Upload
ralph-johns
View
225
Download
0
Embed Size (px)
Citation preview
Computer ScienceComputer Science
Address Space Layout Permutation
Chongkyung Kil
Systems Research Seminar
2Computer ScienceComputer Science
Overview
• Problem Description
• Current Approaches
• Limitations of Current Approaches
• Solution
• Evaluation
• Limitations
• Conclusions and Future Work
3Computer ScienceComputer Science
The Problems: Memory Corruption
• Memory Corruption Vulnerability
– Popular means to take control of target program
– 50-80% of US CERT Alerts
• Common Memory Corruption Attacks
– Buffer overflows, format string exploits, return-to-
libc attacks
– Successful attacks cause a remote code execution
4Computer ScienceComputer Science
Memory Corruption Attack Example
ret
addr
ret
addr
code
buf
Stack Frame
Exploit!
3 GB
Attack packet: NOP NOP Attacker’s code retAddr retAddr retAddr retAddr retAddrNOP NOP
5Computer ScienceComputer Science
Ad-hoc Solutions
• Static Analysis
– MOPS, CQUAL, SLAM, etc
• Dynamic Analysis
– StackGuard, PointGuard, Taintcheck, etc.
• Most target specific type of known attacks
6Computer ScienceComputer Science
A Generic Solution: Randomization
• Critical Observation
– Attackers use absolute memory addresses during the attacks
• Nullify Attacker’s Assumption
– Makes the memory locations of program objects unpredictable
– Forces attackers to guess memory location with low
probability of success
• Benefit
– Protection against known and unknown memory corruption
attacks
– Downtime better than system compromise
7Computer ScienceComputer Science
Attack Example: With Randomization
ret
addr
ret
addr
code
buf
crash
Stack Frame
3 GB
buf
8Computer ScienceComputer Science
A Generic Solution: Randomization
• State-of-the-Art Approaches
– Kernel level approaches
• Exec-Shield, PaX Address Space Layout
Randomization (ASLR)
– User level approach
• Address Obfuscation
9Computer ScienceComputer Science
Randomization Examples
Fig 2. PaX ASLR Process Memory Layout
Fig 1. Normal Process Memory Layout
10Computer ScienceComputer Science
Limitations of Current Approaches
• Kernel Level Approaches
– Low entropy: heap 13 bit, mmap 16 bit, stack 24 bit
• De-Randomization attack can defeat PaX ASLR in about 4 minutes
– Kernel modification required
– Pad wastes memory space. Increasing randomness means wasting more memory by pad
– Locations of code and data segments can be randomized with PIE
• Causes performance overhead (14%)
• User Level Approaches
– Source-to-source transformation
– Wastes memory space by pad
– Runtime overhead: 11-23%
11Computer ScienceComputer Science
Solution
• Goal
– Increase randomness entropy
– Low overhead with negligible pad size
– No need of source code modification
• Address Space Layout Permutation
– A novel binary rewriting tool
• Permutes code and data segments with fine-grained randomization
– A modified Linux kernel
• Permutes stack, heap, and mmap areas
12Computer ScienceComputer Science
Contributions
• Stronger Protection than Related Works
– Provides maximum 29 bits of randomness
– Fine-grained randomization on static code and data segments
• Low Performance Overhead (less than 1%)
• Ease of Use: Automatic Program Transformation
• Non-Intrusive Randomization: No Need for Source Code Modification
– Only need relocation info in the program
13Computer ScienceComputer Science
ASLP Implementations
• User Level Address Permutation
– Uses binary rewriting technique
– Alters base addresses of static code and data segments
– Changes orders of functions and variables within the code
and data segments
– Mitigates partial overwrite attacks, dtors attacks, bss
overflow, and data forgery attacks
• Kernel level address permutation can not deter these attacks
– Works with Linux file format (ELF)
14Computer ScienceComputer Science
Partial Overwrite Attacks
ret
addr
ret
addr
code
buf
Stack Frame
3 GB
ret
addrExploit!
Vul
func
func
15Computer ScienceComputer Science
Dtors Attacks with Coarse-grained
ret
addr
ret
addr
data
buf
Stack Frame
3 GB
dtors
code
M
A
I
NExploit!
var1
var2
var3
var4
16Computer ScienceComputer Science
Dtors Attacks with Fine-grained
ret
addr
ret
addr
data
buf
Stack Frame
3 GB
dtors
code
M
A
I
N
var3
var1
var2
var4
17Computer ScienceComputer Science
ASLP Implementations
• Kernel Level Address Permutation
– Randomizes the base addresses of stack, heap, and mmap()-
ed regions
– Mitigates attacks on the stack , heap, and shared library
regions
– Done by previous work: Chris Bookholt
18Computer ScienceComputer Science
ASLP Implementations
• Object Reference
Fig 3. Object Reference Example
19Computer ScienceComputer Science
ASLP Implementations
• Challenges
– What parts of an ELF file need rewriting?
