CODE REUSE ATTACKS MITIGATION : ANALYSIS AND NEW HYBRID TECHNIQUE / Ayman Mohammed El-Desokey El-Zoghby
Material type:
TextLanguage: English Summary language: English Publication details: 2021Description: 101 p. ill. 21 cmSubject(s): Genre/Form: DDC classification: - 658
| Item type | Current library | Call number | Status | Date due | Barcode | |
|---|---|---|---|---|---|---|
Thesis
|
Main library | 658 / A.Z.C / 2021 (Browse shelf(Opens below)) | Not for loan |
Browsing Main library shelves Close shelf browser (Hides shelf browser)
Supervisor: Marianne Azer
Thesis (M.A.)—Nile University, Egypt, 2021 .
"Includes bibliographical references"
Contents:
Chapter 1: Introduction ............................................................................................................................ 1
1.1 Research Motivation .......................................................................................................................... 4
1.2 Research Goals .................................................................................................................................. 5
1.3 Contribution ...................................................................................................................................... 5
1.4 Publications ....................................................................................................................................... 5
1.5 Outline ............................................................................................................................................... 6
Chapter 2 – Memory Safety Issues and Attacks ....................................................................................... 7
2.1 Memory Safety Issues ........................................................................................................................ 7
2.1.1 Buffer Overflow (Spatial Memory Safety) ................................................................................... 7
2.1.2 Use-after free (Temporal Memory Safety).................................................................................. 8
2.1.3 Type-confusion ............................................................................................................................ 8
2.2 Memory Protection .......................................................................................................................... 10
2.3 Control-Flow Attacks ........................................................................................................................ 10
2.3.1 Control-Flow Attacks Foundation ............................................................................................. 11
A) Code Injection Attacks ............................................................................................................... 12
B) Code-Reuse Attacks ................................................................................................................... 12
2.4 Computer Memory Structure ........................................................................................................... 13
2.4.1 Stack Frame ............................................................................................................................... 13
2.4.2 Function Epilogue and Function Prologue ................................................................................ 14
2.5 Code Injection Attack and Mitigation Overview .............................................................................. 15
2.5.1 Data Execution Prevention ........................................................................................................ 17
2.5.2 Return-into-libc ......................................................................................................................... 17
2.5.3 Return-Oriented Programming ................................................................................................. 20
2.5.3.1 Gadget Creation ................................................................................................................. 21
2.5.3.2 Real-World Exploits ............................................................................................................ 22
2.5.4 Address Space Layout Randomization (ASLR) ........................................................................... 24
2.5.4.1 Address Space Layout Randomization (ASLR) Limitations ................................................. 26
2.6 Control-Flow Integrity (CFI) .......................................................................................................... 26
2.6.1 CFI for Indirect Jumps ............................................................................................................ 28
v
2.6.2 CFI for Indirect Calls .............................................................................................................. 29
2.6.3 CFI for Function Returns ........................................................................................................ 30
2.6. Summary ........................................................................................................................................ 33
Chapter 3 –Evaluation and Analysis of Code-Reuse Attacks Mitigation Techniques ............................. 35
3.1 Mitigations Based on Control-Flow Integrity ................................................................................... 36
3.1.1 The Original Control-Flow Integrity (CFI) .................................................................................. 37
3.1.1.1 Technique Methodology .................................................................................................... 37
3.1.1.2 Technique Advantages ....................................................................................................... 39
3.1.1.3 Technique Disadvantages ................................................................................................... 39
3.1.1.4 Technique implementation ................................................................................................ 40
3.1.2 Control Flow Integrity for COTS Binaries (Bin-CFI) .................................................................... 40
3.1.2.1 Technique Methodology .................................................................................................... 40
3.1.2.2 Technique Advantages ....................................................................................................... 41
3.1.2.3 Technique Disadvantages ................................................................................................... 42
3.1.2.4 Technique Implementation details .................................................................................... 42
3.1.3 Practical CFI (per-Input CFI) ....................................................................................................... 42
3.1.3.1 Technique Methodology .................................................................................................... 42
3.1.3.2 Technique Advantages ....................................................................................................... 43
3.1.3.3 Technique Disadvantages ................................................................................................... 43
3.1.3.4 Technique Implementation ................................................................................................ 43
3.1.4 Control-Flow Locking ................................................................................................................. 43
3.1.4.1 Technique Methodology .................................................................................................... 43
3.1.4.2 Technique Advantages ....................................................................................................... 44
3.1.4.3 Technique Disadvantages ................................................................................................... 44
3.1.4.4 Technique Implementation ................................................................................................ 44
3.1.5 Compact Control Flow Integrity and Randomization (CCFIR) ................................................... 45
