Fig 3 - uploaded by Per Larsen
Content may be subject to copyright.
Source publication
Tor is a well-known anonymous communication system used by millions of users, including journalists and civil rights activists all over the world. The Tor Browser gives non-technical users an easy way to access the Tor Network. However, many government organizations are actively trying to compromise Tor not only in regions with repressive regimes b...
Context in source publication
Context 1
... head of the linked list is stored in a dedi- cated register called the base pointer (BP) (ebp on x86). When a new stack frame is added, the called function saves the BP register of the caller on the stack, then overwrites the BP register to point to the current stack frame, as shown in Figure 3. ...
Similar publications
![Statistics and trends of top web browsers, StatCounter Global Stats [48]](publication/326727542/figure/fig5/AS:779393026760706@1562833186221/Statistics-and-trends-of-top-web-browsers-StatCounter-Global-Stats-48_Q320.jpg)
Anonymity protocols are employed to establish encrypted tunnels to protect the privacy of Internet users from traffic analysis attacks. However, the attackers strive to infer some traffic patterns’ characteristics (e.g. packet directions, packet sizes, inter-packet timing, etc.) in order to expose the identities of Internet users and their activiti...
Citations
... Coarse-grained randomization, such as address space layout randomization, has been deployed in many operating systems. Common randomization granularity includes function blocks (Conti et al., 2016;Giuffrida et al., 2012;Zhang et al., 2019), basic blocks (Chen et al., 2016;Koo et al., 2018;Wartell et al., 2012), and instruction and register (Hiser et al., 2012;Homescu et al., 2013;Crane et al., 2015). Randomization is implemented with compilers (Chen et al., 2016;Koo et al., 2018;Williams-King et al., 2016) or binary rewriting tools (Pappas et al., 2012;Wartell et al., 2012). ...
Code-reuse attacks have become a kind of common attack method, in which attackers use the existing code in the program to hijack the control flow. Most existing defenses focus on control flow integrity (CFI), code randomization, and software debloating. However, most fine-grained schemes of those that ensure such high security suffer from significant performance overhead, and only reduce attack surfaces such as software debloating can not defend against code-reuse attacks completely. In this paper, from the perspective of shrinking the available code space at runtime, we propose LoadLord, which dynamically loads, and timely unloads functions during program running to defend against code-reuse attacks. LoadLord can reduce the number of gadgets in memory, especially high-risk gadgets. Moreover, LoadLord ensures the control flow integrity of the loading process and breaks the necessary conditions to build a gadget chain. We implemented LoadLord on Linux operating system and experimented that when limiting only 1/16 of the original function. As a result, LoadLord can defend against code-reuse attacks and has an average runtime overhead of 1.7% on the SPEC CPU 2006, reducing gadgets by 94.02%.
... This makes the first category (compiled MTD implementation) more of an acceptable approach, allowing for more predictable operation during runtime. The two most common MTD compiler implementations were noted as Multicompiler (Larsen et al., 2013) and SelfRando (Conti et al., 2016) can play critical roles within the embedded software development pipeline. Multicompiler provides code transformation passes at compile time while SelfRando inserts stub code to perform dynamic randomization when the program is loaded into memory. ...
Moving Target Defenses (MTD) have become a popular and emerging defense strategy for the protection of traditional information technology systems. By their very nature, MTD strategies are designed to protect against adversary reconnaissance efforts on static platforms, essentially sitting back and having unlimited time to identify, craft, execute, and scale an exploit. With the rapid adoption of distributed automotive Cyber-Physical Systems (CPS) ranging from self driving cars, to connected transportation infrastructure, it is becoming more apparent that third party supply chains, increased remote communication interfaces, and legacy software stacks are making the traditionally designed standalone systems become more susceptible to safety-critical cyber-attacks. MTD strategies within the automotive CPS domain have to delicately balance the tradeoff between security and real time predictability, maintaining the safety constraints of the systems. In this paper, we explore the various MTD strategies presented within the literature while discussing potential applicability and strategies sufficient for the automotive CPS domain.
