Journal Home > Volume 24, Issue 5


Leakage Is Prohibited: Memory Protection Extensions Protected Address Space Randomization

Fei Yan, Kai Wang
Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China. Email: blankaiwang@whu.edu.cn.

Abstract

Code reuse attacks pose a severe threat to modern applications. These attacks reuse existing code segments of vulnerable applications as attack payloads and hijack the control flow of a victim application. With high code entropy and a relatively low performance overhead, Address Space Layout Randomization (ASLR) has become the most widely explored defense against code reuse attacks. However, a single memory disclosure vulnerability is enough to compromise this defense. In this paper, we present Memory Protection Extensions (MPX)-assisted Address Space Layout Randomization (M-ASLR), a novel code-space randomization scheme. M-ASLR uses several characteristics of Intel MPX to restrict code pointers in memory. We have developed a fully functioning prototype of M-ASLR, and our evaluation results show that M-ASLR: (1) does not interfere with normal operation; (2) protects against buffer overflow attacks, code reuse attacks, and other sophisticated modern attacks; and (3) adds a very low performance overhead (3.3%) to C/C++ applications.

Keywords: Address Space Layout Randomization (ASLR), Intel Memory Protection Extensions (MPX), code reuse attack


Publication history

Received: 12 October 2018
Accepted: 10 November 2018
Published: 29 April 2019
Issue date: October 2019

Copyright

© The author(s) 2019

Acknowledgements

This work was supported in part by the National Natural Science Foundation of China (No. 61272452), the National Key Basic Research and Development (973) Program of China (No. 2014CB340601), and the Natural Science Foundation of Hubei Province (No. 2017CFB663).