3.1.5.1 Technique Methodology .................................................................................................... 45
3.1.5.2 Technique Advantages ....................................................................................................... 46
3.1.5.3 Technique Disadvantages ................................................................................................... 46
3.1.5.4 Technique Implementation ................................................................................................ 46
3.1.6 Multi Architecture Binary Rewrite ............................................................................................ 46
3.1.6.1 Technique Methodology .................................................................................................... 47
vi
3.1.6.2 Technique Advantages ....................................................................................................... 47
3.1.6.3 Technique Disadvantages ................................................................................................... 47
3.1.6.4 Technique Implementation ................................................................................................ 47
3.1.7 Code Pointer Integrity ............................................................................................................... 48
3.1.7.1 Technique Methodology .................................................................................................... 48
3.1.7.2 Technique Advantages ....................................................................................................... 48
3.1.7.3 Technique Disadvantages ................................................................................................... 48
3.1.7.4 Technique Implementation ................................................................................................ 49
3.2 Mitigations Based on Instruction Rewriting ..................................................................................... 49
3.2.1 In Place Randomization ............................................................................................................. 49
3.2.1.1 Technique Methodology .................................................................................................... 49
3.2.1.2 Technique Advantages ....................................................................................................... 50
3.2.1.3 Technique Disadvantages ................................................................................................... 50
3.2.1.4 Technique Implementation ................................................................................................ 50
3.2.2 NORAX ...................................................................................................................................... 51
3.2.2.1 Technique Methodology .................................................................................................... 51
3.2.2.2 Technique Advantages ....................................................................................................... 51
3.2.2.3 Technique Disadvantages ................................................................................................... 51
3.2.2.4 Technique Implementation ................................................................................................ 52
3.2.3 Return-less kernels. ................................................................................................................... 52
3.2.3.1 Technique Methodology .................................................................................................... 52
3.2.3.2 Technique Advantages ....................................................................................................... 52
3.2.3.3 Technique Disadvantages ................................................................................................... 53
3.2.3.4 Technique Implementation ................................................................................................ 53
3.3 Mitigations Based on Instruction Monitoring .................................................................................. 53
3.3.1 ROPDefender ............................................................................................................................. 53
3.3.1.1 Technique Methodology .................................................................................................... 53
3.3.1.2 Technique Advantages ....................................................................................................... 54
3.3.1.3 Technique Disadvantages ................................................................................................... 54
3.3.1.4 Technique Implementation ................................................................................................ 54
3.3.2 kBouncer .................................................................................................................................. 55
3.3.2.1 Technique Methodology .................................................................................................... 55
vii
3.3.2.2 Technique Advantages ....................................................................................................... 56
3.3.2.3 Technique Disadvantages ................................................................................................... 56
3.3.2.4 Technique Implementation ................................................................................................ 56
3.3.3 ROPecker .................................................................................................................................. 57
3.3.3.1 Technique Methodology .................................................................................................... 57
3.3.3.2 Technique Advantages ....................................................................................................... 57
3.3.3.3 Technique Disadvantages ................................................................................................... 58
3.3.3.4 Technique Implementation ................................................................................................ 58
3.3.4 ROPGuard . ............................................................................................................................... 58
3.3.4.1 Technique Methodology .................................................................................................... 58
3.3.4.2 Technique Advantages ....................................................................................................... 59
3.3.4.3 Technique Disadvantages ................................................................................................... 59
3.3.4.4 Technique Implementation details .................................................................................... 59
3.3.5 Detecting return-oriented programming malicious code (DROP) ............................................ 60
3.3.5.1 Technique Methodology .................................................................................................... 60
3.3.5.2 Technique Advantages ....................................................................................................... 60
3.3.5.3 Technique Disadvantages ................................................................................................... 61
3.3.5.4 Technique Implementation details .................................................................................... 61
3.3.6 Zero-sum Defender ................................................................................................................... 61
3.3.6.1 Technique Methodology .................................................................................................... 61
3.3.6.2 Technique Advantages ....................................................................................................... 61
3.3.6.3 Technique Disadvantages ................................................................................................... 62
