NDSS 2017: Address Oblivious Code Reuse: On the Effectiveness of Leakage Resilient Diversity
Video taken during the Network and Distributed System Security (NDSS) Symposium 2017, held February 26 through March 1, 2017, at Catamaran Resort Hotel & Spa in San Diego, California.
Address Oblivious Code Reuse: On the Effectiveness of Leakage Resilient Diversity
Memory corruption vulnerabilities not only allow modification of control data and injection of malicious payloads; they also allow adversaries to reconnoiter a diversified program, customize a payload, and ultimately bypass code randomization defenses. In response, researchers have proposed and built various leakage-resilient defenses against code reuse. Leakage-resilient defenses use memory protection techniques to prevent adversaries from directly reading code, as well as pointer indirection or encryption techniques to decouple code pointers from the randomized code layout, avoiding indirect leakage. In this paper, we show that although current code pointer protections do prevent leakage per se, they are fundamentally unable to stop code reuse. Specifically, we demonstrate a new class of attacks we call address-oblivious code reuse that bypasses state-of-the-art leakage-resilience techniques by profiling and reusing protected code pointers, without leaking the code layout. We show that an attacker can accurately identify protected code pointers of interest and mount code-reuse attacks at the abstraction level of pointers without requiring any knowledge of code addresses. We analyze the prevalence of opportunities for such attacks in popular code bases and build three real-world exploits against Nginx and Apache to demonstrate their practicality. We analyze recently proposed leakage-resilient defenses and show that they are vulnerable to address-oblivious code reuse. Our findings indicate that, because of the prevalence of code pointers in realistic programs and the fundamental need to expose them to read operations (even indirectly), diversity defenses face a fundamental design challenge in mitigating such attacks.
Authors: Robert Rudd (MIT Lincoln Laboratory), Richard Skowyra (MIT Lincoln Laboratory), David Bigelow (MIT Lincoln Laboratory), Veer Dedhia (MIT Lincoln Laboratory), Thomas Hobson (MIT Lincoln Laboratory), Stephen Crane (Immunant, Inc.), Christopher Liebchen (Technische Universität Darmstadt), Per Larsen (University of California, Irvine and Immunant, Inc.), Lucas Davi (Technische Universität Darmstadt), Michael Franz (University of California, Irvine), Ahmad-Reza Sadeghi (Technische Universität Darmstadt), Hamed Okhravi (MIT Lincoln Laboratory)