Layout Randomization Research Articles

FormatAEG: a framework for bypassing ASLR defense and automated exploitation of format string vulnerability

Abstract The format string vulnerability is a common software vulnerability. A well-constructed format string can read and modify arbitrary memory addresses, causing serious system problems. Existing automated exploit generation solutions for format string vulnerability are unable to cope with the limitations imposed by the vulnerability defense mechanism Address Space Layout Randomization (ASLR) and the program itself on vulnerability exploitation. In this paper, to address the above challenges, we propose FormatAEG, the first automatic exploitation framework for format string vulnerabilities that can bypass ASLR defense and the program's own constraints. Specifically, we first proposed an arbitrary address reading and writing method based on a format string vulnerability, which can modify the target address data by directly arranging the target address or automatically searching and utilizing the pointer chain in the stack. Then, we propose a vulnerability reentry method based on global offset table (GOT) hijacking, which hijacks the program control flow by modifying function addresses in the GOT, making the vulnerability reentrant. In the experimental section, we evaluated FormatAEG using 20 Capture The Flag programs from top international tournaments and two real-world programs with format string vulnerabilities. The evaluation results show that with ASLR defense turned on, FormatAEG successfully detects format string vulnerability in 19 of these programs and generates exploit code for 15 of them. Compared with existing tools, FormatAEG detected 11 more format string vulnerabilities and generated 13 more exploit codes.

Mitigation of privilege escalation attack using kernel data relocation mechanism

Kernel memory corruption, which leads to a privilege escalation attack, has been reported as a security threat to operating systems. To mitigate privilege escalation attacks, several security mechanisms are proposed. Kernel address space layout randomization randomizes kernel code and data virtual address layout on the kernel memory. Privileged information protection methods monitor and restore illegal privilege modifications. Therefore, if an adversary identifies the kernel data containing privileged information, an adversary can achieve the privilege escalation in a running kernel. This paper proposes a kernel data relocation mechanism (KDRM) that dynamically relocates privileged information in the running kernel to mitigate privilege escalation attacks. The KDRM introduces the relocation-only page into the kernel. The relocation-only page allows the virtual address of the privileged information to change by dynamically relocating for the user process. One of the relocation-only pages is randomly selected to store the privileged information at the system call invocations. The evaluation results indicate the possibility of mitigating privilege escalation attacks through direct memory overwriting by user processes on Linux with KDRM. The KDRM showed an acceptable performance cost. The overhead of a system call was up to 11.52%, and the kernel performance score was 0.11%.

DSLR–: A low-overhead data structure layout randomization for defending data-oriented programming

By developing a Turing-complete non-control data attack to bypass existing defenses against control flow attacks, Data-Oriented Programming (DOP) has gained significant attention from researchers in recent years. While several defense techniques have been proposed to mitigate DOP attacks, they often introduce substantial overhead due to the blind protection of a large range of data objects. To address this issue, we focus on selecting and protecting the specific target data that are of interest to DOP attackers, rather than securing the entire non-control data in the program. In this regard, we perform static analysis on 20 real-world applications and identify the target data, verifying that they constitute only a small percentage of the overall program, averaging around 3%. Additionally, we propose a semi-automated tool to analyze how to chain operations on the target data in these 20 applications to achieve Turing-complete attacks. Furthermore, we introduce DSLR-: a low-overhead Data Structure Layout Randomization (DSLR) method, which modifies the existing DSLR technique to only randomize the selected target data for DOP. Experimental results demonstrate that DSLR- effectively mitigates DOP attacks, reducing performance overhead by 71.2% and memory overhead by 82.5% compared to the original DSLR technique.

