
LR²: Leakage-Resilient Layout Randomization for Mobile Devices - PowerPoint PPT Presentation

Kjell Braden, Stephen Crane, Lucas Davi, Michael Franz, Per Larsen, Christopher Liebchen, Ahmad-Reza Sadeghi

  1. LR²: Leakage-Resilient Layout Randomization for Mobile Devices. Kjell Braden†§, Stephen Crane‡, Lucas Davi†, Michael Franz*, Per Larsen*‡, Christopher Liebchen†, Ahmad-Reza Sadeghi†. †TU Darmstadt, §EURECOM, *UC Irvine, ‡Immunant, Inc.

  2. Today's Exploits & Mitigations. Diagram: application code executes `call *ptr`; the code pointer lives in data memory and points to Function A in the code region.

  3. Today's Exploits & Mitigations. Attack: the attacker overwrites the code pointer, so `call *ptr` transfers control to a location of the attacker's choosing.

  4. Today's Exploits & Mitigations. Mitigation: Address Space Layout Randomization (ASLR); the attacker no longer knows where Function A, or any other code, is located.

  5. Today's Exploits & Mitigations. Attack: Code-Pointer Disclosure [Serna, BH USA'12]; read the code pointer first, then overwrite it with a value derived from the leaked address.

  6. Today's Exploits & Mitigations. Mitigation: Fine-grained Code Randomization; one leaked pointer no longer reveals where the rest of the code is.

  7. Today's Exploits & Mitigations. Attack: JIT-ROP [Snow et al., IEEE S&P'13]; starting from one leaked pointer, read the code pages themselves at run time and assemble the payload on the fly.

  8. Today's Exploits & Mitigations. Mitigation: Execute-only Memory; code can be executed but no longer read.

  9. Today's Exploits & Mitigations. Attack: Isomeron [Davi et al., NDSS'15]; code pointers stored in data memory (return addresses, function pointers) still disclose the locations of code fragments without reading the code itself (indirect disclosure).

  10. Today's Exploits & Mitigations. Mitigation: Code-Pointer Hiding; pointers stored in readable data memory no longer point directly into the randomized, execute-only code.

  11. Today's Exploits & Mitigations. Readactor [IEEE S&P'15] and Readactor++ [CCS'15] combine fine-grained code randomization, execute-only memory and code-pointer hiding.

  12. Execute-only Memory. Execute-only memory support on Desktop/Server: Readactor [IEEE S&P'15] (virtualization), XnR [CCS'14] (MMU), HideM [CODASPY'15] (TLB splitting).

  13. Execute-only Memory. Execute-only memory support on Mobile: none.

  14. Execute-only Memory. This talk: execute-only memory without hardware support.

  15. Threat Model. The attacker can read memory (information disclosure), write memory (memory corruption vulnerability) and perform computations (in a scripting engine or locally). The attacker cannot inject new code (DEP, W^X).

  16. LR²: Leakage-Resilient Layout Randomization.

  17. LR² Overview: Fine-grained Code Randomization; Software eXecute-only Memory (XoM); Code-Pointer Hiding, for Return Addresses and for Forward Pointers.

  18. LR² Overview, the components this talk covers: Software eXecute-only Memory (XoM); Code-Pointer Hiding for Return Addresses.

  19. Software XoM: Idea. The application holds randomized code and data; a read instruction `Read [address]` whose address the attacker controls can target the code region as easily as Data A.

  20. Software XoM: Idea. Sandboxing: every read instruction is instrumented so that its address can only land in the data region, never in the randomized code.

  21. Software XoM: Design. Conventional layout: Kernel; Stack; Heap; Code A; Data A; Code B; Data B. Code and data sections of each module are interleaved, so no simple address check separates them.

  22. Software XoM: Design. Sandboxing read instructions: the loader places all code in the upper 2 GB (Code B, Code A, Trampolines) and all data in the lower 2 GB (Data A, Data B, Stack, Heap), with a guard region at the boundary. The compiler masks every load address before the load:

r1 <- addr
r1 <- r1 & 0x7FFFFFFF
r0 <- [r1]

Clearing bit 31 forces every instrumented load into the data half of the address space, so no load can read code.

  23. Code-Pointer Hiding: Return Addresses.

  24. Code-Pointer Hiding: Return Addresses. Function B: ... PUSH LR; CALL Function C; POP LR; Return. The stack holds the caller's return address (Caller RA) and, after the push, LR = B1, the return address into B. Stored in the clear, B1 is a code pointer that the attacker's read primitive discloses.

  25. Code-Pointer Hiding: Return Addresses. Function B with hiding: ... Enc(LR, Key_B); PUSH LR; CALL Function C; POP LR; Dec(LR, Key_B); Return. The stack now holds Enc(B1, Key_B) instead of B1; Key_B belongs to function B, so a leaked slot reveals neither B1 nor the code layout around it.
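The prologue/epilogue transformation of slides 24-25, modelled in C as an added illustration (this is not code from the LR² paper or its compiler). It assumes Enc/Dec is a keyed XOR, that the per-function keys KEY_B and KEY_C are immediates in execute-only code and therefore unreadable, and uses constructed key values and addresses. It shows what the threat-model attacker of slide 15 gets from reading or overwriting the saved return address, and the replay caveat that any fixed per-function key carries:

```c
/* Return-address hiding as on slides 24-25, modelled in C.
 * Added illustration, not code from the LR^2 paper or compiler: the
 * Enc/Dec cipher (keyed XOR), the key values and all addresses are
 * constructed assumptions. */
#include <stdint.h>

/* Per-function keys. In the scheme they are immediates inside execute-only
 * code, out of reach of the attacker's read primitive. Constructed values. */
#define KEY_B 0x5A3C9E71u
#define KEY_C 0x17D2F0A4u

/* Enc/Dec as a keyed XOR (assumption; XOR is its own inverse). */
uint32_t enc_ra(uint32_t lr, uint32_t key) { return lr ^ key; }
uint32_t dec_ra(uint32_t slot, uint32_t key) { return slot ^ key; }

/* The stack slot that PUSH LR writes and POP LR reads back. */
typedef struct { uint32_t saved_lr; } frame_t;

/* Prologue of a protected function: Enc(LR, key), then PUSH. */
void prologue_push(frame_t *f, uint32_t lr, uint32_t key) {
    f->saved_lr = enc_ra(lr, key);
}

/* Epilogue: POP, then Dec; the result is the address the function returns to. */
uint32_t epilogue_return_target(const frame_t *f, uint32_t key) {
    return dec_ra(f->saved_lr, key);
}

/* Attacker primitives from the threat model (slide 15): read and write memory. */
uint32_t attacker_reads_slot(const frame_t *f) { return f->saved_lr; }
void attacker_writes_slot(frame_t *f, uint32_t value) { f->saved_lr = value; }

/* Unprotected frame (key 0 is the identity): the read primitive leaks B1. */
uint32_t leaked_ra_unprotected(uint32_t b1) {
    frame_t f;
    prologue_push(&f, b1, 0);
    return attacker_reads_slot(&f);
}

/* Protected frame: the read primitive only sees Enc(B1, KEY_B). */
uint32_t leaked_value_protected(uint32_t b1) {
    frame_t f;
    prologue_push(&f, b1, KEY_B);
    return attacker_reads_slot(&f);
}

/* Overwriting the slot with a gadget address no longer works: the epilogue
 * decrypts, so control goes to gadget ^ KEY_B, an address the attacker
 * cannot choose without the key. */
uint32_t target_after_overwrite(uint32_t b1, uint32_t gadget) {
    frame_t f;
    prologue_push(&f, b1, KEY_B);
    attacker_writes_slot(&f, gadget);
    return epilogue_return_target(&f, KEY_B);
}

/* Caveat of any fixed per-function key: a value leaked from one frame of B
 * decrypts correctly when replayed into another frame of B, but not into a
 * frame of C, whose key differs. */
uint32_t target_after_replay(uint32_t leaked_slot, uint32_t victim_key) {
    frame_t f = { leaked_slot };
    return epilogue_return_target(&f, victim_key);
}
```

The replay case is the property to keep in mind when reading slide 25: encrypting with a per-function key stops the leaked slot from disclosing B1 and stops an arbitrary overwrite from choosing the return target, but it does not bind the value to one activation of B.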

  26. Sandboxing Reads: Optimizations.

  27. Optimizations: Loops. Naive instrumentation masks inside the loop body, on every iteration:

r0 <- address
For i <- 0; i < X; ++i
    Mask r0
    r1 <- [r0]

  28. Optimizations: Loops. Hoisting: mask once before the loop, because r0 does not change inside it:

r0 <- address
Mask r0
For i <- 0; i < X; ++i
    r1 <- [r0]

  29. Optimizations: Loops. With an immediate offset the load becomes r1 <- [r0 + i]; the masked base plus the offset may cross out of the data half:

r0 <- address
Mask r0
For i <- 0; i < X; ++i
    r1 <- [r0 + i]

  30. Optimizations: Loops. Guard region: the offset is bounded by the load instruction's immediate field, and a guard region larger than that bound separates the 2 GB data half from the code half. [r0] is in data; [r0 + i] can at most land in the unmapped guard region and fault, never in code.
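The masking sandbox of slides 19-22 and the hoisted-mask-plus-guard argument of slides 27-30, modelled together in C on a 32-bit address space. This is an added illustration, not the LR² implementation: the guard size (0x1000), the page addresses, the page contents and the positive-only offsets are constructed assumptions. It shows an attacker-controlled address into code being redirected into the data half, and the exact offset bound up to which a single mask before a loop remains safe:

```c
/* Software XoM load sandbox (slides 19-22) and the loop optimisation
 * (slides 27-30), modelled on a 32-bit address space. Added illustration,
 * not the LR^2 implementation: the guard size, the page addresses and the
 * page contents are constructed assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define CODE_BASE  0x80000000u   /* upper 2 GB: randomized code and trampolines */
#define LOAD_MASK  0x7FFFFFFFu   /* the slide's  r1 <- r1 & 0x7FFFFFFF  (clears bit 31) */
#define GUARD_SIZE 0x1000u       /* assumed: at least the largest immediate load offset */

enum region { R_DATA = 0, R_GUARD = 1, R_CODE = 2 };

/* The guard region is the unmapped strip at the bottom of the code half, so a
 * masked base plus a small positive offset can at most reach it (and fault). */
enum region classify(uint32_t addr) {
    if (addr < CODE_BASE) return R_DATA;
    if (addr < CODE_BASE + GUARD_SIZE) return R_GUARD;
    return R_CODE;
}

/* Constructed sparse memory: one data page and one code page at the same
 * offset in their halves, so only bit 31 tells them apart. */
#define PAGE 0x1000u
#define DATA_PAGE 0x00001000u
#define CODE_PAGE 0x80001000u
static uint8_t data_page[PAGE];
static uint8_t code_page[PAGE];
static bool initialized;

static void init_memory(void) {
    if (initialized) return;
    memset(data_page, 0xDA, sizeof data_page);   /* ordinary data */
    memset(code_page, 0xC0, sizeof code_page);   /* code bytes a JIT-ROP attacker wants */
    initialized = true;
}

/* Raw read as the hardware does it: without execute-only support, the code
 * page is readable. Returns the byte, or -1 for an unmapped address (fault). */
int raw_read_byte(uint32_t addr) {
    init_memory();
    if (addr >= DATA_PAGE && addr < DATA_PAGE + PAGE) return data_page[addr - DATA_PAGE];
    if (addr >= CODE_PAGE && addr < CODE_PAGE + PAGE) return code_page[addr - CODE_PAGE];
    return -1;
}

/* The instrumented load: mask first, then read. An attacker-controlled
 * address that points into code is redirected to the data half. */
int sandboxed_load_byte(uint32_t addr) {
    return raw_read_byte(addr & LOAD_MASK);
}

/* Loop optimisation: mask the base once, then issue [base + i] for
 * 0 <= i < n_offsets. Returns the worst region any iteration can touch
 * for the worst-case masked base (LOAD_MASK itself, the top of the data half). */
enum region worst_region_after_single_mask(uint32_t n_offsets) {
    uint32_t base = LOAD_MASK;
    enum region worst = R_DATA;
    for (uint32_t i = 0; i < n_offsets; i++) {
        enum region r = classify(base + i);
        if (r > worst) worst = r;
    }
    return worst;
}

/* The rule the compiler must check before hoisting the mask out of a loop:
 * worst masked base + largest offset must stay inside the guard region. */
bool single_mask_is_safe(uint32_t max_offset) {
    return (uint64_t)LOAD_MASK + max_offset < (uint64_t)CODE_BASE + GUARD_SIZE;
}
```

Masking 0x80000000 itself yields address 0, which is unmapped in the model; the sandbox therefore turns the most interesting attacker read (the start of the code half) into a fault rather than a disclosure. The bound check is the part that generalizes: a register-plus-register load has no fixed bound, which is why such addressing has to be restricted or masked separately (the "Restricted Register-Register Addressing" configuration in the evaluation).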

  31. Implementation.

  32. Implementation. Kernel: stack and heap allocations (placed in the data half). Loader: code and data sections (code into the 2 GB code half, data into the data half). Compiler: sandboxes read instructions. Resulting layout: Kernel; Code B; Code A (2 GB code half); Data A; Data B; Stack; Heap (data half).

  33. Evaluation. Security: code-reuse attacks are addressed by function permutation; direct disclosure by execute-only memory; indirect disclosure by code-pointer hiding and code/data section decoupling. CPU: Nvidia Tegra Logan K1. Performance: 6.6% run-time overhead, 5.6% space overhead.

  34. SPEC CPU 2006. Bar chart of per-benchmark run-time overhead (%, y-axis from -25 to 15) for five configurations: Pointer Hiding; Restricted Register-Register Addressing; Software XoM; Code and Data Section Decoupling; Full LR².

  35. SPEC CPU 2006, Geometric Mean. Bar chart (%, y-axis from -5 to 7) of the geometric-mean overhead for the same five configurations: Pointer Hiding; Restricted Register-Register Addressing; Software XoM; Code and Data Section Decoupling; Full LR². Values shown on the bars: 6.63%, 6.62%, 2.27%, 1.45% and -3.96%; the Full LR² figure is the 6.6% quoted on slide 33.

  36. LR² and Software Fault Isolation (SFI). Different threat models: SFI isolates untrusted code; LR² protects trusted code. LR² only constrains loads and can protect multiple load instructions by masking one address; SFI must sandbox write and branch instructions as well.

  37. Conclusion. First pure-software execute-only memory technique. Optimized return-address protection scheme. Performance and security match state-of-the-art solutions that require special, high-end hardware.
