Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming

22nd Annual Network and Distributed System Security Symposium, NDSS 2015

Volumn , Issue , 2015, Pages

  Davi, Lucas ^a   Liebchen, Christopher ^a   Sadeghi, Ahmad Reza ^a   Snow, Kevin Z ^b   Monrose, Fabian ^b  

^a DARMSTADT UNIVERSITY OF TECHNOLOGY   (Germany)

^b UNIVERSITY OF NORTH CAROLINA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CODES (SYMBOLS); JUST IN TIME PRODUCTION; RANDOM PROCESSES;

ATTACK STRATEGIES; CODE RANDOMIZATION; CODE REUSE; DIRECT CODES; FINE GRAINED; JUST-IN-TIME; MEMORY PAGES; RETURN-ORIENTED PROGRAMMING; RUNTIMES; SECURITY ANALYSIS;

STATIC ANALYSIS;

EID: 85080743214     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss.2015.23262     Document Type: Conference Paper

References (58)

1. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity: Principles, implementations, and applications. ACM Trans. Inf. Syst. Secur., 13(1), 2009.
2. Aleph One. Smashing the stack for fun and profit. Phrack magazine, 7(49):365, 1996.
3. M. Backes and S. Nürnberger. Oxymoron - making fine-grained memory randomization practical by allowing code sharing. In USENIX Security Symposium, 2014.
4. M. Backes, T. Holz, B. Kollenda, P. Koppe, S. Nürnberger, and J. Pewny. You can run but you can't read: Preventing disclosure exploits in executable code. In ACM Conference on Computer and Communications Security (CCS), 2014.
5. S. Bhatkar, R. Sekar, and D. C. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In USENIX Security Symposium, 2005.
6. D. Bruening, E. Duesterwald, and S. Amarasinghe. Design and implementation of a dynamic optimization framework for windows. In 4th ACM Workshop on Feedback-Directed and Dynamic Optimization (FDDO-4), 2001.
7. N. Carlini and D. Wagner. Rop is still dangerous: Breaking modern defenses. In USENIX Security Symposium, 2014.
8. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In ACM Conference on Computer and Communications Security (CCS), 2010.
9. X. Chen. Analyzing the first ROP-only, sandbox-escaping PDF exploit. http://blogs.mcafee.com/mcafee-labs/analyzing-the-first-rop-only-sandboxescaping-pdf-exploit, 2013.
10. Y. Cheng, Z. Zhou, M. Yu, X. Ding, and R. H. Deng. Ropecker: A generic and practical approach for defending against rop attacks. In Symposium on Network and Distributed System Security (NDSS), 2014.
11. J. Clause, W. Li, and A. Orso. Dytan: A generic dynamic taint analysis framework. In Proceedings of the 2007 International Symposium on Software Testing and Analysis, 2007.
12. M. Conover and w00w00 Security Team. w00w00 on heap overflows. http://www.cgsecurity.org/exploit/heaptut.txt, 1999.
13. L. Davi, A.-R. Sadeghi, and M. Winandy. Ropdefender: A detection tool to defend against return-oriented programming attacks. In ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2011.
14. L. Davi, A. Dmitrienko, S. Nürnberger, and A.-R. Sadeghi. Gadge me if you can - secure and efficient ad-hoc instruction-level randomization for x86 and ARM. In ACM Conference on Computer and Communications Security (CCS), 2013.
15. L. Davi, A.-R. Sadeghi, D. Lehmann, and F. Monrose. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In USENIX Security Symposium, 2014.
16. T. Durden. Bypassing PaX ASLR protection. Phrack magazine, 11(59), 2002.
17. Gadgets DNA.com. How PDF exploit being used by JailbreakMe to jailbreak iPhone iOS 4.0.1. http://www.gadgetsdna.com/iphone-ios-4-0-1-jailbreak-execution-flowusing-pdf-exploit/5456/, 2010.
18. C. Giuffrida, A. Kuijsten, and A. S. Tanenbaum. Enhanced operating system security through efficient and fine-grained address space randomization. In USENIX Security Symposium, 2012.
19. E. Göktas, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out of control: Overcoming control-flow integrity. In IEEE Symposium on Security and Privacy, 2014.
20. E. Göktas, E. Athanasopoulos, C. Heraklion, G. M. Polychronakis, H. Bos, and G. Portokalidis. Size does matter. In USENIX Security Symposium, 2014.
21. J. Hiser, A. Nguyen-Tuong, M. Co, M. Hall, and J. W. Davidson. ILR: Where'd my gadgets go? In IEEE Symposium on Security and Privacy, 2012.
22. M. Howard. Address space layout randomization in Windows Vista. http://blogs.msdn.com/b/michael_howard/archive/2006/05/26/address-space-layout-randomization-in -windows-vista.aspx, 2006.
23. Intel. Software guard extensions programming reference. https://software.intel.com/sites/default/files/329298-001.pdf. Accessed: 2014-11-16.
24. N. Joly. Advanced exploitation of Internet Explorer 10/Windows 8 overflow (Pwn2Own 2013). http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php, 2013.
25. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction-set randomization. In IEEE Symposium on Security and Privacy, 2003.
26. C. Kil, J. Jun, C. Bookholt, J. Xu, and P. Ning. Address space layout permutation (aslp): Towards fine-grained randomization of commodity software. In Annual Computer Security Applications Conference (ACSAC), 2006.
27. V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. Code-pointer integrity. In USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2014.
28. P. Larsen, A. Homescu, S. Brunthaler, and M. Franz. Sok: Automated software diversity. In IEEE Symposium on Security and Privacy, 2014.
29. J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram. Defeating return-oriented rootkits with”return-less” kernels. In Proceedings of the 5th European Conference on Computer Systems, 2010.
30. libdasm. libdasm. https://code.google.com/p/libdasm/, 2014.
31. C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: building customized program analysis tools with dynamic instrumentation. ACM Sigplan Notices, 40(6):190-200, 2005.
32. S. McCamant and G. Morrisett. Evaluating SFI for a CISC architecture. In USENIX Security Symposium, 2006.
33. Metasploit. Metasploit. http://www.metasploit.com/. Accessed: 2014-07-14.
34. V. Mohan, P. Larsen, S. Brunthaler, K. Hamlen, and M. Franz. Opaque control-flow integrity. In Symposium on Network and Distributed System Security (NDSS), 2015.
35. D. Molnar, X. C. Li, and D. A. Wagner. Dynamic test generation to find integer bugs in x86 binary linux programs. In USENIX Security Symposium, 2009.
36. R. Naraine. Memory randomization (ASLR) coming to Mac OS X Leopard. http://www.zdnet.com/blog/security/memory-randomization-aslr-coming-to-mac-os -x-leopard/595, 2007.
37. N. Nethercote. Dynamic binary analysis and instrumentation. PhD thesis, PhD thesis, University of Cambridge, 2004.
38. K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda. G-free: Defeating return-oriented programming through gadget-less binaries. In Annual Computer Security Applications Conference (ACSAC), 2010.
39. V. Pappas, M. Polychronakis, and A. D. Keromytis. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In IEEE Symposium on Security and Privacy, 2012.
40. V. Pappas, M. Polychronakis, and A. D. Keromytis. Transparent rop exploit mitigation using indirect branch tracing. In USENIX Security Symposium, 2013.
41. M. Payer and T. R. Gross. Generating low-overhead dynamic binary translators. In Proceedings of the 3rd Annual Haifa Experimental Systems Conference, 2010.
42. A. Pelletier. Advanced exploitation of Internet Explorer heap overflow (Pwn2Own 2012 exploit). http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php, 2012.
43. E. J. Schwartz, T. Avgerinos, and D. Brumley. Q: Exploit hardening made easy. In USENIX Security Symposium, 2011.
44. H. Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In ACM Conference on Computer and Communications Security (CCS), 2007.
45. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In ACM Conference on Computer and Communications Security (CCS), 2004.
46. S. Sinnadurai, Q. Zhao, and W. fai Wong. Transparent runtime shadow stack: Protection against malicious return address modifications, 2008.
47. K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In IEEE Symposium on Security and Privacy, 2013.
48. Solar Designer. Getting around non-executable stack (and fix), 1997.
49. A. Sotirov. Heap Feng Shui in JavaScript. In Black Hat Europe, 2007.
50. A. N. Sovarel, D. Evans, and N. Paul. Wheres the feeb? the effectiveness of instruction set randomization. In USENIX Security Symposium, 2005.
51. S. Sridhar, J. S. Shapiro, and P. P. Bungale. Hdtrans: A low-overhead dynamic translator. SIGARCH Comput. Archit. News, 35, 2007.
52. Ubuntu Wiki. Address space layout randomization (ASLR). https://wiki.ubuntu.com/Security/Features#aslr, 2013.
53. VUPEN Security. Advanced exploitation of internet explorer heap overflow (pwn2own 2012 exploit), 2012.
54. T. Wang, T. Wei, G. Gu, and W. Zou. Taintscope: A checksumaware directed fuzzing tool for automatic software vulnerability detection. In IEEE Symposium on Security and Privacy, 2010.
55. R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin. Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code. In ACM Conference on Computer and Communications Security (CCS), 2012.
56. Y. Weiss and E. Barrantes. Known/chosen key attacks against software instruction set randomization. In Annual Computer Security Applications Conference (ACSAC), 2006.
57. M. Zhang and R. Sekar. Control flow integrity for cots binaries. In USENIX Security Symposium, 2013.
58. D. D. Zovi. Practical return-oriented programming. Invited Talk, RSA Conference, 2010.