... Just like attackers may wish to break security properties of HTTPS, it may also be of interest to break the anonymity provided by Tor. A common technique for deanonymization (known to be used in practice) is to compromise Tor Browser instead of circumventing the anonymity provided by Tor [5,10,22,69]. Web browsers like Firefox (or forks thereof) are one of the most complex software types that are widely used today, leading to security vulnerabilities and clear incentives for exploitation. For example, the exploit acquisition platform Zerodium offers up to $100, 000 for a Firefox zero-day exploit that provides remote code execution and local privilege escalation (i.e., full control of the browser) [70]. ...
The security of the web improved greatly throughout the last couple of years. A large majority of the web is now served encrypted as part of HTTPS, and web browsers accordingly moved from positive to negative security indicators that warn the user if a connection is insecure. A secure connection requires that the server presents a valid certificate that binds the domain name in question to a public key. A certificate used to be valid if signed by a trusted Certificate Authority (CA), but web browsers like Google Chrome and Apple’s Safari have additionally started to mandate Certificate Transparency (CT) logging to overcome the weakest-link security of the CA ecosystem. Tor and the Firefox-based Tor Browser have yet to enforce CT.
In this paper, we present privacy-preserving and incrementally-deployable designs that add support for CT in Tor. Our designs go beyond the currently deployed CT enforcements that are based on blind trust: if a user that uses Tor Browser is man-in-the-middled over HTTPS, we probabilistically detect and disclose cryptographic evidence of CA and/or CT log misbehavior. The first design increment allows Tor to play a vital role in the overall goal of CT: detect mis-issued certificates and hold CAs accountable. We achieve this by randomly cross-logging a subset of certificates into other CT logs. The final increments hold misbehaving CT logs accountable, initially assuming that some logs are benign and then without any such assumption. Given that the current CT deployment lacks strong mechanisms to verify if log operators play by the rules, exposing misbehavior is important for the web in general and not just Tor. The full design turns Tor into a system for maintaining a probabilistically-verified view of the CT log ecosystem available from Tor’s consensus. Each increment leading up to it preserves privacy due to and how we use Tor.
... As for the ASLR defense, we assume that the basic coarsegrained technique [40] is applied, which only relocates the base address of a module. More recent ASLRs can also be considered such as fine-grained ASLRs with varying granularity from segment level to instruction/register level [41]- [48] and, further, a re-randomization ASLR technique with periodic memory relocation [49]. In such cases, an attacker may need an advanced code reuse attack techniques such as Just-in-time return-oriented programming (JIT-ROP) to derandomize the memory layout. ...
In the Unix-like system, the Global Offset Table (GOT) overwrite attack is a long-lasting control flow hijacking attack. The attack, by leveraging the dynamic symbol binding mechanism, overwrites any GOT entry into the attacker’s target address to take the execution flow on the library function call. Recently, Full Relro (Relocation Read only), which arranges the GOT section as read-only at program startup, is regarded as most useful against the threat. However, it entails nontrivial loading overhead and is not applicable to libraries. Furthermore, many software packages are currently distributed without Full Relro. As a result, programs are still exposed to the risk of GOT attacks. In this paper, we propose a CFI-based protection scheme against the GOT overwrite attack. Using dynamically bound function symbols as branch identifiers, the scheme secures inter-module function calls on PLT (Procedure Linkage Table) effectively with little performance overhead. Our LLVM based implementation and evaluation on binutils-gdb show that the branch protection scheme is difficult to bypass, fast, and compatible with existing library programs.
... Therefore, the process address space layout randomization can be used to prevent exploitation of vulnerabilities. Various approaches to address space layout randomization were proposed in [12][13][14][15][16][17][18][19][20]. Some of them are applied in practice (ASLR). ...
... In this work, we implemented the randomization with the granularity up to functions; i.e., the code of each function is placed at an arbitrary address when the program is loaded; then, all references to this function in other functions are accordingly modified. A similar solution was proposed in Selfrando [15]. However, the approach described in [15] is designed for protecting individual applications (in particular, Tor browser). ...
... A similar solution was proposed in Selfrando [15]. However, the approach described in [15] is designed for protecting individual applications (in particular, Tor browser). The code performing the randomization is included in the executable file. ...
