Biblio
Code reuse attacks have been a threat to software security since the introduction of non-executable memory protections. Despite significant advances in various types of additional defenses, such as control flow integrity (CFI) and leakage-resilient code randomization, recent code reuse attacks have demonstrated that these defenses are often not enough to prevent successful exploitation. Sophisticated exploits can reuse code comprising larger code fragments that conform to the enforced CFI policy and which are not affected by randomization. As a step towards improving our defenses against code reuse attacks, in this paper we present Shredder, a defense-in-depth exploit mitigation tool for the protection of closed-source applications. In a preprocessing phase, Shredder statically analyzes a given application to pinpoint the call sites of potentially useful (to attackers) system API functions, and uses backwards data flow analysis to derive their expected argument values and generate whitelisting policies in a best-effort way. At runtime, using library interposition, Shredder exposes to the protected application only specialized versions of these critical API functions, and blocks any invocation that violates the enforced policy. We have experimentally evaluated our prototype implementation for Windows programs using a large set of 251 shellcode and 30 code reuse samples, and show that it improves significantly upon code stripping, a state-of-the-art code surface reduction technique, by blocking a larger number of malicious payloads with negligible runtime overhead.
Code diversification is an effective mitigation against return-oriented programming attacks, which breaks the assumptions of attackers about the location and structure of useful instruction sequences, known as "gadgets". Although a wide range of code diversification techniques of varying levels of granularity exist, most of them rely on the availability of source code, debug symbols, or the assumption of fully precise code disassembly, limiting their practical applicability for the protection of closed-source third-party applications. In-place code randomization has been proposed as an alternative binary-compatible diversification technique that is tolerant of partial disassembly coverage, in the expense though of leaving some gadgets intact, at the disposal of attackers. Consequently, the possibility of constructing robust ROP payloads using only the remaining non-randomized gadgets is still open. In this paper we present instruction displacement, a code diversification technique based on static binary instrumentation that does not rely on complete code disassembly coverage. Instruction displacement aims to improve the randomization coverage and entropy of existing binary-level code diversification techniques by displacing any remaining non-randomized gadgets to random locations. The results of our experimental evaluation demonstrate that instruction displacement reduces the number of non-randomized gadgets in the extracted code regions from 15.04% for standalone in-place code randomization, to 2.77% for the combination of both techniques. At the same time, the additional indirection introduced due to displacement incurs a negligible runtime overhead of 0.36% on average for the SPEC CPU2006 benchmarks.
Memory disclosure vulnerabilities enable an adversary to successfully mount arbitrary code execution attacks against applications via so-called just-in-time code reuse attacks, even when those applications are fortified with fine-grained address space layout randomization. This attack paradigm requires the adversary to first read the contents of randomized application code, then construct a code reuse payload using that knowledge. In this paper, we show that the recently proposed Execute-no-Read (XnR) technique fails to prevent just-in-time code reuse attacks. Next, we introduce the design and implementation of a novel memory permission primitive, dubbed No-Execute-After-Read (near), that foregoes the problems of XnR and provides strong security guarantees against just-in-time attacks in commodity binaries. Specifically, near allows all code to be disclosed, but prevents any disclosed code from subsequently being executed, thus thwarting just-in-time code reuse. At the same time, commodity binaries with mixed code and data regions still operate correctly, as legitimate data is still readable. To demonstrate the practicality and portability of our approach we implemented prototypes for both Linux and Android on the ARMv8 architecture, as well as a prototype that protects unmodified Microsoft Windows executables and dynamically linked libraries. In addition, our evaluation on the SPEC2006 benchmark demonstrates that our prototype has negligible runtime overhead, making it suitable for practical deployment.