SlideShare une entreprise Scribd logo

Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Télécharger en tant que PPTX, PDF
Yue Chen
Yue Chen

Fine-grained live ASLR (address space layout randomization) during runtime, periodically or with random time intervals. This can significantly leverage the bar of code reuse attack, like return-oriented programming (ROP). In case of information leak, sine it is runtime dynamic ASLR, the memory layout can be changed. keywords for search: control-flow integrity, CFI, memory corruption, Oakland, IEEE S&P, CCS, USENIX Security, NDSS, CODASPY, memory bugs, memory error, buffer overflow, crash, use after free, double free, ptrace

Ingénierie
1  sur  41
Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu Florida State University Stony Brook University 6th ACM Conference on Data and Applications Security and Privacy, New Orleans, LA, USA
Code Reuse Attack • Buffer Overflow -> Code Injection Attack
Code Reuse Attack • Buffer Overflow -> Code Injection Attack – Defense: Data Execution Prevention (DEP) • Write XOR Execute
Code Reuse Attack • Buffer Overflow -> Code Injection Attack – Defense: Data Execution Prevention (DEP) • Write XOR Execute • Return-oriented Programming Attack – Discover gadgets from existing code, chain them by ret instruction – Turing complete
Code Reuse Attack Existing Code Chained Gadgets
ASLR Address Space Layout Randomization Executable Library1 Library1 Executable
ASLR - Problem Library1 Executable Pointer Leak
ASLR - Problem Library1 Executable Pointer Leak De-randomized
Goal • Live randomization during runtime • Finer-grained randomization unit • Low performance overhead
Remix Live basic block (BB) randomization within functions
Remix Live basic block (BB) randomization within functions Advantages: No function pointer migration Good spatial locality
Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A
Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A After 0.86 seconds
Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A After 0.86 seconds After 2.13 seconds
Challenges • Chain randomized basic blocks together – Need extra space – Instruction update • Stale pointer migration
Extra Space Case 1: Extra Jmp Basic Block 1 Basic Block 2 Basic Block 3 Jmp to BB1 (1) At the Beginning of a Function
Extra Space Case 1: Extra Jmp Basic Block 1 Basic Block 2 Basic Block 3 Jmp to BB1 (1) At the Beginning of a Function (2) At the End of a Basic Block that does not end with instructions like Jmp/Ret mov … add … mov … mov … add … jle …
Extra Space Case 2: Displacement Length Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Before Remix
Extra Space Case 2: Displacement Length Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Jump to BB3 Before Remix After Remix
Extra Space Case 2: Displacement Length One-byte displacement: jmp +0x10 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Jump to BB3 Four-byte displacement: jmp +0x00001000 Before Remix After Remix
Extra Space Solution With Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement  Enough Space Guaranteed!
Extra Space Solution With Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement  Enough Space Guaranteed! Without Source Code: Leverage existing NOP paddings: • Function alignment • Loop alignment
Instruction Update Q: Which instructions need updating ?
Instruction Update Q: Which instructions need updating ? A: Control-flow related ones
Instruction Update Two-step update (e.g., unconditional direct jmp): Basic Block 1 Basic Block 2 Basic Block 3 Original After BB Reordering Step one: Jumps to Original Address of BB 3 Step two: Jumps to Current Address of BB 3 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 2 Basic Block 3 jmp
Instruction Update • Direct call: Step-one update • Indirect call: No update needed • Direct jump: Step-one and step-two update • Indirect jump: Discussed later • PC-relative addressing: Step-one update
Indirect Jump • Jump to functions – Unmoved – PLT/GOT – Tail/Sibling Call • Jump to basic blocks – See next
Basic Block Pointer Conversion • Why? - Migrate stale pointers to basic blocks, to ensure correctness
Basic Block Pointer Conversion • Why? - Migrate stale pointers to basic blocks, to ensure correctness • Where? - Return address - Jump table (switch/case) - Saved context (e.g., setjmp/longjmp) - Kernel exception table …
Optimization  Speed up randomization procedure: • Metadata Maintenance – Basic block information (e.g., location) – Code/data that need updating
Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop
Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Bundle
Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Bundle Randomize
Bundle Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 The bundling layout is different from time to time. – Unpredictable! Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Randomize
Implementation • Compiler – Slightly modified LLVM • Linux userspace applications – Ptrace, an isolated small agent to perform the randomization • Freebsd kernel modules – smp_rendezvous
Evaluation - Security • Finer-grained randomization: – Entropy boost • Live randomization during runtime: – Destroy discovered gadgets immediately Software Apache nginx lighttpd Average Basic Block Number per Function 15.3 18.8 14.4 Average NOP Space (bytes) per Function 19.3 26.2 22.1 Want more entropy? – Insert more NOP space!
Evaluation - Performance SPEC CPU 2006 Performance Overhead
Evaluation - Performance SPEC CPU 2006 Size Increase
Evaluation - Performance Apache Web Server Performance Overhead (by ApacheBench) Randomization Time Interval Randomization time interval can be random !Performance depends on hardware speed.
Evaluation - Performance ReiserFS Performance Overhead (by IOZone) Randomization Time Interval Randomization time interval can be random !Performance depends on hardware speed.
Q&A