Software vulnerabilities are a serious security threat. It is important to develop protection mechanisms preventing their exploitation, especially with a rapid increase of ROP attacks. State of the art protection mechanisms have some drawbacks that can be used by attackers. In this paper, we propose fine-grained address space layout randomization on program load that is able to protect from such kind of attacks. During the static linking stage, the executable and library files are supplemented with information about function boundaries and relocations. A system dynamic linker/loader uses this information to perform permutation of functions. The proposed method was implemented for 64-bit programs on CentOS 7 operating system. The implemented method has shown good resistance to ROP attacks evaluated by two metrics: the number of survived gadgets and the exploitability estimation of ROP chain examples. The implementation presented in this article is applicable across the entire operating system and has no compatibility problems affecting the program performance. The working capacity of proposed approach was demonstrated on real programs. The further research can cover forking randomization and finer granularity than on the function level. It also makes sense to implement the randomization of short functions placement taking into account the relationships between them. The close arrangement of functions that often call each other can improve the performance of individual programs.
... For classifying the environments, two subcategories were chosen: a) language of the program being obfuscated/diversified and b) execution environment. Only a minority of research [135,158,163,167,191,232,340] mentioned multiple languages or language classes. ...
Context: Diversification and obfuscation are promising techniques for securing software and protecting computers from harmful malware. The goal of these techniques is not removing the security holes, but making it difficult for the attacker to exploit security vulnerabilities and perform successful attacks. Objective: There is an increasing body of research on the use of diversification and obfuscation techniques for improving software security; however, the overall view is scattered and the terminology is unstructured. Therefore, a coherent review gives a clear statement of state-of-the-art, normalizes the ongoing discussion and provides baselines for future research. Method: In this paper, systematic literature review is used as the method of the study to select the studies that discuss diversification/obfuscation techniques for improving software security. We present the process of data collection, analysis of data, and report the results. Results: As the result of the systematic search, we collected 357 articles relevant to the topic of our interest, published between the years 1993 and 2017. We studied the collected articles, analyzed the extracted data from them, presented classification of the data, and enlightened the research gaps. Conclusion: The two techniques have been extensively used for various security purposes and impeding various types of security attacks. There exist many different techniques to obfuscate/diversify programs, each of which targets different parts of the programs and is applied at different phases of software development life-cycle. Moreover, we pinpoint the research gaps in this field, for instance that there are still various execution environments that could benefit from these two techniques, including cloud computing, Internet of Things (IoT), and trusted computing. We also present some potential ideas on applying the techniques on the discussed environments.
... The possibility of a hybrid approach has been identified as a potentially attractive solution [36], and (to the best of our knowledge) we are the first to attempt an actual feasibility study of this concept by designing, implementing, and evaluating an end-to-end code transformation toolchain. We are not the first though to identify the benefits of augmenting binaries with transformation-assisting metadata, as previous works have proposed load-time diversification schemes based on self-randomizing binaries [5,50]. The main drawbacks of these approaches are: i) the granularity of the performed randomization, which is limited to whole-function reordering; and ii) the lack of the backwards compatibility and flexibility that a separate rewriter component provides, which allows for selective hardening and fine-tuning according to the characteristics of each particular system. ...
... This flexibility and backwards compatibility is an important benefit compared to the alternative approach of selfrandomizing binaries [5,50]. According to the characteristics of each particular system, administrators may opt for randomization at installation or load time (or no randomization at all), and selectively enable or disable additional hardening transformations and instrumentation that may be available. ...
... Client-side code randomization often involves complex binary code analysis, which faces significant challenges when it comes to accuracy and coverage, especially when supplemental information (e.g., relocation or symbolic information) is not available [66,68,79,[100][101][102]. Static binary rewriting of stripped binaries is still possible in certain cases, although it involves either code extraction heuristics [7-11, 33, 44, 47], or dynamic binary instrumentation [8,10,47,48]. Other implementation approaches include compile-time [5,28,32,42,43], link-time [6], load-time [7,8,10,33,44,50], and run-time [45,46,[103][104][105] solutions. On the other hand, the concept of serverside diversification has been briefly explored, especially as part of "app store" software distribution models [2,3]. ...
... A hijacked code pointer is used to redirect execution to the first gadget, which uses one of the prepared address to execute the next gadget through an indirect call, jump, or return instruction, and so on. Address space layout randomization (ASLR) [1], and newer randomization techniques proposed in literature [2]- [14], mitigate CRAs by introducing uncertainty on the location of gadgets during exploitation. In response, modern exploits rely primarily on information disclosure vulnerabilities [15], [16] to exfiltrate code addresses, while other avenues of attack include using sidechannels to reduce entropy [17], [18] and brute-forcing [19]. ...
