Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2012, Pages 157-168

  Wartell, Richard ^a   Mohan, Vishwath ^a   Hamlen, Kevin W ^a   Lin, Zhiqiang ^a  

^a The University of Texas at Dallas   (United States)

Author keywords

Obfuscation; Randomization; Return oriented programming; Software security

Indexed keywords

ADDRESS SPACE; BASIC BLOCKS; BINARY FEATURES; BINARY TRANSFORMATION; DYNAMIC LINKING; LIBRARY CODES; LINUX PLATFORM; NATIVE CODE; OBFUSCATION; RANDOMIZATION; REALISTIC APPLICATIONS; RUNTIMES; SOFTWARE SECURITY; SOURCE CODES;

BINARY CODES; COMPUTER OPERATING SYSTEMS; METADATA; RANDOM PROCESSES;

SECURITY OF DATA;

EID: 84869451043     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2382196.2382216     Document Type: Conference Paper

References (61)

1. M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Controlflow integrity principles, implementations, and applications. ACM Trans. Information and System Security, 13(1), 2009.
2. I. Aktug and K. Naliuka. ConSpec - a formal language for policy specification. In Proc. Workshop on Run Time Enforcement for Mobile and Distributed Systems, pages 45-58, 2007.
3. B. Anckaert, M. Jakubowski, R. Venkatesan, and K. D. Bosschere. Run-time randomization to mitigate tampering. In Proc. 2nd Int. Conf. on Advances in Information and Computer Security, pages 153-168, 2007.
4. S. Andersen. Part 3: Memory protection technologies. In V. Abella, editor, Changes in Functionality in Windows XP Service Pack 2. Microsoft TechNet, 2004. http://technet.microsoft.com/en-us/library/bb457155.aspx.
5. E. G. Barrantes, D. H. Ackley, T. S. Palmer, D. Stefanovic, and D. D. Zovi. Randomized instruction set emulation to disrupt binary code injection attacks. In Proc. 10th ACM Conf. on Computer and Communications Security, pages 281-289, 2003.
6. L. Bauer, J. Ligatti, and D. Walker. Composing security policies with Polymer. In Proc. ACM SIGPLAN Conf. on Programming Language Design and Implementation, pages 305-314, 2005.
7. E. D. Berger and B. G. Zorn. DieHard: Probabilistic memory safety for unsafe languages. In Proc. ACM SIGPLAN Conf. on Programming Language Design and Implementation, pages 158-168, 2006.
8. S. Bhatkar and R. Sekar. Data space randomization. In Proc. Int. Conf. on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 1-22, 2008.
9. S. Bhatkar, D. C. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In Proc. 12th USENIX Security Symposium, pages 105-120, 2003.
10. S. Bhatkar, R. Sekar, and D. C. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In Proc. 14th USENIX Security Symposium, pages 255-270, 2005.
11. D. Bruschi, L. Cavallaro, and A. Lanzi. Diversified process replicæ for defeating memory error exploits. In Proc. IEEE Int. Performance, Computing, and Communications Conf., pages 434-441, 2007.
12. E. Buchanan, R. Roemer, H. Shacham, and S. Savage. When good instructions go bad: Generalizing return-oriented programming to RISC. In Proc. 15th ACM Conf. on Computer and Communications Security, pages 27-38, 2008.
13. C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. EXE: Automatically generating inputs of death. In Proc. 13th ACM Conf. on Computer and Communications Security, pages 322-335, 2006.
14. C. Cadar, P. Akritidis, M. Costa, J.-P. Martin, and M. Castro. Data randomization. Technical Report MSR-TR-2008-120, Microsoft Research, 2008.
15. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In Proc. 17th ACM Conf. on Computer and Communications Security, pages 559-572, 2010.
16. F. Chen and G. Roşu. Java-MOP: A monitoring oriented programming environment for Java. In Proc. 11th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems, pages 546-550, 2005.
