LR²: Leakage-Resilient Layout Randomization for Mobile Devices
Kjell Braden†§, Stephen Crane‡, Lucas Davi†, Michael Franz∗, Per Larsen∗‡, Christopher Liebchen†, Ahmad-Reza Sadeghi†
†TU Darmstadt, §EURECOM, ∗UC Irvine, ‡Immunant, Inc.
Today's Exploits & Mitigations
(Figure: an application's code, here Function A, is reached through a code pointer stored in data via `call *ptr`; the attacker overwrites, or first reads and then overwrites, that code pointer.)
• Attack: overwrite a code pointer in data
• Mitigation: Address Space Layout Randomization
• Attack: code-pointer disclosure [Serna, BH USA'12]: read the code pointer, then overwrite it
• Mitigation: fine-grained code randomization
• Attack: JIT-ROP [Snow et al., IEEE S&P'13]
• Mitigation: execute-only memory
• Attack: Isomeron [Davi et al., NDSS'15] (figure: code pointers in data that point to code fragments)
• Mitigation: code-pointer hiding on top of execute-only memory: Readactor [IEEE S&P'15], Readactor++ [CCS'15]
Execute-only Memory: Support Today
• Desktop/Server: Readactor [IEEE S&P'15] (virtualization), XnR [CCS'14] (MMU), HideM [CODASPY'15] (TLB splitting)
• Mobile: no execute-only memory support
• This talk: execute-only memory without hardware support
Threat Model
• Attacker can read memory (information disclosure)
• Attacker can write memory (memory corruption vulnerability)
• Attacker can perform computations (scripting engine or locally)
• Attacker cannot inject new code (DEP, W^X)
LR²: Leakage-Resilient Layout Randomization
LR² Overview
• Fine-grained code randomization
• Software eXecute-only Memory (XoM)
• Code-pointer hiding
  • Return addresses
  • Forward pointers
(This talk focuses on software XoM and the hiding of return addresses.)
Software XoM: Idea
• The application's code is randomized; an attacker-controlled read of [address] from data would disclose it
• Idea: sandbox every read instruction so that it cannot target the code region
Software XoM: Design
• Address space split: Code A, Code B and their trampolines occupy the upper 2 GB; Data A, Data B, stack and heap lie below; the kernel is separate
• A guard region separates the data from the 2 GB code region
• Sandboxing read instructions: mask the address before every load
  r1 <- addr
  r1 <- r1 & 0x7FFFFFFF
  r0 <- [r1]
Code-Pointer Hiding: Return Addresses
Code-Pointer Hiding: Return Addresses
Without protection, Function B:
  …
  PUSH LR
  CALL Function C
  B1: POP LR
  RETURN LR
The stack holds the caller's return address and the return address B1 in the clear.
With LR², Function B:
  …
  Enc(LR, Key_B)
  PUSH LR
  CALL Function C
  B1: POP LR
  Dec(LR, Key_B)
  RETURN LR
The stack now holds Enc(LR, Key_B) in place of the plain return address.
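The scheme above as a small simulation, added here as an example and not code from the LR² project: Enc/Dec are modelled as XOR with a per-function key (an assumption; the slide only shows Enc/Dec), the stack contents, keys and addresses are constructed, and the leaked slot and the effect of decrypting with another function's key are exposed for inspection.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of LR^2 return-address hiding.  Enc/Dec are modelled
 * as XOR with a per-function key (assumption); in the real system the key
 * is an immediate inside execute-only code, so it cannot be read. */
#define STACK_SLOTS 16

typedef struct {
    uint32_t slot[STACK_SLOTS];   /* stands in for the readable stack */
    int      sp;
} stack_t;

typedef struct { uint32_t key; } func_t;   /* per-function key */

static uint32_t enc(uint32_t lr, uint32_t key) { return lr ^ key; }
static uint32_t dec(uint32_t v,  uint32_t key) { return v ^ key; }

/* Prologue of Function B: Enc(LR, Key_B), then PUSH LR. */
static bool prologue(stack_t *s, const func_t *f, uint32_t lr) {
    if (s->sp >= STACK_SLOTS) return false;
    s->slot[s->sp++] = enc(lr, f->key);
    return true;
}

/* Epilogue of Function B: POP LR, Dec(LR, Key_B), RETURN LR. */
static uint32_t epilogue(stack_t *s, const func_t *f) {
    return dec(s->slot[--s->sp], f->key);
}

/* What a memory-disclosure attacker sees on the stack: the encrypted slot. */
static uint32_t leak_top(const stack_t *s) { return s->slot[s->sp - 1]; }

enum { OUT_LEAKED, OUT_RETURNED, OUT_MISUSED };

/* Scenario: B is entered with a constructed caller return address, leaks
 * its stack slot, and later returns.  OUT_MISUSED shows what the leaked
 * value turns into if it is decrypted with another function's key. */
static uint32_t scenario(int which) {
    stack_t st = { {0}, 0 };
    func_t b = { 0x5A17C3E9u }, c = { 0x1D2E3F40u };  /* constructed keys */
    uint32_t caller_ra = 0x80001234u;                /* constructed LR */
    if (!prologue(&st, &b, caller_ra)) return 0;
    uint32_t leaked  = leak_top(&st);
    uint32_t misused = dec(leaked, c.key);
    uint32_t ret     = epilogue(&st, &b);
    return which == OUT_LEAKED ? leaked : which == OUT_MISUSED ? misused : ret;
}
```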
Sandboxing Reads: Optimizations
Optimizations: Loops
Naive: mask inside the loop
  r0 <- address
  for i <- 0; i < X; ++i
    mask r0
    r1 <- [r0]
Optimized: mask once before the loop, then load with an offset
  r0 <- address
  mask r0
  for i <- 0; i < X; ++i
    r1 <- [r0 + i]
(Figure: the 2 GB code region, the data region and the guard region between them; a masked base plus a bounded offset cannot reach code.)
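The software XoM design (masking before every load) and the loop optimization (masking the base once, then loading with bounded offsets) as a simulation of a 32-bit address space, added here as an example and not code from the LR² project. The guard region's placement just above the 2 GB boundary, its size (the largest immediate load offset, assumed 4096), and all addresses and memory contents are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed 32-bit address space modelled on the LR^2 split (assumptions):
 * data below 2 GB, code above, unmapped guard region at the bottom of the code half. */
#define CODE_HALF  0x80000000u           /* bit 31 set: execute-only half */
#define XOM_MASK   0x7FFFFFFFu           /* r1 <- r1 & 0x7FFFFFFF        */
#define MAX_IMM    4096u                 /* assumed largest immediate offset */
#define GUARD_HI   (CODE_HALF + MAX_IMM) /* guard: [CODE_HALF, GUARD_HI) */
#define DATA_BASE  0x00010000u
#define DATA_SIZE  0x1000u
#define TEXT_BASE  (GUARD_HI + 0x1000u)  /* first real code byte */
#define TEXT_SIZE  0x1000u
static uint8_t data_mem[DATA_SIZE];      /* stands in for Data A/B */
static uint8_t text_mem[TEXT_SIZE];      /* stands in for Code A/B */
static bool    ready;

static void sim_init(void) {             /* constructed sample contents */
    for (uint32_t i = 0; i < DATA_SIZE; i++) data_mem[i] = (uint8_t)i;
    for (uint32_t i = 0; i < TEXT_SIZE; i++) text_mem[i] = 0xE5; /* fake opcode */
    ready = true;
}

/* Plain MMU behaviour without XoM: code bytes are readable (the leak).
 * Returns the byte, or -1 for a fault in guard or unmapped space. */
static int raw_read(uint32_t addr) {
    if (!ready) sim_init();
    if (addr - DATA_BASE < DATA_SIZE) return data_mem[addr - DATA_BASE];
    if (addr - TEXT_BASE < TEXT_SIZE) return text_mem[addr - TEXT_BASE];
    return -1;
}

/* Sandboxed read: mask, then load.  A pointer into the code half is
 * redirected into the data half and can never disclose code bytes. */
static int xom_read(uint32_t addr) { return raw_read(addr & XOM_MASK); }

/* Loop optimisation: mask the base once, then load with bounded immediate
 * offsets [r0 + off].  Returns how many loads succeeded. */
static uint32_t xom_read_range(uint32_t base, uint32_t count) {
    uint32_t masked = base & XOM_MASK, ok = 0;
    for (uint32_t off = 0; off < count && off < MAX_IMM; off++)
        if (raw_read(masked + off) >= 0) ok++;
    return ok;
}

/* Why hoisting is safe: largest masked base + largest offset stays in the guard. */
static bool guard_covers_offsets(void) {
    uint32_t worst = XOM_MASK + (MAX_IMM - 1);
    return worst >= CODE_HALF && worst < GUARD_HI && worst < TEXT_BASE;
}
```

A read of a code address without XoM returns code bytes, while the masked read of the same address faults in unmapped space; a loop over a data buffer works unchanged whether or not bit 31 was set in its base.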
Implementation
Implementation
• Kernel: stack and heap allocations
• Loader: code and data sections
• Compiler: sandboxed read instructions
(Figure: the kernel; Code A and Code B in the 2 GB code region; Data A, Data B, stack and heap in the data region below.)
Evaluation
• Security:
  • Code-reuse attacks: function permutation
  • Direct disclosure: execute-only memory
  • Indirect disclosure: code-pointer hiding; code/data section decoupling
• CPU: Nvidia Tegra Logan K1
• Performance:
  • 6.6% run-time overhead
  • 5.6% space overhead
SPEC CPU 2006: per-benchmark overhead and geometric mean
(Chart: overhead in percent for Pointer Hiding, Restricted Register-Register Addressing, Software XoM, Code and Data Section Decoupling, and Full LR². Geometric means shown on the chart: 1.45% and 2.27% for Pointer Hiding and Restricted Register-Register Addressing, 6.63% and 6.62% for Software XoM and Full LR², and -3.96% for Code and Data Section Decoupling.)
LR² and Software Fault Isolation (SFI)
• Different threat models
  • SFI isolates untrusted code
  • LR² protects trusted code
• LR² can protect multiple load instructions by masking one address
• SFI sandboxes write and branch instructions
Conclusion
• First pure software execute-only memory technique
• Optimized return address protection scheme
• Performance and security match state-of-the-art solutions that require special, high-end hardware