TY - GEN
T1 - Improving address space randomization with a dynamic offset randomization technique
AU - Xu, Haizhi
AU - Chapin, Steve J.
PY - 2006
Y1 - 2006
N2 - Address Space Randomization (ASR) techniques randomize process layout to prevent attackers from locating target functions. Prior ASR techniques have considered single-target attacks, which succeed if the attacker can locate a single, powerful system library function. These techniques are not sufficient to defend against chained return-into-lib(c) attacks, each of which calls a sequence of system library functions in order. In this paper, we propose a new ASR technique, code islands, that randomizes not only the base pointers of memory mapping (mmapping), but also relative distances between functions, maximally and dynamically. Our technique can minimize the utility of information gained in early probes of a chained return-into-lib(c) attack, for later stages of that attack. With a pre-defined rerandomization threshold, our code islands technique not only is exponentially more effective than any prior ASR technique in defending against brute-force searches for locations of multiple targets (a key component of chained return-into-lib(c) attacks), but can also maintain high service availability even under attack. Our overhead measurement on some well-known GNU applications shows that it takes less than 0.05 second to load/rerandomize a process with the necessary C system library functions using code islands, and our technique introduces a 3-10% run-time overhead from inter-island control transfers. We conclude that the code island technique is well-suited to dedicated multi-threaded servers.
AB - Address Space Randomization (ASR) techniques randomize process layout to prevent attackers from locating target functions. Prior ASR techniques have considered single-target attacks, which succeed if the attacker can locate a single, powerful system library function. These techniques are not sufficient to defend against chained return-into-lib(c) attacks, each of which calls a sequence of system library functions in order. In this paper, we propose a new ASR technique, code islands, that randomizes not only the base pointers of memory mapping (mmapping), but also relative distances between functions, maximally and dynamically. Our technique can minimize the utility of information gained in early probes of a chained return-into-lib(c) attack, for later stages of that attack. With a pre-defined rerandomization threshold, our code islands technique not only is exponentially more effective than any prior ASR technique in defending against brute-force searches for locations of multiple targets (a key component of chained return-into-lib(c) attacks), but can also maintain high service availability even under attack. Our overhead measurement on some well-known GNU applications shows that it takes less than 0.05 second to load/rerandomize a process with the necessary C system library functions using code islands, and our technique introduces a 3-10% run-time overhead from inter-island control transfers. We conclude that the code island technique is well-suited to dedicated multi-threaded servers.
KW - Address space randomization
KW - Code islands
KW - Denial-of-service attacks
KW - Derandomization attacks
KW - Intrusion mitigation
UR - http://www.scopus.com/inward/record.url?scp=33751041736&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33751041736&partnerID=8YFLogxK
U2 - 10.1145/1141277.1141364
DO - 10.1145/1141277.1141364
M3 - Conference contribution
AN - SCOPUS:33751041736
SN - 1595931082
SN - 9781595931085
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 384
EP - 391
BT - Applied Computing 2006 - The 21st Annual ACM Symposium on Applied Computing - Proceedings of the 2006 ACM Symposium on Applied Computing
PB - Association for Computing Machinery
T2 - 2006 ACM Symposium on Applied Computing
Y2 - 23 April 2006 through 27 April 2006
ER -