17. P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie. DROP: Detecting return-oriented programming malicious code. In Proc. 5th Int. Conf. on Information Systems Security, pages 163-177, 2009.
18. W. Cheng, Q. Zhao, B. Yu, and S. Hiroshige. TaintTrace: Efficient flow tracing with dynamic binary rewriting. In Proc. 11th IEEE Symposium on Computers and Communications, pages 749-754, 2006.
19. M. Chew and D. Song. Mitigating buffer overflows by operating system randomization. Technical Report CMU-CS-02-197, Carnegie Mellon University, 2002.
20. Corelan Team. Mona, 2012. http://redmine.corelan.be/projects/mona.
21. C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuardTM: Protecting pointers from buffer overflow vulnerabilities. In Proc. 12th USENIX Security Symposium, pages 91-104, 2003.
22. B. Cox, D. Evans, A. Filipi, J. Rowanhill, W. Hu, J. Davidson, J. Knight, A. Nguyen-Tuong, and J. Hiser. N-Variant Systems: A secretless framework for security through diversity. In Proc. 15th USENIX Security Symposium, 2006.
23. L. Davi, A.-R. Sadeghi, and M. Winandy. ROPdefender: A detection tool to defend against return-oriented programming attacks. In Proc. 6th ACM Symposium on Information, Computer and Communications Security, pages 40-51, 2011.
24. U. Drepper. Security enhancements in Red Hat Enterprise Linux (beside SELinux), version 1.6, section 5: Position independent executables, December 2005. http://www.akkadia.org/drepper/nonselsec.pdf.
25. Ú. Erlingsson and F. B. Schneider. SASI enforcement of security policies: A retrospective. In Proc. New Security Paradigms Workshop, 1999.
26. S. Forrest, A. Somayaji, and D. H. Ackley. Building diverse computer systems. In Proc. 6th Workshop on Hot Topics in Operating Systems, page 67, 1997.
27. P. Godefroid, M. Y. Levin, and D. Molnar. Automated whitebox fuzz testing. In Proc. 15th Annual Network and Distributed System Security Symposium, 2008.
28. Hex-Rays. The IDA Pro disassembler and debugger, 2012. http://www.hex-rays.com/idapro.
29. J. D. Hiser, A. Nguyen-Tuong, M. Co, M. Hall, and J. W. Davidson. ILR: Where'd my gadgets go? In Proc. IEEE Symposium on Security and Privacy, pages 571-585, 2012.
30. G. Hoglund and J. Butler. Rootkits: Subverting the Windows Kernel, chapter 4: The Age-Old Art of Hooking, pages 73-74. Pearson Education, Inc., 2006.
31. J. K. Hollingsworth, B. P. Miller, and J. Cargille. Dynamic program instrumentation for scalable performance tools. In Proc. Scalable High Performance Computing Conf., pages 841-850, 1994.
32. G. Hunt and D. Brubacher. Detours: Binary interception of Win32 functions. In Proc. 3rd USENIX Windows NT Symposium, 1999.
33. X. Jiang, H. J. Wang, D. Xu, and Y.-M. Wang. RandSys: Thwarting code injection attacks with system service interface randomization. In Proc. 26th IEEE Int. Symposium on Reliable Distributed Systems, pages 209-218, 2007.
34. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction-set randomization. In Proc. 10th ACM Conf. on Computer and Communications Security, pages 272-280, 2003.
35. V. Kiriansky, D. Bruening, and S. Amarasinghe. Secure execution via program shepherding. In Proc. 11th USENIX Security Symposium, 2002.
36. M. O. Lam, J. K. Hollingsworth, and G. W. Stewart. Dynamic floating-point cancellation detection. In Proc. 1st Int. Workshop on High-performance Infrastructure for Scalable Tools, 2011.
37. D. Larochelle and D. Evans. Statically detecting likely buffer overflow vulnerabilities. In Proc. 10th USENIX Security Symposium, 2001.
38. J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram. Defeating return-oriented rootkits with "Return-less" kernels. In Proc. 5th European Conf. on Computer Systems, pages 195-208, 2010.