... Such techniques typically permute objects in the text segment or randomize the padding between such objects. Existing permutationbased techniques reorganize individual code pages [3], [6], [9], [14], individual functions [2], [4], [5], [12], [20], [23], or intra-function elements (e.g., basic blocks [8], instructions [7], [10], or data flow [7], [20], [23], [25]). Similarly existing padding-based techniques typically operate at the function level [4], [5], [12] or within individual functions (e.g., randomly padding basic blocks [12], [13], [22], [23], [25], [36] or instructions [10], [11], [45]). ...
... The results were gathered with version 4.8.4 of the gcc compiler. STABILIZER [9], Marlin [14] and selfrando [6] rerandomize at function boundaries while STIR [26], Remix [5] and Chronomorph [12] rerandomize at basic block boundaries. 3 No matter whether the system rerandomizes at basic block or function boundaries, the compiler determines the granularity. ...
Mixr is a novel moving target defense (MTD) system that improves on the traditional address space layout randomization (ASLR) security technique by giving security architects the tools to add "runtime ASLR" to existing software programs and libraries without access to their source code or debugging information and without requiring changes to the host's linker, loader or kernel. Runtime ASLR systems rerandomize the code of a program/library throughout execution at rerandomization points and with a particular granularity. The security professional deploying the Mixr system on a program/library has the flexibility to specify the frequency of runtime rerandomization and the granularity. For example, she/he can specify that the program rerandomizes itself on 60-byte boundaries every time the write() system call is invoked. The Mixr MTD of runtime ASLR protects binary programs and software libraries that are vulnerable to information leaks and attacks based on that information.
Mixr is an improvement on the state of the art in runtime ASLR systems. Mixr gives the security architect the flexibility to specify the rerandomization points and granularity and does not require access to the target program/library's source code, debugging information or other metadata. Nor does Mixr require changes to the host's linker, loader or kernel to execute the protected software. No existing runtime ASLR system offers those capabilities. The tradeoff is that applying the Mixr MTD of runtime ASLR protection requires successful disassembly of a program - something which is not always possible. Moreoever, the runtime overhead of a Mixr-protected program is non-trivial.
Mixr, besides being a tool for implementing the MTD of runtime ASLR, has the potential to further improve software security in other ways. For example, Mixr could be deployed to implement noise injection into software to thwart side-channel attacks using differential power analysis.
... Code diversification is an instance of fine-grained address space layout randomization (ASLR), a general randomization technique also applied to stack, heap, and static data memory [93], [69], [58], [31], [13], [12]. The goal of code diversification is to keep from the attacker any knowledge of the code and code locations using function/basic-block/instruction permutations [90], [72], [61], [55] or other randomization techniques [31], [28], [25], [10], [34], [56]. Without such knowledge, ROP [79], and other traditional code-reuse attacks [36], [20], [40], [59], [23], become much more complicated. ...
Code diversification is an effective strategy to prevent modern code-reuse exploits. Unfortunately, diversification techniques are inherently vulnerable to information disclosure. Recent diversification-aware ROP exploits have demonstrated that code disclosure attacks are a realistic threat, with an attacker able to read or execute arbitrary code memory and gather enough gadgets to bypass state-of-the-art code diversification defenses. In this paper, we present CodeArmor, a binary-level system to harden code diversification against all the existing read-based and execution-based code disclosure attacks. To counter such attacks, CodeArmor virtualizes the code space to completely decouple code pointer values from the concrete location of their targets in the memory address space. Using a combination of run-time randomization and pervasively deployed honey gadgets, code space virtualization probabilistically ensures that only code references that can legitimately be issued by the program are effectively translated to the concrete code space. This strategy significantly reduces the attack surface, limiting the attacker to only code pointer gadgets that can be leaked from data memory. In addition, unlike existing leakage-resistant code diversification techniques that provide similar security guarantees, CodeArmor requires no access to source code, hypervisors, or special hardware support. Our experimental results show that CodeArmor provides a strong line of defense against existing and future attacks, at the cost of only low average performance overhead (6.9% on SPEC and 14.5% on popular server programs, and even lower—roughly halving such average overheads—when operating aggressive inlining optimizations at the binary level).