AVX-TSCHA: Leaking information through AVX extensions in commercial processors

Modern x86 processors support an AVX instruction set to boost performance. However, this extension set may also cause security issues. We discovered that there are vulnerable properties in the implementation of the masked load/store instructions. First, these instructions can suppress exceptions caused by invalid or inaccessible memory access. Second, the execution time of these instructions leaks the current state of the page mappings, permissions, and TLB states.Based on this, we present a novel AVX timing side-channel attack that can defeat address space layout randomization. We demonstrate the significance of our side-channel attack by showing User and Kernel ASLR breaks on the recent Intel and AMD processors in various environments, including cloud computing systems (Amazon AWS, Google GCP, and Microsoft Azure), an SGX enclave (a fine-grained ASLR break), and major OSes (Linux, Windows, and macOS). Our attack can identify the Linux kernel's base address in 0.29 ms as well as those of loaded kernel modules in 2.24 ms, with a near-zero error rate. We further demonstrate that our attack can be used to infer user behavior, such as mouse movements and data transmissions over the network. Our evaluation results on multiple mobile, desktop, and server processors (a total of 26 Intel and AMD CPUs) show that 1) the AVX timing side-channel works on the vast majority of Intel processors (from the Sandy Bridge microarchitecture) as well as AMD processors (from the Zen microarchitecture onward) and 2) our KASLR breaks are very fast and reliable. To the best of our knowledge, our attack is the first to demonstrate a KASLR break on both the recent Intel Alder Lake and AMD Zen 3 CPUs. We highlight that more robust isolation or fine-grained randomization should be adopted to mitigate our presented attacks successfully.

What you can read is what you can't execute

Due to the address space layout randomization (ASLR), code reuse attacks (CRAs) require memory probes to get available gadgets. Code reading is the basic way to obtain code information. In theory, setting the code to be unreadable can prevent code reading. However, the pages are loaded dynamically, and the existing methods cannot set all code as unreadable at one time. They can only control code permissions page-by-page via time-consuming page tracking. Moreover, since some special users need to read code, turning off the read permission will affect their execution. To solve these problems, this paper proposes a method AntiRead. It rebuilds the buddy system for memory allocation. The new buddy system places code pages in a specific memory pool to manage their read permissions. In the presence of AntiRead, what is obtained by adversaries through code reading is either randomized code or non-executable code. Experiments and analysis show that AntiRead can prevent the code that has been read from being used as gadgets without affecting the normal code reading. In addition, the CPU overhead introduced by AntiRead is 1.8%.

PointerScope: Understanding Pointer Patching for Code Randomization

Various fine-grained randomization schemes have been designed to increase the entropy of process space, while none of them can rise from an academic exercise to industrial deployment like Address Space Layout Randomization (ASLR). One of the critical reasons is the incorrectness of randomization caused by the mismatch between their pointer collection capabilities and the high accuracy requirements of the pointer patching task. In this article, we present PointerScope, an accurate compile-time pointer collection scheme deriving from a group of novel observations. The success of PointerScope relies on the complete tracing of the pointer generation process, including the compilation chain from compiler to static linker and the interface specification between them. From this view, PointerScope identifies four types of pointer-related static linker behaviors and clarifies five types of inherent addressing modes in the x86-64 architecture. The vague understanding of them causes the Compiler-assisted Code Randomization (CCR) to incorrectly collect pointers and patch them to the wrong values after randomization. Further, we measure the pointer collection capability of augmented binary analysis, the experimental results show that they can mitigate challenges from the traditional binary analysis by the given premises, but additional heuristics still need to be designed to support the fine-grained randomization.

MagBox: Keep the risk functions running safely in a magic box

Address space layout randomization (ASLR) has been widely deployed in operating systems (OS) to hide memory layout, which mitigates code reuse attacks (CRAs). Unfortunately, the memory probing techniques can still provide attackers with enough information to bypass ASLR. Although the control flow integrity (CFI) methods are not affected by code probing, they face the precision problem of control flow graphs (CFG). To make matters worse, most methods rely on the source code of the targets to be protected, which leads to their restrictions on the protection of the objects without source code. To solve these problems, MagBox is proposed in this paper. It identifies the risk functions that can provide gadgets for CRAs by detecting and analyzing attackers’ code probing activities. If the function is probed, it will be moved to a new address space. After that, the control flow transfers of the function will be tracked and analyzed in real time to judge their legitimacy. Experiment results and analysis show that MagBox can mitigate CRAs, and only introduces 3.4% performance overhead to the CPU.

