address obfuscation an efficient approach to combat a broad range of memory error exploits n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits PowerPoint Presentation
Download Presentation
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits

Loading in 2 Seconds...

play fullscreen
1 / 21

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits - PowerPoint PPT Presentation


  • 96 Views
  • Uploaded on

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits. Authors: Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Publish: Usenix Security Symposium 2003 Presented by: Hua Zhang. Contributions.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits' - trynt


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
address obfuscation an efficient approach to combat a broad range of memory error exploits

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits

Authors: Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar

Publish: Usenix Security Symposium 2003

Presented by: Hua Zhang

contributions
Contributions
  • It systematically protects against a wide range of attacks which exploit memory programming errors
  • It can be easily applied to existing legacy code without modifying the source code, or the underlying operating systems
  • It can be applied selectively to protect security-critical applications without needing to change the rest of the system
  • The transformation is fast and introduce only a low runtime overhead
outline
Outline
  • Introduction
  • Stack Smashing
  • Address Obfuscation – Transformations
  • Address Obfuscation – Implementation
  • Address Obfuscation – Effectiveness
  • Conclusion
introduction
Introduction
  • Attacks exploit memory programming errors are one of today’s most serious security threats
    • It requires the attacker to have an in-depth understanding of the internal details of a victim program
  • Program Obfuscation
    • A technique to prevent such a understanding
    • Code Obfuscation
      • Prevent such an understanding and reverse engineering
    • Address Obfuscation
      • Each time the transformed code is executed, the virtual addresses of the code and data are randomized.
memory layout of a typical binary
Memory Layout of a Typical Binary
  • Code
    • Machine code
    • Read only
  • Data and BSS
    • Global variables
    • Initialized or Un-initialized
    • Not executable
  • Stack
    • Local variables
    • Parameters, Return addresses
  • Heap
    • Memory area when allocate memory during execution, e.g. malloc()
stack smashing
Stack Smashing
  • A stack-allocated buffer can be intentionally overflowed to overwrite the return address
  • The attacker must
    • Guess the right value to put into the faked return address
    • Guess the location of the return address on the stack relatively to the overflowed buffer
how address obfuscation works
How Address Obfuscation Works
  • Two ways to exploit a memory error
    • Overwriting pointer
      • Code Pointer and Data Pointer
      • Point to the address of data or code chosen by the attacker
      • Require the attacker to know the absolute address of such data or code
    • Overwriting non-pointer Data
      • Code is protected and can not be overwritten
      • A example is to overwrite the arguments to chmod and execve
      • Require the attacker to know the relative distance between a buffer and the location of the data to be overwritten
transformations in address obfuscation 1
Transformations in Address Obfuscation - 1
  • Randomize the base address of memory regions
    • Randomize the base address of the stack
      • All addresses on the stack are randomized
      • Make it very difficult to find the address of injected code and pointer the return address to it
    • Randomize the base address of the heap
      • Against attacks where code is injected to the heap, and then a buffer overflow to pointer to this address
    • Randomize the starting address of dynamically-linked libraries
    • Randomize the locations of routines and static data in the executable
transformations in address obfuscation 2
Transformations in Address Obfuscation - 2
  • Permute the order of variables/routines
    • Make it difficult to overwrite data without corrupting other data that is critical for continued execution of the program
    • Three possible ways
      • Permute the order of local variables in a stack frame
      • Permute the order of static variables
      • Permute the order of routines in shared libraries or the routines in the executable
transformations in address obfuscation 3
Transformations in Address Obfuscation - 3
  • Introduce random gaps between objects
    • Locations of objects can be randomized
    • Four possible ways
      • Introduce random padding into stack frames
      • Introduce random padding between successive malloc allocation requests
      • Introduce random padding between variables in the static area
      • Introduce gaps within routines, and add jump instructions to skip over these gaps
implementation issues 1
Implementation Issues - 1
  • When to perform the transformations
    • Compile-time, link-time, installation-time or load-time
    • Compile-time means better performance
    • Load-time does not require special compilers and linkers, and can be applied to binary program without source code
    • Link-time is chosen by this paper
implementation issues 2
Implementation Issues - 2
  • When to determine the transformation amounts
    • Transformation time
      • Best performance
      • But the randomization will be the same every time the program is executed, a possible solution is periodically re-transformation
    • Beginning of program execution
    • Continuously changing during execution
      • Most difficult to attack
      • Not good for performance
    • Transformation time is chosen by the paper
implementation approach 1
Implementation Approach - 1
  • Approach
    • At binary level
    • Inserting additional code with the LEEL binary-editing tool
  • Only rewriting routines that can be completely analyzed
    • Safe rewriting of machine code requires understanding of the complete control-flow graph, which is difficult because of
      • Data may be intermixed with code
      • Indirect jumps and calls
implementation approach 2
Implementation Approach - 2
  • Stack base address randomization
    • By adding extra code to the text segment of the program
    • Skipped from execution by inserting a jump instruction at the beginning of the main routine
    • Decrement the stack pointer by a random number between 1 and 108
    • This gap is write-protected using the mpprotect system call
    • Overflow beyond the base of the stack into this area will cause crash
implementation approach 3
Implementation Approach - 3
  • DLL base address randomization
    • To prevent attacks that jump to library code
  • Two options
    • Dynamically randomize library addresses using mmap
      • Implemented by a wrapper to mmap
      • Location of shared memory will be different for every execution
    • Statically randomize library addresses at link-time
      • Implemented by dynamically linking the executable with a dummy shared library
      • No change to the loader or rest of the system
implementation approach 4
Implementation Approach - 4
  • Text/Data segment randomization
    • Prevent attacks
      • modify a static variable
      • Jump to existing program code
  • Two approaches
    • Compile to a shared library and create a new main to load this library and call the old main
      • Code in shared library are position independent
      • Less efficient than address dependent counterpart
    • Relocate program’s code and data at link-time
      • No performance overhead
implementation approach 5
Implementation Approach - 5
  • Random stack frame padding
    • Pushing extra storage onto the stack during the initialization phase of each subroutine
  • Two issues
    • Padding size
      • Static – no runtime overhead
      • Dynamic
    • Placement of padding
      • Between the base pointer and local variables
      • Before parameters to function
implementation approach 51
Implementation Approach - 5
  • Heap Randomization
    • Code that will allocate a randomly-sized large chunk of memory is added
    • Wrapper functions is used to intercept calls to malloc
    • Dynamical memory allocation requests are randomly increases by 0 to 25%
effectiveness
Effectiveness
  • It is critical to have an estimate of the increase in attacker work load, as
    • Address obfuscation is foolproof
    • A probabilistic technique
  • Mathematical analysis of the effectiveness on different kinds of attacks are conducted in the paper

For example, success rate of a single attack

    • Stack smashing – 4/(2.5*104)
    • Existing code attacks – 4x10-5
conclusion
Conclusion
  • Strong Points
    • A comprehensive study of approaches for address obfuscation
    • A real tools is implemented
    • Mathematical analysis on the effectiveness
  • Weak Points
    • Insufficient introduction on background info
    • Only some routines can be transformed
    • Transformed binaries or the memory map of these binaries can be accessed by the attacker to extract random values from the binary