Recommandé

Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
Intel processor trace - What are Recorded?
Intel processor trace - What are Recorded?Intel processor trace - What are Recorded?
Intel processor trace - What are Recorded?
Pipat Methavanitpong
 
Os lectures
Os lecturesOs lectures
Os lectures
Adnan Ghafoor
 
Threads in Operating System | Multithreading | Interprocess Communication
Threads in Operating System | Multithreading | Interprocess CommunicationThreads in Operating System | Multithreading | Interprocess Communication
Threads in Operating System | Multithreading | Interprocess Communication
Shivam Mitra
 
BAM experiences in large scale deployments
BAM experiences in large scale deploymentsBAM experiences in large scale deployments
BAM experiences in large scale deployments
AIMS Innovation
 
Release Cycle Changes
Release Cycle ChangesRelease Cycle Changes
Release Cycle Changes
HPCC Systems
 
Process management in operating system | process states | PCB | FORK() | Zomb...
Process management in operating system | process states | PCB | FORK() | Zomb...Process management in operating system | process states | PCB | FORK() | Zomb...
Process management in operating system | process states | PCB | FORK() | Zomb...
Shivam Mitra
 
File Systems: Why, How and Where
File Systems: Why, How and WhereFile Systems: Why, How and Where
File Systems: Why, How and Where
Kernel TLV
 

Recommandé

Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
Intel processor trace - What are Recorded?
Intel processor trace - What are Recorded?Intel processor trace - What are Recorded?
Intel processor trace - What are Recorded?
Pipat Methavanitpong
 
Os lectures
Os lecturesOs lectures
Os lectures
Adnan Ghafoor
 
Threads in Operating System | Multithreading | Interprocess Communication
Threads in Operating System | Multithreading | Interprocess CommunicationThreads in Operating System | Multithreading | Interprocess Communication
Threads in Operating System | Multithreading | Interprocess Communication
Shivam Mitra
 
BAM experiences in large scale deployments
BAM experiences in large scale deploymentsBAM experiences in large scale deployments
BAM experiences in large scale deployments
AIMS Innovation
 
Release Cycle Changes
Release Cycle ChangesRelease Cycle Changes
Release Cycle Changes
HPCC Systems
 
Process management in operating system | process states | PCB | FORK() | Zomb...
Process management in operating system | process states | PCB | FORK() | Zomb...Process management in operating system | process states | PCB | FORK() | Zomb...
Process management in operating system | process states | PCB | FORK() | Zomb...
Shivam Mitra
 
