
ReRanz: A Light-Weight Virtual Machine to Mitigate Memory Disclosure Attacks

Published: 08 April 2017

Abstract

Recent code reuse attacks are able to circumvent various address space layout randomization (ASLR) techniques by exploiting memory disclosure vulnerabilities. To mitigate sophisticated code reuse attacks, we propose a light-weight virtual machine, ReRanz, which deploys a novel continuous binary code re-randomization to mitigate memory-disclosure-oriented attacks. In order to meet both the security and the performance goals, the costly code randomization operations are outsourced to a separate process, called the "shuffling process". The shuffling process continuously flushes the old code and replaces it with a fine-grained randomized code variant. ReRanz repeats this process each time an adversary might obtain the leaked information and upload a payload. Our performance evaluation shows that the ReRanz virtual machine incurs a very low performance overhead. The security evaluation shows that ReRanz successfully protects the Nginx web server against the Blind-ROP attack.



Published In

ACM SIGPLAN Notices  Volume 52, Issue 7
VEE '17
July 2017
256 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/3140607
  • ACM Conferences
    VEE '17: Proceedings of the 13th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments
    April 2017
    261 pages
    ISBN:9781450349482
    DOI:10.1145/3050748
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published in SIGPLAN Volume 52, Issue 7

Author Tags

  1. ReRanz
  2. memory disclosure
  3. re-randomization
  4. shared memory
  5. virtual machine

Qualifiers

  • Tutorial
  • Research
  • Refereed limited

Article Metrics

  • Downloads (last 12 months): 37
  • Downloads (last 6 weeks): 2
Reflects downloads up to 15 Sep 2024.

Cited By

  • (2022) SeBROP: blind ROP attacks without returns. Frontiers of Computer Science: Selected Publications from Chinese Universities, 16(4). DOI: 10.1007/s11704-021-0342-8. Online publication date: 1 Aug 2022.
  • (2019) Nibbler. Proceedings of the 35th Annual Computer Security Applications Conference, pages 70-83. DOI: 10.1145/3359789.3359823. Online publication date: 9 Dec 2019.
  • (2019) A Survey of Research on Runtime Rerandomization Under Memory Disclosure. IEEE Access, 7:105432-105440. DOI: 10.1109/ACCESS.2019.2931707. Online publication date: 2019.
  • (2018) A Lion-Whale optimization-based migration of virtual machines for data centers in cloud computing. International Journal of Communication Systems, 31(8). DOI: 10.1002/dac.3539. Online publication date: 19 Feb 2018.
  • (2024) Chaos: Function Granularity Runtime Address Layout Space Randomization for Kernel Module. Proceedings of the 15th ACM SIGOPS Asia-Pacific Workshop on Systems, pages 23-30. DOI: 10.1145/3678015.3680476. Online publication date: 4 Sep 2024.
  • (2024) Randomize the Running Function When It Is Disclosed. IEEE Transactions on Computers, 73(6):1516-1530. DOI: 10.1109/TC.2024.3371776. Online publication date: Jun 2024.
  • (2024) Satellite: Effective and Efficient Stack Memory Protection Scheme for Unsafe Programming Languages. ICT Systems Security and Privacy Protection, pages 221-235. DOI: 10.1007/978-3-031-65175-5_16. Online publication date: 26 Jul 2024.
  • (2022) Randezvous: Making Randomization Effective on MCUs. Proceedings of the 38th Annual Computer Security Applications Conference, pages 28-41. DOI: 10.1145/3564625.3567970. Online publication date: 5 Dec 2022.
  • (2022) Dancing with Wolves: An Intra-process Isolation Technique with Privileged Hardware. IEEE Transactions on Dependable and Secure Computing, pages 1-1. DOI: 10.1109/TDSC.2022.3168089. Online publication date: 2022.
  • (2022) Making Information Hiding Effective Again. IEEE Transactions on Dependable and Secure Computing, 19(4):2576-2594. DOI: 10.1109/TDSC.2021.3064086. Online publication date: 1 Jul 2022.
