It's a TRaP: Table randomization and protection against function-reuse attacks

Proceedings of the ACM Conference on Computer and Communications Security

Volumn 2015-October, Issue , 2015, Pages 243-255

  Crane, Stephen ^a   Volckaert, Stijn ^b   Schuster, Felix ^c   Liebchen, Christopher ^d   Larsen, Per ^a   Davi, Lucas ^d   Sadeghi, Ahmad Reza ^d   Holz, Thorsten ^c   De Sutter, Bjorn ^b   Franz, Michael ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b GHENT UNIVERSITY   (Belgium)

^c RUHR UNIVERSITY BOCHUM   (Germany)

^d DARMSTADT UNIVERSITY OF TECHNOLOGY   (Germany)

Author keywords

C++; Code reuse; Compilers; COOP; Diversity; Exploits; Mitigations; Randomization

Indexed keywords

C (PROGRAMMING LANGUAGE); CESIUM; CODES (SYMBOLS); COMPUTER SOFTWARE REUSABILITY; OBJECT ORIENTED PROGRAMMING; PROGRAM COMPILERS; RANDOM PROCESSES;

CODE REUSE; COOP; DIVERSITY; EXPLOITS; MITIGATIONS; RANDOMIZATION;

SIDE CHANNEL ATTACK;

EID: 84954159903     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2810103.2813682     Document Type: Conference Paper

References (40)