FASLR: Function-Based ASLR via TrustZone-M and MPU for Resource-Constrained IoT Systems

The address space layout randomization (ASLR) has been widely deployed on modern operating systems against code reuse attacks (CRAs), such as return-oriented programming (ROP) and jump-oriented programming (JOP). However, porting ASLR to resource-constrained IoT devices is a great challenge due to the limited memory space for randomization. We propose a function-based ASLR scheme (fASLR) for IoT runtime security utilizing the ARM TrustZone-M technology and the memory protection unit (MPU) supported by ARM Cortex-M processors. fASLR loads a function from the flash and randomizes its base address in a randomization region in RAM when the function is being called. We design novel mechanisms on cleaning up finished functions from the RAM and memory addressing to tackle the complexity of function relocation and randomization. Optimizations are applied to effectively reduce overhead introduced by runtime memory management. We also formally prove that user applications will run correctly with fASLR enabled. Compared with the related work, a prominent advantage of fASLR is that fASLR can run an application even if the application code cannot be completely loaded into RAM for execution. We test fASLR with 21 applications. The experimental results show that fASLR achieves a high randomization entropy and incurs a runtime overhead of less than 10%.

An In-Depth Survey of Bypassing Buffer Overflow Mitigation Techniques

Buffer Overflow (BOF) has been a ubiquitous security vulnerability for more than three decades, potentially compromising any software application or system. This vulnerability occurs primarily when someone attempts to write more bytes of data (shellcode) than a buffer can handle. To date, this primitive attack has been used to attack many different software systems, resulting in numerous buffer overflows. The most common type of buffer overflow is the stack overflow vulnerability, through which an adversary can gain admin privileges remotely, which can then be used to execute shellcode. Numerous mitigation techniques have been developed and deployed to reduce the likelihood of BOF attacks, but attackers still manage to bypass these techniques. A variety of mitigation techniques have been proposed and implemented on the hardware, operating system, and compiler levels. These techniques include No-EXecute (NX) and Address Space Layout Randomization (ASLR). The NX bit prevents the execution of malicious code by making various portions of the address space of a process inoperable. The ASLR algorithm randomly assigns addresses to various parts of the logical address space of a process as it is loaded in memory for execution. Position Independent Executable (PIE) and ASLR provide more robust protection by randomly generating binary segments. Read-only relocation (RELRO) protects the Global Offset Table (GOT) from overwriting attacks. StackGuard protects the stack by placing the canary before the return address in order to prevent stack smashing attacks. Despite all the mitigation techniques in place, hackers continue to be successful in bypassing them, making buffer overflow a persistent vulnerability. The current work aims to describe the stack-based buffer overflow vulnerability and review in detail the mitigation techniques reported in the literature as well as how hackers attempt to bypass them.

On Random Number Generation for Kernel Applications

An operating system kernel uses cryptographically secure pseudorandom number generator (CSPRNG) for creating address space layout randomization (ASLR) offsets to protect memory addresses of processes from exploitation, storing users’ passwords securely and creating cryptographic keys. However, at present, popular kernel CSPRNGs such as Yarrow, Fortuna and /dev/(u)random which are used by MacOS/iOS/FreeBSD, Windows and Linux/Android kernels respectively lack the very crucial property of non-reproducibility of their generated bitstreams which is used to nullify the scope of predicting the bitstream. This paper proposes a CSPRNG called Cryptographically Secure Pseudorandom Number Generator for Kernel Applications (KCS-PRNG) which generates non-reproducible bitstreams. The proposed KCS-PRNG presents an efficient design uniquely configured with two new non-standard and verified elliptic curves and clock-controlled Linear Feedback Shift Registers (LFSRs) and a novel method to consistently generate non-reproducible random bitstreams of arbitrary lengths. The generated bitstreams are statistically indistinguishable from true random bitstreams and provably secure, resilient to important attacks, exhibits backward and forward secrecy, exhibits exponential linear complexity, large period and huge key space.

