content probing. Next, the execution permission of the probed code is disabled in the original address space. At the same time, an equivalent code block in a random address space replaces the probed code. Finally, new security strategies are used to prevent the probed code blocks from being used as gadgets. Experiments and analysis show that MProbe has a good defense effect against CRAs based on code probing, and introduces less than 3% performance overhead to the operating system (OS).
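As an added illustration, not code from the paper, the following Python model simulates the policy the abstract outlines: a content probe (data read of code) or an address probe (access fault on code) is detected, the probed block loses execute permission in place, an equivalent copy is mapped at a random address, and a later control transfer to the probed address is refused. The probe event kinds, the 4 KiB page granularity and the random address range are assumptions of this model, and the execute-permission check stands in for the paper's own anti-gadget strategies, which the page does not detail.

```python
import random


class CodeSpace:
    def __init__(self, blocks, seed=0):
        # blocks: {start_addr: code_bytes}; every block starts out executable
        self.rng = random.Random(seed)
        self.blocks = {a: {"code": c, "exec": True} for a, c in blocks.items()}
        self.relocated = {}   # original start -> random replacement start
        self.probe_log = []   # (kind, original start, replacement start)

    def _block_of(self, addr):
        for start, b in self.blocks.items():
            if start <= addr < start + len(b["code"]):
                return start
        return None

    def _quarantine(self, start, kind):
        # Steps 2 and 3 of the abstract: drop execute permission on the probed
        # block and map an equivalent copy at a fresh, unpredictable address.
        victim = self.blocks[start]
        victim["exec"] = False
        new = self.rng.randrange(0x10000, 0x7FFF0000, 0x1000)  # assumed range
        while self._block_of(new) is not None:
            new = self.rng.randrange(0x10000, 0x7FFF0000, 0x1000)
        self.blocks[new] = {"code": victim["code"], "exec": True}
        self.relocated[start] = new
        self.probe_log.append((kind, start, new))

    def _probe(self, addr, kind):
        # Shared detection path: only a live (still executable) block counts as
        # a new probe; an already quarantined block needs no further action.
        start = self._block_of(addr)
        if start is None or not self.blocks[start]["exec"]:
            return False
        self._quarantine(start, kind)
        return True

    def read(self, addr):
        # Content probe: a data read landing on code; the bytes are never returned.
        return self._probe(addr, "content")

    def fault(self, addr):
        # Address probe: an access fault used to learn whether addr is mapped.
        return self._probe(addr, "address")

    def execute(self, addr):
        # A control transfer (a would-be gadget) succeeds only with execute permission.
        start = self._block_of(addr)
        return start is not None and self.blocks[start]["exec"]
```

Running `CodeSpace({0x400000: b"blockA"}).read(0x400003)` followed by `execute(0x400000)` shows the probed address refusing execution while the relocated copy in `relocated[0x400000]` still runs.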


Cited By

  • Isolate and Detect the Untrusted Driver with a Virtual Box. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pp. 4584-4597. DOI: 10.1145/3658644.3670269. Online publication date: 2 Dec 2024.

Published In

ACSAC '22: Proceedings of the 38th Annual Computer Security Applications Conference
December 2022
1021 pages
ISBN:9781450397599
DOI:10.1145/3564625
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Integrity
  2. Security and Protection
  3. System architectures

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (last 12 months): 26
  • Downloads (last 6 weeks): 2

Reflects downloads up to 11 Jan 2025