Hide and Seek: Exploiting and Hardening Leakage-Resilient Code Randomization
Abstract
Information leakage vulnerabilities can allow adversaries to bypass mitigations based on code randomization. This discovery motivates numerous techniques that diminish direct and indirect information leakage: (i) execute-only permissions on memory accesses, (ii) code pointer hiding (e.g., indirection or encryption), and (iii) decoys (e.g., booby traps). Among the proposed leakage-resilient defenses, Readactor is the most comprehensive solution that combines all these techniques. In this paper, we conduct a systematic analysis of recently proposed execute only randomization solutions including Readactor, and demonstrate a new class of attacks that bypasses them generically, highlighting their limitations. We analyze the prevalence of opportunities for such attacks in popular code bases and build three real-world exploits to demonstrate their practicality. We then implement and evaluate a new defense against our attacks. Our evaluation shows that our new technique is practical and adds little additional performance overhead (9.7% vs. 6.4%).
Document Details
- Document Type
- Technical Report
- Publication Date
- May 30, 2016
- Accession Number
- AD1033699
Entities
People
- Ahmad-reza Sadeghi
- Christopher Liebchen
- David Bigelow
- Hamed Okhravi
- Lucas Davi
- Michael Franz
- Per Larsen
- Richard W. Skowyra
- Robert A. Rudd
- Stephen Crane
- Thomas Hobson
- Veer S. Dedhia
Organizations
- MIT Lincoln Laboratory