Securely Sharing Randomized Code That Flies

Address space layout randomization was a great role model, being a light-weight defense technique that could prevent early return-oriented programming attacks. Simple yet effective, address space layout randomization was quickly widely adopted. Conversely, today only a trickle of defense techniques arebeing integrated or adopted mainstream. As code reuse attacks have evolved in complexity, defenses have strived to keep up. However, to do so, many have had to take unfavorable tradeoffs like using background threads or protecting only a subset of sensitive code. In reality, these tradeoffs were unavoidable steps necessary to improve the strength of the state of the art. In this article, we present Mardu , an on-demand system-wide runtime re-randomization technique capable of scalable protection of application as well as shared library code that most defenses have forgone. We achieve code sharing with diversification by implementing reactive and scalable rather than continuous or one-time diversification. Enabling code sharing further removes redundant computation like tracking and patching, along with memory overheads required by prior randomization techniques. In its baseline state, the code transformations needed for Mardu security hardening incur a reasonable performance overhead of 5.5% on SPEC and minimal degradation of 4.4% in NGINX, demonstrating its applicability to both compute-intensive and scalable real-world applications. Even when under attack, Mardu only adds from less than 1% to up to 15% depending on application size and complexity.

Exploit-oriented Automated Information Leakage

PDF HTML XML Export Cite reminder Exploit-oriented Automated Information Leakage DOI: 10.21655/ijsi.1673-7288.00290 Author: Affiliation: Clc Number: Fund Project: Article | Figures | Metrics | Reference | Related | Cited by | Materials | Comments Abstract:Automatic Exploit Generation (AEG) has become one of the most important ways to demonstrate the exploitability of vulnerabilities. However, state-of-the-art AEG solutions in general assume the target system has no mitigations deployed, which is not true in modern operating systems since they often deploy mitigations like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). This paper presents the automatic solution EoLeak that can exploit heap vulnerabilities to leak sensitive data and bypass ASLR and DEP at the same time. At a high level, EoLeak analyzes the program execution trace of the Proof-Of-Concept (POC) input that triggers the heap vulnerabilities, characterizes the memory profile from the trace, locates sensitive data (e.g., code pointers), constructs leakage primitives that disclose sensitive data, and generates exploits for the entire process when possible. We have implemented a prototype of EoLeak and evaluated it on a set of Capture The Flag (CTF) binary programs and several real-world applications. Evaluation results reveal that EoLeak is effective at leaking data and generating exploits. Reference Related Cited by

ThermalBleed: A Practical Thermal Side-Channel Attack

Modern OSs expose an interface for monitoring CPU temperature to unprivileged users for effective user decision-based thermal management. Due to the low sampling rate and resolution, thermal sensors have generally been restricted to the construction of covert channels. However, exposing the thermal interface to unprivileged users may be problematic, because the heat emission inside a CPU core is affected by program execution on the core; an attacker may be able to infer the secret information of the program by exploiting the thermal interface as a side-channel. In this paper, we extensively analyze digital thermal sensors in Intel CPUs and show that it is possible to implement a software-based thermal side-channel attack. Specifically, by analyzing some properties of the thermal sensors, we inferred that the thermal sensor makes it possible to distinguish between a cache hit and a physical memory access in memory load operations. Based on the analysis results, we implement ThermalBleed, a thermal side-channel attack that breaks kernel address space layout randomization (KASLR) in Linux systems. Moreover, by conducting an in-depth analysis, we identify useful hidden properties of the Intel thermal sensors. Our analysis establishes a stepping stone to build a more precise and effective thermal side-channel attack in the future. To the best of our knowledge, this is the first work that extends a thermal covert channel to a practical side-channel attack by exploring the properties of Intel digital thermal sensors.