File Systems: Why, How and Where
File Systems: Why, How and WhereFile Systems: Why, How and Where
File Systems: Why, How and Where
Kernel TLV
 
Rashid new cv 2014
Rashid new cv 2014Rashid new cv 2014
Rashid new cv 2014
Rashid Ali
 
A Perspective from the intersection Data Science, Mobility, and Mobile Devices
A Perspective from the intersection Data Science, Mobility, and Mobile DevicesA Perspective from the intersection Data Science, Mobility, and Mobile Devices
A Perspective from the intersection Data Science, Mobility, and Mobile Devices
Yael Garten
 
White paper hadoop performancetuning
White paper hadoop performancetuningWhite paper hadoop performancetuning
White paper hadoop performancetuning
Anil Reddy
 
Data Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedInData Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedIn
Yael Garten
 
Impala SQL Support
Impala SQL SupportImpala SQL Support
Impala SQL Support
Yue Chen
 
Admission Control in Impala
Admission Control in ImpalaAdmission Control in Impala
Admission Control in Impala
Cloudera, Inc.
 
Cloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and AnalysisCloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and Analysis
Yue Chen
 
Apache Impala (incubating) 2.5 Performance Update
Apache Impala (incubating) 2.5 Performance UpdateApache Impala (incubating) 2.5 Performance Update
Apache Impala (incubating) 2.5 Performance Update
Cloudera, Inc.
 
Hadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialHadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorial
hadooparchbook
 
How to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organizationHow to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organization
Yael Garten
 
SecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security SystemsSecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security Systems
Yue Chen
 
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
Cloudera, Inc.
 
Nested Types in Impala
Nested Types in ImpalaNested Types in Impala
Nested Types in Impala
Cloudera, Inc.
 
Architecting next generation big data platform
Architecting next generation big data platformArchitecting next generation big data platform
Architecting next generation big data platform
hadooparchbook
 
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for productionFaster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Cloudera, Inc.
 
What no one tells you about writing a streaming app
What no one tells you about writing a streaming appWhat no one tells you about writing a streaming app
What no one tells you about writing a streaming app
hadooparchbook
 
Hoodie: Incremental processing on hadoop
Hoodie: Incremental processing on hadoopHoodie: Incremental processing on hadoop
Hoodie: Incremental processing on hadoop
Prasanna Rajaperumal
 
Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applications
hadooparchbook
 
Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applications
hadooparchbook
 
Streaming architecture patterns
Streaming architecture patternsStreaming architecture patterns
Streaming architecture patterns
hadooparchbook
 
Automated deployments using envoy by John Blackmore
Automated deployments using envoy by John BlackmoreAutomated deployments using envoy by John Blackmore
Automated deployments using envoy by John Blackmore
TechExeter
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Anne Nicolas
 

Contenu connexe

En vedette

Rashid new cv 2014
Rashid new cv 2014Rashid new cv 2014
Rashid new cv 2014
Rashid Ali
 
Data Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedInData Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedIn
Yael Garten
 
Admission Control in Impala
Admission Control in ImpalaAdmission Control in Impala
Admission Control in Impala
Cloudera, Inc.
 
How to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organizationHow to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organization
Yael Garten
 
SecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security SystemsSecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security Systems
Yue Chen
 
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for productionFaster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Cloudera, Inc.
 

En vedette (20)

Rashid new cv 2014
Rashid new cv 2014Rashid new cv 2014
Rashid new cv 2014
 
A Perspective from the intersection Data Science, Mobility, and Mobile Devices
A Perspective from the intersection Data Science, Mobility, and Mobile DevicesA Perspective from the intersection Data Science, Mobility, and Mobile Devices
A Perspective from the intersection Data Science, Mobility, and Mobile Devices
 
White paper hadoop performancetuning
White paper hadoop performancetuningWhite paper hadoop performancetuning
White paper hadoop performancetuning
 
Data Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedInData Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedIn
 