1. M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Control-ow integrity principles, implementations, and applications. ACM Transactions on Information System Security, 13, 2009.
2. M. Backes and S. Nürnberger. Oxymoron - making fine-grained memory randomization practical by allowing code sharing. In USENIX Security Symposium, 2014.
3. M. Backes, T. Holz, B. Kollenda, P. Koppe, S. Nürnberger, and J. Pewny. You can run but you can't read: Preventing disclosure exploits in executable code. In ACM Conference on Computer and Communications Security (CCS), 2014.
4. S. Bhatkar and D. C. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In USENIX Security Symposium, 2005.
5. S. Bhatkar, D. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In USENIX Security Symposium, 2003.
6. A. Bittau, A. Belay, A. J. Mashtizadeh, D. Mazières, and D. Boneh. Hacking blind. In IEEE Symposium on Security and Privacy (S&P), 2014.
7. T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang. Jump-oriented programming: a new class of code-reuse attack. In ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2011.
8. S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In ACM Conference on Computer and Communications Security (CCS), 2010.
9. CodeSourcery, Compaq, EDG, HP, IBM, Intel, Red Hat, and SGI. Itanium C++ Application Binary Interface (ABI), 2001.
10. S. Crane, P. Larsen, S. Brunthaler, and M. Franz. Booby trapping software. In Workshop on New Security Paradigms (NSPW), 2013.
11. S. Crane, C. Liebchen, A. Homescu, L. Davi, P. Larsen, A.-R. Sadeghi, S. Brunthaler, and M. Franz. Readactor: Practical code randomization resilient to memory disclosure. In IEEE Symposium on Security and Privacy (S&P), 2015.
12. T. H. Dang, P. Maniatis, and D. Wagner. The performance cost of shadow stacks and stack canaries. In ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2015.
13. L. Davi, C. Liebchen, A.-R. Sadeghi, K. Z. Snow, and F. Monrose. Isomeron: Code randomization resilient to (just-in-time) return-oriented programming. In Symposium on Network and Distributed System Security (NDSS), 2015.
14. L. V. Davi, A. Dmitrienko, S. Nürnberger, and A. Sadeghi. Gadge me if you can: secure and efficient ad-hoc instruction-level randomization for x86 and ARM. In ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2013.
15. I. Evans, S. Fingeret, J. Gonzalez, U. Otgonbaatar, T. Tang, H. Shrobe, S. Sidiroglou-Douskos, M. Rinard, and H. Okhravi. Missing the point: On the effectiveness of code pointer integrity. In IEEE Symposium on Security and Privacy (S&P), 2015.
16. R. Gawlik and T. Holz. Towards Automated Integrity Protection of C++ Virtual Function Tables in Binary Programs. In Annual Computer Security Applications Conference (ACSAC), 2014.
17. J. Gionta, W. Enck, and P. Ning. HideM: Protecting the contents of userspace memory in the face of disclosure vulnerabilities. In ACM Conference on Data and Application Security and Privacy (CODASPY), 2015.
18. A. Homescu, S. Brunthaler, P. Larsen, and M. Franz. Librando: transparent code randomization for just-in-time compilers. In ACM Conference on Computer and Communications Security (CCS), 2013.
19. A. Homescu, S. Neisius, P. Larsen, S. Brunthaler, and M. Franz. Profile-guided automatic software diversity. In IEEE/ACM International Symposium on Code Generation and Optimization (CGO), 2013.
20. D. Jang, Z. Tatlock, and S. Lerner. SAFEDISPATCH: Securing C++ virtual calls from memory corruption attacks. In Symposium on Network and Distributed System Security (NDSS), 2014.
21. V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. Code-pointer integrity. In USENIX Security Symposium, 2014.
22. P. Larsen, A. Homescu, S. Brunthaler, and M. Franz. SoK: Automated software diversity. In IEEE Symposium on Security and Privacy (S&P), 2014.
23. Z. Lin, R. Riley, and D. Xu. Polymorphing software by randomizing data structure layout. In Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2009.
24. V. Mohan, P. Larsen, S. Brunthaler, K. Hamlen, and M. Franz. Opaque control-ow integrity. In Symposium on Network and Distributed System Security (NDSS), 2015.
25. S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic. SoftBound: Highly compatible and complete spatial memory safety for C. In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2009.
26. Nergal. The advanced return-into-lib(c) exploits: PaX case study. Phrack Magazine, 11, 2001.
27. A. Prakash, X. Hu, and H. Yin. vfGuard: Strict Protection for Virtual Function Calls in COTS C++ Binaries. In Symposium on Network and Distributed System Security (NDSS), 2015.
28. rix. Smashing C++ VPTRS. Phrack Magazine, 56(8), 2000. URL http://phrack.org/issues/56/8.html.
29. R. Roemer, E. Buchanan, H. Shacham, and S. Savage. Return-oriented programming: Systems, languages, and applications. ACM Transactions on Information System Security, 15, 2012.
30. F. Schuster, T. Tendyck, J. Pewny, A. Maaß, M. Steegmanns, M. Contag, and T. Holz. Evaluating the Effectiveness of Current Anti-ROP Defenses. In International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2014.
31. F. Schuster, T. Tendyck, C. Liebchen, L. Davi, A.-R. Sadeghi, and T. Holz. Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications. In IEEE Symposium on Security and Privacy (S&P), 2015.
32. F. J. Serna. The info leak era on software exploitation. In BlackHat USA, 2012.
33. H. Shacham, M. Page, B. Pfaff, E. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In ACM Conference on Computer and Communications Security (CCS), 2004.
34. J. Siebert, H. Okhravi, and E. Söderström. Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code. In ACM Conference on Computer and Communications Security (CCS), 2014.
35. K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A. Sadeghi. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In IEEE Symposium on Security and Privacy (S&P), 2013.
36. C. Song, C. Zhang, T. Wang, W. Lee, and D. Melski. Exploiting and protecting dynamic code generation. In Symposium on Network and Distributed System Security (NDSS), 2015.
37. L. Szekeres, M. Payer, T. Wei, and D. Song. SoK: Eternal war in memory. In IEEE Symposium on Security and Privacy (S&P), 2013.
38. C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, Ú. Erlingsson, L. Lozano, and G. Pike. Enforcing forward-edge control-ow integrity in GCC & LLVM. In USENIX Security Symposium, 2014.
39. M. Tran, M. Etheridge, T. Bletsch, X. Jiang, V. W. Freeh, and P. Ning. On the expressiveness of return-into-libc attacks. In International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2011.
40. C. Zhang, C. Song, K. Z. Chen, Z. Chen, and D. Song. VTint: Defending virtual function tables' integrity. In Symposium on Network and Distributed System Security (NDSS), 2015.