39. S. McCamant and G. Morrisett. Evaluating SFI for a CISC architecture. In Proc. 15th USENIX Security Symposium, pages 209-224, 2006.
40. G. Novark, E. D. Berger, and B. G. Zorn. Exterminator: Automatically correcting memory errors with high probability. In Proc. ACM SIGPLAN Conf. on Programming Language Design and Implementation, pages 1-11, 2007.
41. K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda. G-Free: Defeating return-oriented programming through gadget-less binaries. In Proc. 26th Annual Computer Security Applications Conf., pages 49-58, 2010.
42. Oracle Corporation. Position-independent code. In Linker and Libraries Guide. 2010. http://docs.oracle.com/cd/E19082-01/819-0690/chapter4-29405/index. html.
43. P. O'Sullivan, K. Anand, A. Kotha, M. Smithson, R. Barua, and A. D. Keromytis. Retrofitting security in COTS software with binary rewriting. In Proc. Int. Information Security Conf., pages 154-172, 2011.
44. V. Pappas, M. Polychronakis, and A. D. Keromytis. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In Proc. IEEE Symposium on Security and Privacy, pages 601-615, 2012.
45. PaX Team. PaX address space layout randomization (ASLR), 2003. http://pax.grsecurity.net/docs/aslr.txt.
46. G. F. Roglia, L. Martignoni, R. Paleari, and D. Bruschi. Surgically returning to randomized lib(c). In Proc. 25th Annual Computer Security Applications Conf., pages 60-69, 2009.
47. B. Salamat, T. Jackson, A. Gal, and M. Franz. Orchestra: Intrusion detection using parallel execution and monitoring of program variants in user-space. In Proc. 4th ACM European Conf. on Computer Systems, pages 33-46, 2009.
48. J. Salwan. ROPgadget, 2012. http://shell-storm.org/project/ROPgadget.
49. F. B. Schneider. Enforceable security policies. ACM Trans. Information and Systems Security, 3(1):30-50, 2000.
50. E. J. Schwartz, T. Avgerinos, and D. Brumley. Q: Exploit hardening made easy. In Proc. 20th USENIX Security Symposium, 2011.
51. H. Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proc. 14th ACM Conf. on Computer and Communications Security, pages 552-561, 2007.
52. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In Proc. 11th ACM Conf. on Computer and Communications Security, pages 298-307, 2004.
53. C. Small and M. I. Seltzer. A comparison of OS extension technologies. In Proc. USENIX Annual Technical Conf., pages 41-54, 1996.
54. M. Smithson, K. Anand, A. Kotha, K. Elwazeer, N. Giles, and R. Barua. Binary rewriting without relocation information. Technical report, U. Maryland, November 2010.
55. Solar Designer. "return-to-libc" attack. Bugtraq, August 1997.
56. B. D. Sutter, B. D. Bus, and K. D. Bosschere. Link-time binary rewriting techniques for program compaction. ACM Trans. Programming Languages and Systems, 27(5):882-945, 2005.
57. A. van de Ven. New security enhancements in Red Hat Enterprise Linux v.3, update 3. Whitepaper WHP0006US, Red Hat, 2004. http://people.redhat.com/mingo/ exec-shield/docs/WHP0006US-Execshield.pdf.
58. R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. In Proc. 14th ACM Symposium on Operating Systems Principles, pages 203-216, 1993.
59. R. Wartell, Y. Zhou, K. W. Hamlen, M. Kantarcioglu, and B. Thuraisingham. Differentiating code from data in x86 binaries. In Proc. European Conf. on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, volume 3, pages 522-536, 2011.
60. J. Xu, Z. Kalbarczyk, and R. K. Iyer. Transparent runtime randomization for security. In Proc. 22nd Int. Symposium on Reliable Distributed Systems, pages 260-269, 2003.
61. B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native Client: A sandbox for portable, untrusted x86 native code. In Proc. 30th IEEE Symposium on Security and Privacy, pages 79-93, 2009.