TU Darmstadt / ULB / TUbiblio

Return to Where? You Can't Exploit What You Can't Find

Crane, Stephen and Liebchen, Christopher and Homescu, Andrei and Davi, Lucas and Larsen, Per and Sadeghi, Ahmad-Reza and Brunthaler, Stefan and Franz, Michael (2015):
Return to Where? You Can't Exploit What You Can't Find.
In: Blackhat USA, [Conference or Workshop Item]

Abstract

Detecting and preventing exploitation of memory corruption vulnerabilities is highly challenging. Until now, no countermeasure has been able to fully prevent sophisticated exploitation techniques, such as return-oriented programming (ROP). Recent control-flow integrity (CFI) defenses from Google and Microsoft can be bypassed by constructing a ROP payload that adheres to the control-flow constraints or by exploiting implementation flaws. Microsoft's EMET has less overhead than full CFI, but offers less protection in return, and can be bypassed. Probabilistic countermeasures based on memory layout randomization (such as ASLR) are already in widespread use. However, the Pwn2own competitions have repeatedly demonstrated that attackers can bypass code randomization using memory leaks in browsers.

To reduce the impact of memory disclosure, recent defenses utilize execute-only memory. In this work we show that execute-only memory is insufficient and that these solutions can still be bypassed. In particular, we show how to determine the code layout by analyzing pointers in the heap and on the stack without ever reading the code.

On the defensive side, we build a comprehensive yet practical defense called Readactor that counters both direct reading of code and indirect layout disclosure through analysis of code pointers. We employ a thin hypervisor and a kernel patch to utilize true hardware execute-only memory, and prevent direct reading of code in Linux processes. We hide all code pointers in readable memory using a patched version of the LLVM compiler. We deploy a number of techniques to break ROP gadget chains and disorient the adversary. Specifically, we hide code pointers by converting them into direct jumps stored in execute-only memory to prevent indirect layout disclosure.

Our solution is efficient, because it activates previously unused hardware capabilities in modern x86 processors and is often faster than industry CFI implementations. Our solution is also highly practical; we were able to automatically apply our defense to the Chromium web browser. Finally, our solution is comprehensive; we also protect the dynamically generated code emitted by the V8 JavaScript JIT compiler.

Item Type: Conference or Workshop Item
Erschienen: 2015
Creators: Crane, Stephen and Liebchen, Christopher and Homescu, Andrei and Davi, Lucas and Larsen, Per and Sadeghi, Ahmad-Reza and Brunthaler, Stefan and Franz, Michael
Title: Return to Where? You Can't Exploit What You Can't Find
Language: German
Abstract:

Detecting and preventing exploitation of memory corruption vulnerabilities is highly challenging. Until now, no countermeasure has been able to fully prevent sophisticated exploitation techniques, such as return-oriented programming (ROP). Recent control-flow integrity (CFI) defenses from Google and Microsoft can be bypassed by constructing a ROP payload that adheres to the control-flow constraints or by exploiting implementation flaws. Microsoft's EMET has less overhead than full CFI, but offers less protection in return, and can be bypassed. Probabilistic countermeasures based on memory layout randomization (such as ASLR) are already in widespread use. However, the Pwn2own competitions have repeatedly demonstrated that attackers can bypass code randomization using memory leaks in browsers.

To reduce the impact of memory disclosure, recent defenses utilize execute-only memory. In this work we show that execute-only memory is insufficient and that these solutions can still be bypassed. In particular, we show how to determine the code layout by analyzing pointers in the heap and on the stack without ever reading the code.

On the defensive side, we build a comprehensive yet practical defense called Readactor that counters both direct reading of code and indirect layout disclosure through analysis of code pointers. We employ a thin hypervisor and a kernel patch to utilize true hardware execute-only memory, and prevent direct reading of code in Linux processes. We hide all code pointers in readable memory using a patched version of the LLVM compiler. We deploy a number of techniques to break ROP gadget chains and disorient the adversary. Specifically, we hide code pointers by converting them into direct jumps stored in execute-only memory to prevent indirect layout disclosure.

Our solution is efficient, because it activates previously unused hardware capabilities in modern x86 processors and is often faster than industry CFI implementations. Our solution is also highly practical; we were able to automatically apply our defense to the Chromium web browser. Finally, our solution is comprehensive; we also protect the dynamically generated code emitted by the V8 JavaScript JIT compiler.

Title of Book: Blackhat USA
Uncontrolled Keywords: ICRI-SC;Secure Things;Solutions;S2
Divisions: 20 Department of Computer Science
20 Department of Computer Science > System Security Lab
DFG-Collaborative Research Centres (incl. Transregio)
DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres
Profile Areas
Profile Areas > Cybersecurity (CYSEC)
LOEWE
LOEWE > LOEWE-Zentren
LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres > CRC 1119: CROSSING – Cryptography-Based Security Solutions: Enabling Trust in New and Next Generation Computing Environments
Date Deposited: 04 Aug 2016 10:13
Identification Number: TUD-CS-2015-0103
Related URLs:
Export:

Optionen (nur für Redakteure)

View Item View Item