ASLR2: A New Moving Target Defense Primitive Using COTS Binary Rewriting Without Heuristics
Abstract
Moving target defense (MTD) creates asymmetric uncertainty for attackers and has increasingly become a prominent defense strategy. One widely deployed MTD, present in nearly all modern operating systems, is address space layout randomization (ASLR), which randomizes the address space of a program each time the program is executed. ASLR has evolved from base address shifting to fine-grained (e.g., per basic block, per function) address space randomization, in response to recent advanced code reuse attacks such as return oriented programming (ROP), jump oriented programming (JOP), and call oriented programming (COP). However, recent fine-grained ASLR only employs a one-time randomization, and this limitation has been exploited by advanced just-in-time ROP and side channel ROP, which collect gadgets on the fly and dynamically compile them to attack victim programs such as web servers or web browsers. To defeat such emerging advanced code reuse attacks, we propose a new moving target defense primitive: run-time Address Space Layout Re-Randomization (ASLRR), which offers dynamic address space layout re-randomization to protect vulnerable commercial-off-the-shelf (COTS) software running on both x86/64 and ARM platforms without access to source code or cooperation from compilers. To achieve wide applicability, we take a static COTS binary rewriting approach to realize ASLRR. One important advancement in this proposed research is that we will leverage our recently developed COTS binary rewriting system (i.e., MultiVerse), which holds both soundness and completeness, as our baseline technique, to rewrite a binary with the capability of (periodically) re-randomizing its address space without incurring too large a performance penalty.
In particular, rewriting binaries statically is challenging, especially for the x86 architecture, where addresses can be computed dynamically, code and data can be interleaved, and instructions have variable length and can start at any offset. Unlike existing approaches that make strong assumptions about the binary code (e.g., requiring correct disassembly, cooperation from compilers, or access to debugging symbols or relocation entries), we propose to develop a next-generation brute-force disassembler that is able to disassemble all possible legal instructions in COTS binaries for both ARM and x86/64, and an instruction rewriter that is able to correctly rewrite all indirect control flow transfer instructions and always guard them so that they execute code at the correct locations. In addition to these two key components, we also propose to develop a runtime address randomizer that is able to re-randomize the program code space periodically, or re-randomize right after certain system calls execute (e.g., write, send, and sendto), thereby enabling our ASLRR defense primitive in COTS binaries when they are executed. Meanwhile, aggressive performance optimization must also be performed on the rewritten code in order to keep the overhead of the protected binaries acceptable. If successful, the project will provide defenders with a new, potent, and practical ASLRR for more effectively defending against memory corruption attacks that use advanced offensive techniques such as ROP, Blind-ROP, and JIT-ROP. The proposed techniques will be particularly useful in both enterprise computing and computing in the nation's interest. Our research agenda also offers strong academic and scientific merit by developing a next-generation static binary rewriter that is able to rewrite a binary without using any heuristics, in contrast to conventional approaches that mainly rely on various assumptions and heuristics to rewrite a binary.
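As an added illustration of why the brute-force (superset) disassembly described above matters, the following Python snippet (not code from the proposal or from MultiVerse) decodes a constructed byte string at every offset, using a deliberately partial table of real x86-64 opcodes, and contrasts that with a conventional fall-through sweep. The sweep sees only a `mov`, while the superset also recovers the `ret` hidden inside that instruction's immediate, which is exactly the kind of location an indirect-control-transfer rewriter must be able to relocate and guard.

```python
# Toy superset disassembler for a small subset of x86-64 encodings.
# The opcode table is intentionally partial (assumption): anything not
# listed is treated as "no legal instruction starts here".
from typing import Dict, List, Optional, Tuple

# opcode byte -> (mnemonic template, total length, immediate size)
OPCODES: Dict[int, Tuple[str, int, int]] = {
    0x90: ("nop", 1, 0),        0xC3: ("ret", 1, 0),
    0xC9: ("leave", 1, 0),      0xCC: ("int3", 1, 0),
    0x55: ("push rbp", 1, 0),   0x5D: ("pop rbp", 1, 0),
    0xEB: ("jmp rel8", 2, 1),   0xE8: ("call rel32", 5, 4),
    0xE9: ("jmp rel32", 5, 4),
}
# B8+r: mov r32, imm32
for r, reg in enumerate(["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]):
    OPCODES[0xB8 + r] = (f"mov {reg}, imm32", 5, 4)

def decode_one(code: bytes, off: int) -> Optional[Tuple[str, int]]:
    """Decode one instruction at `off`; None if no known legal encoding."""
    if off >= len(code) or code[off] not in OPCODES:
        return None
    mnem, length, imm_size = OPCODES[code[off]]
    if off + length > len(code):
        return None
    if not imm_size:
        return mnem, length
    imm = int.from_bytes(code[off + 1:off + 1 + imm_size], "little", signed=True)
    if "rel" in mnem:  # branch: resolve to an absolute offset in this blob
        return f"{mnem.split()[0]} {hex((off + length + imm) & 0xFFFFFFFF)}", length
    return mnem.replace("imm32", hex(imm & 0xFFFFFFFF)), length

def superset_disassemble(code: bytes) -> Dict[int, Tuple[str, int]]:
    """Brute force: try every byte offset, keep every legal decoding."""
    return {o: d for o in range(len(code)) if (d := decode_one(code, o))}

def linear_sweep(code: bytes, start: int = 0) -> List[int]:
    """Offsets a conventional fall-through disassembly visits from `start`."""
    seen, off = [], start
    while (d := decode_one(code, off)) is not None:
        seen.append(off)
        off += d[1]
    return seen

def hidden_instructions(code: bytes) -> List[int]:
    """Offsets the superset recovers that the sweep from 0 never reaches."""
    return sorted(set(superset_disassemble(code)) - set(linear_sweep(code)))

# Constructed sample: push rbp; mov eax, 0x90c3; pop rbp; ret.
# The immediate bytes C3 90 decode as ret / nop when entered mid-instruction.
CODE = bytes.fromhex("55 b8 c3 90 00 00 5d c3")

if __name__ == "__main__":
    for off, (text, _) in sorted(superset_disassemble(CODE).items()):
        print(f"{off:02x}: {text}")
    print("hidden from linear sweep:", hidden_instructions(CODE))
```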
In addition to our ASLRR, there will be many other applications that can benefit from our new rewriter, such as software fault isolation, inlined reference monitoring, binary code hardening, and binary code reuse.
Document Details
- Document Type: DoD Grant Award
- Publication Date: Jun 25, 2021
- Source ID: W911NF2110081
Entities
People
- Zhiqiang Lin
Organizations
- Army Contracting Command
- Ohio State University
- United States Army