– How do we find the correct locations of those parts
and rewrite them?
– How those parts affect each other during run time?
• How to find cross-references between program objects
20Computer ScienceComputer Science
ASLP Implementations
• Challenges
– What parts of an ELF file need rewriting?
• Total of 12 sections need to be modified
– How do we find the correct locations of those parts
and rewrite them?
• Use .symtab section (symbol tables and string tables)
– How those parts affect each other during run time?
• Use relocation sections (e.g. .rel.text, .rel.data)
21Computer ScienceComputer Science
ASLP Implementations: User Level
• Two phases: Coarse-grained and Fine-grained Permutation
• Coarse-grained Permutation
– Relocates static code and data segments
• Benefit
– Provides 20 bits of randomness to each segment
• Coarse-grained Permutation Process
– ELF header rewriting: modify the program entry point (e_entry)
– Program header rewriting: modify virtual/physical addresses of code and data segments
– Section rewriting: modify 12 sections including symbol table, procedure linkage table, global offset table, relocation data
22Computer ScienceComputer Science
ASLP Implementations: User Level
Fig 4. ELF Header and Program Header Before Permutation
Fig 5. ELF Header and Program Header After Permutation
(Move Code Segment by 4KB and Data Segment by 14KB)
23Computer ScienceComputer Science
ASLP Implementations: User Level
Fig 6. PLT & GOT Before Permutation Fig 7. PLT & GOT Before Permutation
24Computer ScienceComputer Science
ASLP Implementations: User Level
• Fine-grained Permutation
– Randomly changes the orders of functions and variables in the code and data segments
• Benefit
– Provides further protections on code and data segments
• Fine-grained Permutation Process
– Information Gathering: total number of functions and variables, original order and sizes of each function and variable, etc
– Random Sequence Generation: two random sequences
– Entry Rewriting: re-order the functions and variables
• Modify cross-references (relocation sections)
25Computer ScienceComputer Science
Demonstration of Permutation
Fig 8. Normal Process Memory Layout
Fig 9. Process Layout after Coarse-grained Permutation with ASLP Kernel
26Computer ScienceComputer Science
Demonstration of Permutation
Fig 10. Example of Fine-grained Permutation (Data Segment)
< Before the permutation > < After the permutation >
27Computer ScienceComputer Science
Security Evaluation
- Randomness example: 220 possible locations/2 = 524K average guesses needed
Randomized Bits in Allocation Addresses
17
13 12
0 0
24
13
16
0 0
28 29
20 20 20
0
5
10
15
20
25
30
35
Stack Heap Mmap Code Data
Randomized Regions
Bit
s of
Ran
dom
nes
s
Exec-Shield
PaX ASLR
ASLP
28Computer ScienceComputer Science
Security Evaluation
152 Guesses Per Second
Time To Derandomize Regions
431.01
2713
0 0
27648.68
27
216
0 0
884757.61769515.2
3456.08 3456.08 3456.08
1
10
100
1000
10000
100000
1000000
10000000
Stack Heap Mmap Code Data
Randomi zed Regi ons
Seconds ToDerandomize
Exec-Shield
PaX ASLR
ASLP
29Computer ScienceComputer Science
Performance Evaluation
• CPU 2K Benchmark
– All kernel level approaches show less than 0.3% including ASLP
• Randomizes Stack, heap, and mmap regions
– ASLP shows better performance on user level approaches
• Randomizes Code and data segments
• ASLP (-0.3 %) , PIE (14.38%), Address obfuscation (11%)
• LMBench Benchmark
– Tests only kernel level approaches (micro benchmarks e.g.context-switching overhead)
– ASLP shows 50% better performance compared to other techniques
• fork(), exec(), and context-switching
30Computer ScienceComputer Science
Performance Evaluation
• Apache Benchmark
– Measures the performance of web server
– Tests 1 million requests with 100 worker processes
– All techniques incur less than 1% overhead
• Except PIE: 14%
31Computer ScienceComputer Science
Limitations
• Information Leakage– Location information can be leaked
• via bugs or format-string attack
– Applies to all randomization techniques
• Protection is Probabilistic– Brute force de-randomization attack will
eventually succeed (e.g. modified return-to-libc attack [20])
– With IDS integration, de-randomization could be detected and blocked
32Computer ScienceComputer Science
Conclusions and Future Work
• ASLP provides both user/kernel level randomization
• ASLP allows users to permute static code and data segments with fine-grained level.
• Effectiveness– More randomness, more time to respond to attacks– Low overhead, greater unpredictability
• Stack frame layout permutation will add stronger protection
33Computer ScienceComputer Science
Questions?
Thank you for coming