Impala SQL Support
Impala SQL SupportImpala SQL Support
Impala SQL Support
 
Admission Control in Impala
Admission Control in ImpalaAdmission Control in Impala
Admission Control in Impala
 
Cloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and AnalysisCloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and Analysis
 
Apache Impala (incubating) 2.5 Performance Update
Apache Impala (incubating) 2.5 Performance UpdateApache Impala (incubating) 2.5 Performance Update
Apache Impala (incubating) 2.5 Performance Update
 
Hadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialHadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorial
 
How to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organizationHow to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organization
 
SecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security SystemsSecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security Systems
 
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
 
Nested Types in Impala
Nested Types in ImpalaNested Types in Impala
Nested Types in Impala
 
Architecting next generation big data platform
Architecting next generation big data platformArchitecting next generation big data platform
Architecting next generation big data platform
 
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for productionFaster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
 
What no one tells you about writing a streaming app
What no one tells you about writing a streaming appWhat no one tells you about writing a streaming app
What no one tells you about writing a streaming app
 
Hoodie: Incremental processing on hadoop
Hoodie: Incremental processing on hadoopHoodie: Incremental processing on hadoop
Hoodie: Incremental processing on hadoop
 
Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applications
 
Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applications
 
Streaming architecture patterns
Streaming architecture patternsStreaming architecture patterns
Streaming architecture patterns
 

Similaire à Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Make static instrumentation great again, High performance fuzzing for Windows...
Make static instrumentation great again, High performance fuzzing for Windows...Make static instrumentation great again, High performance fuzzing for Windows...
Make static instrumentation great again, High performance fuzzing for Windows...
Lucas Leong
 
Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...
Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...
Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...
Blue Raster
 
Chapter 02 modified
Chapter 02 modifiedChapter 02 modified
Chapter 02 modified
Jugal Doshi
 
Kafka replication apachecon_2013
Kafka replication apachecon_2013Kafka replication apachecon_2013
Kafka replication apachecon_2013
Jun Rao
 
2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...
2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...
2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...
Brian Vandegriend
 
SFBigAnalytics_20190724: Monitor kafka like a Pro
SFBigAnalytics_20190724: Monitor kafka like a ProSFBigAnalytics_20190724: Monitor kafka like a Pro
SFBigAnalytics_20190724: Monitor kafka like a Pro
Chester Chen
 

Similaire à Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime) (20)

Automated deployments using envoy by John Blackmore
Automated deployments using envoy by John BlackmoreAutomated deployments using envoy by John Blackmore
Automated deployments using envoy by John Blackmore
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
 
Exploiting the windows kernel
Exploiting the windows kernelExploiting the windows kernel
Exploiting the windows kernel
 
Search at Twitter: Presented by Michael Busch, Twitter
Search at Twitter: Presented by Michael Busch, TwitterSearch at Twitter: Presented by Michael Busch, Twitter
Search at Twitter: Presented by Michael Busch, Twitter
 
es_hardware_handout
es_hardware_handoutes_hardware_handout
es_hardware_handout
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in Linux
 
Kafka Summit NYC 2017 - Deep Dive Into Apache Kafka
Kafka Summit NYC 2017 - Deep Dive Into Apache KafkaKafka Summit NYC 2017 - Deep Dive Into Apache Kafka
Kafka Summit NYC 2017 - Deep Dive Into Apache Kafka
 
Asynchronous Programming in Kotlin with Coroutines
Asynchronous Programming in Kotlin with CoroutinesAsynchronous Programming in Kotlin with Coroutines
Asynchronous Programming in Kotlin with Coroutines
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
 
Make static instrumentation great again, High performance fuzzing for Windows...
Make static instrumentation great again, High performance fuzzing for Windows...Make static instrumentation great again, High performance fuzzing for Windows...
Make static instrumentation great again, High performance fuzzing for Windows...
 
Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...
Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...
Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...
 