Badaslr: Exceptional cases of ASLR aiding exploitation

Address Space Layout Randomization (ASLR) is de-facto standard exploit mitigation in our daily life software. The simplest idea of unpredictably randomizing memory layout significantly raises the bar for memory exploitation due to the additionally required attack primitives such as information leakage. Ironically, although exceptional, there are rare edge cases where ASLR becomes handy for memory exploitation. In this paper, we dig into such theoretical set of cases and name it as BadASLR. Based on our study, we introduce four categories of BadASLR: (i) aiding free chunk reclamation in heap spraying attack, (ii) aiding stack pivoting in frame-pointer null poisoning attack, (iii) reviving the exploitability of invalid pointer referencing bug, and (iv) introducing wild-card ROP gadgets in x86/x64 position independent code environment. To evaluate if BadASLR can be an actual plausible scenario, we look into real-world bug bounty cases, CTF/wargame challenges. Surprisingly, we found multiple vulnerabilities in commercial software where ASLR becomes handy for attacker. With BadASLR cases, we succeeded in exploiting peculiar vulnerabilities, and received total 10,000 USD as bug bounty reward including one CVE assignment.

Breaking KASLR Using Memory Deduplication in Virtualized Environments

Recent operating systems (OSs) have adopted a defense mechanism called kernel page table isolation (KPTI) for protecting the kernel from all attacks that break the kernel address space layout randomization (KASLR) using various side-channel analysis techniques. In this paper, we demonstrate that KASLR can still be broken, even with the latest OSs where KPTI is applied. In particular, we present a novel memory-sharing-based side-channel attack that breaks the KASLR on KPTI-enabled Linux virtual machines. The proposed attack leverages the memory deduplication feature on a hypervisor, which provides a timing channel for inferring secret information regarding the victim. By conducting experiments on KVM and VMware ESXi, we show that the proposed attack can obtain the kernel address within a short amount of time. We also present several countermeasures that can prevent such an attack.

Stopping Memory Disclosures via Diversification and Replicated Execution

With the wide deployment of security mechanisms such as Address Space Layout Randomization (ASLR), memory disclosures have become a prerequisite for critical memory-corruption attacks (e.g., code-reuse attack)—adversaries are forced to exploit memory disclosures to circumvent ASLR as the first step. As a result, the security threats of memory disclosures are now significantly aggravated—they break not only data confidentiality but also the effectiveness of security mechanisms. In this paper, we propose a general detection methodology and develop a system to stop memory disclosures. We observe that memory disclosures are not root causes but rather consequences of a variety of hard-to-detect program errors such as memory corruption and uninitialized read. We thus propose a replicated execution–based methodology to generally detect memory disclosures, regardless of their causes. We realize this methodology with Buddy : By seamlessly maintaining two identical running instances of a target program and diversifying only its target data, Buddy can accurately detects memory disclosures of the data, as doing so will result in the two instances outputting different values. Extensive evaluation results show that Buddy is reliable and efficient while stopping real memory disclosures such as the Heartbleed leak.

Mitigation of Kernel Memory Corruption Using Multiple Kernel Memory Mechanism

Operating systems adopt kernel protection methods (e.g., mandatory access control, kernel address space layout randomization, control flow integrity, and kernel page table isolation) as essential countermeasures to reduce the likelihood of kernel vulnerability attacks. However, kernel memory corruption can still occur via the execution of malicious kernel code at the kernel layer. This is because the vulnerable kernel code and the attack target kernel code or kernel data are located in the same kernel address space. To gain complete control of a host, adversaries focus on kernel code invocations, such as function pointers that rely on the starting points of the kernel protection methods. To mitigate such subversion attacks, this paper presents multiple kernel memory (MKM), which employs an alternative design for kernel address space separation. The MKM mechanism focuses on the isolation granularity of the kernel address space during each execution of the kernel code. MKM provides two kernel address spaces, namely, i) the trampoline kernel address space, which acts as the gateway feature between user and kernel modes and ii) the security kernel address space, which utilizes the localization of the kernel protection methods (i.e., kernel observation). Additionally, MKM achieves the encapsulation of the vulnerable kernel code to prevent access to the kernel code invocations of the separated kernel address space. The evaluation results demonstrated that MKM can protect the kernel code and kernel data from a proof-of-concept kernel vulnerability that could lead to kernel memory corruption. In addition, the performance results of MKM indicate that the system call overhead latency ranges from 0.020 μs to 0.5445 μs, while the web application benchmark ranges from 196.27 μs to 6, 685.73 μs for each download access of 100,000 Hypertext Transfer Protocol sessions. MKM attained a 97.65% system benchmark score and a 99.76% kernel compilation time.

