Readactor: Practical Code Randomization Resilient to Memory Disclosure
- 1 May 2015
- conference paper
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- No. 10816011,p. 763-780
- https://doi.org/10.1109/sp.2015.52
Abstract
Code-reuse attacks such as return-oriented programming (ROP) pose a severe threat to modern software. Designing practical and effective defenses against code-reuse attacks is highly challenging. One line of defense builds upon fine-grained code diversification to prevent the adversary from constructing a reliable code-reuse attack. However, all solutions proposed so far are either vulnerable to memory disclosure or are impractical for deployment on commodity systems. In this paper, we address the deficiencies of existing solutions and present the first practical, fine-grained code randomization defense, called Read actor, resilient to both static and dynamic ROP attacks. We distinguish between direct memory disclosure, where the attacker reads code pages, and indirect memory disclosure, where attackers use code pointers on data pages to infer the code layout without reading code pages. Unlike previous work, Read actor resists both types of memory disclosure. Moreover, our technique protects both statically and dynamically generated code. We use a new compiler-based code generation paradigm that uses hardware features provided by modern CPUs to enable execute-only memory and hide code pointers from leakage to the adversary. Finally, our extensive evaluation shows that our approach is practical -- we protect the entire Google Chromium browser and its V8 JIT compiler -- and efficient with an average SPEC CPU2006 performance overhead of only 6.4%.Keywords
This publication has 34 references indexed in Scilit:
- Missing the Point(er): On the Effectiveness of Code Pointer IntegrityPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2015
- VTint: Protecting Virtual Function Tables' IntegrityPublished by Internet Society ,2015
- Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented ProgrammingPublished by Internet Society ,2015
- SAFEDISPATCH: Securing C++ Virtual Calls from Memory Corruption AttacksPublished by Internet Society ,2014
- ROPecker: A Generic and Practical Approach For Defending Against ROP AttacksPublished by Internet Society ,2014
- Evaluating the Effectiveness of Current Anti-ROP DefensesLecture Notes in Computer Science, 2014
- Return-Oriented ProgrammingACM Transactions on Information and System Security, 2012
- Control-flow integrity principles, implementations, and applicationsACM Transactions on Information and System Security, 2009
- SPEC CPU2006 memory footprintACM SIGARCH Computer Architecture News, 2007
- Operating system protection through program evolutionComputers & Security, 1993