3.3.6.4 Technique Implementation details .................................................................................... 62
3.4 Mitigations Based on Memory Randomization ................................................................................ 62
3.4.1 Binary Stirring ............................................................................................................................ 62
3.4.1.1 Technique Methodology .................................................................................................... 62
3.4.1.2 Technique Advantages ....................................................................................................... 63
3.4.1.3 Technique Disadvantages ................................................................................................... 63
3.4.1.4 Technique Implementation details .................................................................................... 63
3.4.2 KAISER ...................................................................................................................................... 64
3.4.2.1 Technique Methodology .................................................................................................... 64
3.4.2.2 Technique Advantages ....................................................................................................... 64
viii
3.4.2.3 Technique Disadvantages ................................................................................................... 65
3.4.2.4 Technique Implementation details .................................................................................... 65
3.4.3 Marlin ....................................................................................................................................... 65
3.4.3.1 Technique Methodology .................................................................................................... 65
3.4.3.2 Technique Advantages ....................................................................................................... 65
3.4.3.3 Technique Disadvantages ................................................................................................... 66
3.4.3.4 Technique Implementation details .................................................................................... 66
3.4.4 Instruction Location Randomization ......................................................................................... 66
3.4.4.1 Technique Methodology .................................................................................................... 66
3.4.4.2 Technique Advantages ....................................................................................................... 67
3.4.4.3 Technique Disadvantages ................................................................................................... 67
3.4.4.4 Technique Implementation details .................................................................................... 67
3.5 Mitigations Based on Input Scanning ............................................................................................... 68
3.5.1 ROPScan ................................................................................................................................... 68
3.5.1.1 Technique Methodology .................................................................................................... 68
3.5.1.2 Technique Advantages ....................................................................................................... 69
3.5.1.3 Technique Disadvantages ................................................................................................... 69
3.5.1.4 Technique Implementation details .................................................................................... 69
3.6 Comparison of Code-Reuse Mitigations ........................................................................................... 69
3.6.1 Impact on Performance............................................................................................................. 70
3.6.2 Universality and Completeness ................................................................................................. 70
3.6.3 Effectiveness ............................................................................................................................. 71
3.7. Summary ........................................................................................................................................ 75
Chapter 4: Hybrid Code-Reuse Protection System ................................................................................ 77
4.1 Ghent University Multi-Variant Execution Environment (GHUMVEE) System Overview ................ 77
4.1.1 GHUMVEE Operation Methodology.......................................................................................... 79
4.1.2 GHUMVEE as a ROP Defense .................................................................................................... 83
4.1.3 GHUMVEE Evaluation as a Code-reuse Mitigation Technique .................................................. 83
4.1.4 Relaxed-Monitoring (ReMon) System ....................................................................................... 84
4.2 Gadget-Free Binaries (G-Free) .......................................................................................................... 85
4.2.1 G-Free Technique Overview ...................................................................................................... 85
4.2.1 G-Free Technique Evaluation .................................................................................................... 87
ix
4.3 A Proposed Hybrid System to Mitigate Code-Reuse Attacks using G-Free and GHUMVEE (NG-MVEE). ................................................................................................................................................... 87
4.4 Experiment Setup and Results ......................................................................................................... 89
4.5 Hybrid System Evaluation ................................................................................................................ 93
Chapter 5: Conclusions and Future Work .............................................................................................. 95
5.1 Future Work .................................................................................................................................... 95
References ...............................................................................................................................
Abstract:
Code-Reuse Attacks (CRA) are established attack mechanisms employed to bypass advanced software-based and hardware-based defenses. The prevalence of software vulnerabilities and weak memory protection practices allow attackers to corrupt the memory space of the vulnerable applications to run a malicious arbitrary code. More than twenty code-reuse mitigation techniques have been evaluated, analyzed, and compared. The comparison aims to point out the added-value of these defenses and the shortcomings as well. Each code-reuse defense mechanism has scope limitations and restrictive prerequisites; which allow attackers to bypass suggested defenses eventually.
Our research aim is to explore the possibility of aggregating different defenses to provide enhanced protection against code-reuse attacks. A novel mitigation framework is proposed in our research which is a hybrid mechanism combining two different mitigation techniques. The first technique is called Gadget Free (G-Free) which focuses on removing malicious code-snippets (i.e., gadgets) from system libraries and binary code during compile-time. The second technique adopts the Moving Target Defense (MTD) protection concept. This technique is called Ghent University Multi-Variant Execution Environment (GHUMVEE). GHUMVEE provides run-time and compile-time protection against code-reuse attacks by monitoring the execution of multi-variants of the same program and observer if a program instance is misbehaving because of successful exploitations.
Text in English, abstracts in English.
There are no comments on this title.