PageDumper: a mechanism to collect page table manipulation information at run-time

The state-of-the-art contributions in the area of memory forensics are centered around uncovering potentially hidden processes, control flow and code pointer integrity manipulations and detecting malicious code injections done by attackers. At the same time, deployment of memory protection mechanisms like control flow integrity, data execution prevention/no-execute, address space layout randomization and kernel address space layout randomization, have obviated the use of such attack vectors for sensitive information disclosure. Thus, attackers are now adopting various techniques to elude memory protection using memory corruption or memory disclosure attacks inside the operating system (OS). The heavy-dependence of all such advanced prevention and defense mechanisms on memory protection/memory safety attributes are luring attackers to conduct sophisticated data attacks against the OS that leaves no traces in the file system. In this paper, while assessing the security implications of such attack vectors, we propose a mechanism to capture such memory-protection-manipulation-based attack footprints at run time in the form of a utility called PageDumper. While parsing the system virtual address space and page table entries(for the process and kernel address space), it collects the in-memory data attack footprints at run time. Thus, PageDumper can supplement information(s) for the postmortem analysis of run time process and the kernel address space environment, when used in conjunction with memory snapshots taken through memory acquisition tools for a more practical and in-depth memory analysis.

A Review of Memory Errors Exploitation in x86-64

Memory errors are still a serious threat affecting millions of devices worldwide. Recently, bounty programs have reached a new record, paying up to USD 2.5 million for one single vulnerability in Android and up to USD 2 million for Apple’s operating system. In almost all cases, it is common to exploit memory errors in one or more stages to fully compromise those devices. In this paper, we review and discuss the importance of memory error vulnerabilities, and more specifically stack buffer overflows to provide a full view of how memory errors are exploited. We identify the root causes that make those attacks possible on modern x86-64 architecture in the presence of modern protection techniques. We have analyzed how unsafe library functions are prone to buffer overflows, revealing that although there are secure versions of those functions, they are not actually preventing buffer overflows from happening. Using secure functions does not result in software free from vulnerabilities and it requires developers to be security-aware. To overcome this problem, we discuss the three main security protection techniques present in all modern operating system; the non-eXecutable bit (NX), the Stack Smashing Protector (SSP) and the Address Space Layout Randomization (ASLR). After discussing their effectiveness, we conclude that although they provide a strong level of protection against classical exploitation techniques, modern attacks can bypass them.

Obfuscated integration of software protections

To counter man-at-the-end attacks such as reverse engineering and tampering, software is often protected with techniques that require support modules to be linked into the application. It is well known, however, that attackers can exploit the modular nature of applications and their protections to speed up the identification and comprehension process of the relevant code, the assets, and the applied protections. To counter that exploitation of modularity at different levels of granularity, the boundaries between the modules in the program need to be obfuscated. We propose to do so by combining three cross-boundary protection techniques that thwart the disassembly process and in particular the reconstruction of functions: code layout randomization, interprocedurally coupled opaque predicates, and code factoring with intraprocedural control flow idioms. By means of an experimental evaluation on realistic use cases and state-of-the-art tools, we demonstrate our technique’s potency and resilience to advanced attacks. All relevant code is publicly available online.