DEF CON 27 - JEFF DILEO - evil e bpf in depth
DEF CON 27 - JEFF DILEO - evil e bpf in depthDEF CON 27 - JEFF DILEO - evil e bpf in depth
DEF CON 27 - JEFF DILEO - evil e bpf in depth
 
Chapter 02 modified
Chapter 02 modifiedChapter 02 modified
Chapter 02 modified
 
Ch5 process synchronization
Ch5 process synchronizationCh5 process synchronization
Ch5 process synchronization
 
Kafka replication apachecon_2013
Kafka replication apachecon_2013Kafka replication apachecon_2013
Kafka replication apachecon_2013
 
2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...
2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...
2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
SFBigAnalytics_20190724: Monitor kafka like a Pro
SFBigAnalytics_20190724: Monitor kafka like a ProSFBigAnalytics_20190724: Monitor kafka like a Pro
SFBigAnalytics_20190724: Monitor kafka like a Pro
 

Plus de Yue Chen

EncExec: Secure In-Cache Execution
EncExec: Secure In-Cache ExecutionEncExec: Secure In-Cache Execution
EncExec: Secure In-Cache Execution
Yue Chen
 
Ravel: Pinpointing Vulnerabilities
Ravel: Pinpointing VulnerabilitiesRavel: Pinpointing Vulnerabilities
Ravel: Pinpointing Vulnerabilities
Yue Chen
 

Plus de Yue Chen (7)

KARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingKARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live Patching
 
EncExec: Secure In-Cache Execution
EncExec: Secure In-Cache ExecutionEncExec: Secure In-Cache Execution
EncExec: Secure In-Cache Execution
 
Ravel: Pinpointing Vulnerabilities
Ravel: Pinpointing VulnerabilitiesRavel: Pinpointing Vulnerabilities
Ravel: Pinpointing Vulnerabilities
 
Pinpointing Vulnerabilities (Ravel)
Pinpointing Vulnerabilities (Ravel)Pinpointing Vulnerabilities (Ravel)
Pinpointing Vulnerabilities (Ravel)
 
Inside Parquet Format
Inside Parquet FormatInside Parquet Format
Inside Parquet Format
 
Inside HDFS Append
Inside HDFS AppendInside HDFS Append
Inside HDFS Append
 
How Impala Works
How Impala WorksHow Impala Works
How Impala Works
 

Dernier

FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
ranjana rawat
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Christo Ananth
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Call Girls in Nagpur High Profile
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Call Girls in Nagpur High Profile
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Dr.Costas Sachpazis
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
ranjana rawat
 

Dernier (20)

BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...
 
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELLPVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdfIntze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
NFPA 5000 2024 standard .
NFPA 5000 2024 standard .NFPA 5000 2024 standard .
NFPA 5000 2024 standard .
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 

Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

  • 1. Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu Florida State University Stony Brook University 6th ACM Conference on Data and Applications Security and Privacy, New Orleans, LA, USA
  • 2. Code Reuse Attack • Buffer Overflow -> Code Injection Attack
  • 3. Code Reuse Attack • Buffer Overflow -> Code Injection Attack – Defense: Data Execution Prevention (DEP) • Write XOR Execute
  • 4. Code Reuse Attack • Buffer Overflow -> Code Injection Attack – Defense: Data Execution Prevention (DEP) • Write XOR Execute • Return-oriented Programming Attack – Discover gadgets from existing code, chain them by ret instruction – Turing complete
  • 5. Code Reuse Attack Existing Code Chained Gadgets
  • 6. ASLR Address Space Layout Randomization Executable Library1 Library1 Executable
  • 9. Goal • Live randomization during runtime • Finer-grained randomization unit • Low performance overhead
  • 10. Remix Live basic block (BB) randomization within functions
  • 11. Remix Live basic block (BB) randomization within functions Advantages: No function pointer migration Good spatial locality
  • 12. Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A
  • 13. Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A After 0.86 seconds
  • 14. Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A After 0.86 seconds After 2.13 seconds
  • 15. Challenges • Chain randomized basic blocks together – Need extra space – Instruction update • Stale pointer migration
  • 16. Extra Space Case 1: Extra Jmp Basic Block 1 Basic Block 2 Basic Block 3 Jmp to BB1 (1) At the Beginning of a Function
  • 17. Extra Space Case 1: Extra Jmp Basic Block 1 Basic Block 2 Basic Block 3 Jmp to BB1 (1) At the Beginning of a Function (2) At the End of a Basic Block that does not end with instructions like Jmp/Ret mov … add … mov … mov … add … jle …
  • 18. Extra Space Case 2: Displacement Length Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Before Remix
  • 19. Extra Space Case 2: Displacement Length Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Jump to BB3 Before Remix After Remix
  • 20. Extra Space Case 2: Displacement Length One-byte displacement: jmp +0x10 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Jump to BB3 Four-byte displacement: jmp +0x00001000 Before Remix After Remix
  • 21. Extra Space Solution With Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement  Enough Space Guaranteed!
  • 22. Extra Space Solution With Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement  Enough Space Guaranteed! Without Source Code: Leverage existing NOP paddings: • Function alignment • Loop alignment
  • 23. Instruction Update Q: Which instructions need updating ?
  • 24. Instruction Update Q: Which instructions need updating ? A: Control-flow related ones
  • 25. Instruction Update Two-step update (e.g., unconditional direct jmp): Basic Block 1 Basic Block 2 Basic Block 3 Original After BB Reordering Step one: Jumps to Original Address of BB 3 Step two: Jumps to Current Address of BB 3 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 2 Basic Block 3 jmp
  • 26. Instruction Update • Direct call: Step-one update • Indirect call: No update needed • Direct jump: Step-one and step-two update • Indirect jump: Discussed later • PC-relative addressing: Step-one update
  • 27. Indirect Jump • Jump to functions – Unmoved – PLT/GOT – Tail/Sibling Call • Jump to basic blocks – See next
  • 28. Basic Block Pointer Conversion • Why? - Migrate stale pointers to basic blocks, to ensure correctness
  • 29. Basic Block Pointer Conversion • Why? - Migrate stale pointers to basic blocks, to ensure correctness • Where? - Return address - Jump table (switch/case) - Saved context (e.g., setjmp/longjmp) - Kernel exception table …
  • 30. Optimization  Speed up randomization procedure: • Metadata Maintenance – Basic block information (e.g., location) – Code/data that need updating
  • 31. Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop
  • 32. Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Bundle
  • 33. Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Bundle Randomize
  • 34. Bundle Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 The bundling layout is different from time to time. – Unpredictable! Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Randomize
  • 35. Implementation • Compiler – Slightly modified LLVM • Linux userspace applications – Ptrace, an isolated small agent to perform the randomization • Freebsd kernel modules – smp_rendezvous
  • 36. Evaluation - Security • Finer-grained randomization: – Entropy boost • Live randomization during runtime: – Destroy discovered gadgets immediately Software Apache nginx lighttpd Average Basic Block Number per Function 15.3 18.8 14.4 Average NOP Space (bytes) per Function 19.3 26.2 22.1 Want more entropy? – Insert more NOP space!
  • 37. Evaluation - Performance SPEC CPU 2006 Performance Overhead
  • 38. Evaluation - Performance SPEC CPU 2006 Size Increase
  • 39. Evaluation - Performance Apache Web Server Performance Overhead (by ApacheBench) Randomization Time Interval Randomization time interval can be random !Performance depends on hardware speed.
  • 40. Evaluation - Performance ReiserFS Performance Overhead (by IOZone) Randomization Time Interval Randomization time interval can be random !Performance depends on hardware speed.
  • 41. Q&A