Shuffler: Fast and Deployable Continuous Code Re-Randomization
David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake,
Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis, Junfeng Yang, William Aiello
OSDI 2016
Software Remains Vulnerable
● High-profile server breaches are commonplace
● 90% of today’s attacks utilize ROP [1]
Return-Oriented Programming
● Reuse fragments of legitimate code (gadgets)
[Diagram: Program code (func_1, func_2, func_3) and the Stack; a Buffer Overrun overwrites the saved ret addr entries with data, forming a ROP gadget chain through fragments of the program code]
Modern ROP Attacks
● JIT-ROP [2]: iteratively read code at runtime
[Diagram: the Attacker repeatedly reads func_1, func_2, func_3 from the Target program, assembles a ROP gadget chain from what was read, then injects the exploit]
The Shuffler Idea
● What if we re-randomize code more rapidly than an attacker discovers gadgets?
[Diagram: the code (func_1, func_2, func_3) is re-randomized while the attacker is still building the ROP gadget chain, so by the time the exploit is injected the gadget addresses point at "??"]
How Is This Possible?
● Re-randomize code before an attacker uses it
– faster than disclosure vulnerability execution time;
– faster than gadget chain computation time;
– or, faster than network communication time
● one memory disclosure can only travel 820 miles!
What Is Shuffler?
● Defense based on continuous re-randomization
– Defeats all known code reuse attacks
– 20-50 millisecond shuffling, scales to 24 threads
● Fast: bounds attacker’s available time
– Defeats even attackers with zero network latency
● Deployable
– Binary analysis w/o modifying kernel, compiler, ...
● Egalitarian
– Shuffler runs in same address space, defends itself
Outline
1. Continuous re-randomization
2. Accelerating our randomization
3. Binary analysis and egalitarianism
4. Results and Demo
Continuous Re-Randomization
● Easy to copy code & fix direct references
[Diagram: func_1 contains "call func_2"; func_2 is copied to a new location, the call is fixed up to the new copy, and the old copy is deleted]
● What about code pointers?
[Diagram: func_1 contains "mov $func_2, ptr ... call *ptr"; ptr holds &func_2, which still points at the deleted old copy after func_2 moves]
● How to update all propagated pointers?
[Diagram: &func_2 has been copied into many locations in memory, each of which would need updating]
● Solution: add extra level of indirection
[Diagram: ptr holds f_2_idx, an index into a table at %gs:; the table entry holds &func_2 and is the only location updated when func_2 moves and the old copy is deleted]
37
Code Pointer Abstraction
● Transforming *code_ptr into **code_ptr– Correctness: pointer updates sound & precise
– Disclosure-resilience: code ptr table is hidden
![Page 38: Shuffler: Fast and Deployable Continuous Code Re …...Return-Oriented Programming ... permutation Make new code copy Fix call instructions Update code pointer table Stack unwind Stack](https://reader034.vdocuments.us/reader034/viewer/2022050521/5fa466830a7b3b52a40177fa/html5/thumbnails/38.jpg)
38
Code Pointer Abstraction
● Transforming *code_ptr into **code_ptr– Correctness: pointer updates sound & precise
– Disclosure-resilience: code ptr table is hidden
f_2_idxptr: func_2
func_2
...%gs:
...
![Page 39: Shuffler: Fast and Deployable Continuous Code Re …...Return-Oriented Programming ... permutation Make new code copy Fix call instructions Update code pointer table Stack unwind Stack](https://reader034.vdocuments.us/reader034/viewer/2022050521/5fa466830a7b3b52a40177fa/html5/thumbnails/39.jpg)
39
Code Pointer Abstraction
● Transforming *code_ptr into **code_ptr– Correctness: pointer updates sound & precise
– Disclosure-resilience: code ptr table is hidden
f_2_idxptr: func_2
func_2
...%gs:
...
mov $0x40054d, %rax
=> mov $0x20, %rax
Rewrite initialization pointsRewrite call sites callq *%rax
=> callq *%gs:(%rax)
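The following is an added model of the code pointer abstraction, not Shuffler's own code. It stands in "code memory" with an array of slots, so a function's "address" is the slot it currently occupies, and replaces the %gs:-relative table with a plain array that the program's data never points to. The layouts, slot numbers and the name F_2_IDX are constructed for the demonstration. It shows the defect the slides describe (a raw &func_2 captured before a shuffle runs whatever code now lives at that address) beside the rewritten form (the program stores f_2_idx and reaches func_2 through the table, so a shuffle only has to update one table entry):

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed model, not Shuffler's code: "code memory" is an array of slots and a
 * function's "address" is the slot it currently occupies. Re-randomizing means moving
 * functions to new slots and freeing the old ones. */
#define NFUNCS 3
#define NSLOTS 8
#define F_2_IDX 1   /* the table index that replaces &func_2 in the rewritten program */

typedef int (*handler_fn)(int);

static int func_1(int x) { return x + 1; }
static int func_2(int x) { return x * 2; }
static int func_3(int x) { return x - 3; }

static handler_fn const funcs[NFUNCS] = { func_1, func_2, func_3 };

/* Simulated code memory: which function currently lives at each slot (NULL = freed). */
static handler_fn code_slots[NSLOTS];

/* The code pointer table (stands in for the %gs:-relative table, which the program's
 * data pointers never reveal): entry i holds the current slot of funcs[i]. */
static size_t code_ptr_table[NFUNCS];

/* Move every function to layout[i] and update the table. Only the table changes;
 * indices the program has stored anywhere stay valid. */
void shuffle_code(const size_t layout[NFUNCS])
{
    memset(code_slots, 0, sizeof code_slots);
    for (size_t i = 0; i < NFUNCS; i++) {
        code_slots[layout[i]] = funcs[i];
        code_ptr_table[i] = layout[i];
    }
}

/* Original program: mov $func_2, ptr ... call *ptr -- a raw code address. */
int call_raw(size_t raw_addr, int arg)
{
    handler_fn fn = code_slots[raw_addr];
    return fn ? fn(arg) : -1;          /* -1: the slot was freed by a shuffle */
}

/* Rewritten program: mov $f_2_idx, ptr ... call *%gs:(ptr) -- one extra dereference. */
int call_indirect(size_t idx, int arg)
{
    return code_slots[code_ptr_table[idx]](arg);
}

/* Two constructed layouts: before and after one re-randomization. */
static const size_t layout_before[NFUNCS] = { 0, 1, 2 };
static const size_t layout_after[NFUNCS]  = { 1, 4, 6 };   /* func_1 now sits where func_2 was */

/* The program captures a pointer to func_2 under layout_before, then (optionally) a shuffle
 * happens, then it calls through the captured value with argument 10. */
int raw_pointer_call(int shuffled)
{
    shuffle_code(layout_before);
    size_t captured = code_ptr_table[F_2_IDX];     /* raw &func_2, i.e. slot 1 */
    if (shuffled) shuffle_code(layout_after);
    return call_raw(captured, 10);
}

int indirect_pointer_call(int shuffled)
{
    shuffle_code(layout_before);
    size_t captured = F_2_IDX;                     /* f_2_idx, never a real address */
    if (shuffled) shuffle_code(layout_after);
    return call_indirect(captured, 10);
}

int main(void)
{
    printf("raw pointer:      before shuffle %d, after shuffle %d\n",
           raw_pointer_call(0), raw_pointer_call(1));
    printf("indirect pointer: before shuffle %d, after shuffle %d\n",
           indirect_pointer_call(0), indirect_pointer_call(1));
    return 0;
}
```

Before the shuffle both forms compute func_2(10) = 20. After it the raw pointer lands in func_1 and returns 11, which is exactly the "propagated pointers" problem of the previous slides, while the index still reaches func_2 because only code_ptr_table changed. The disclosure-resilience point is modeled too: everything the program stores is an index, so reading its data reveals nothing about where code currently lives.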
Outline
1. Continuous re-randomization
2. Accelerating our randomization
3. Binary analysis and egalitarianism
4. Results and Demo
Return Address Encryption
● Return addresses are code pointers too
● Could use code pointer table, but inefficient
– call/ret instructions highly optimized
● Alternative mechanism – correct and hidden
– Use normal call instructions
– Encrypt return addresses with XOR key
Return Address Encryption
● Prevent return address disclosure
● We use binary rewriting (expand basic blocks)
[Diagram: the Thread Stack holds the return addresses into func_1, func_2 and func_3 XORed with a per-thread XOR key, so every stored slot reads "(encrypted)"]
func:
mov %fs:0x28,%r11
xor %r11,(%rsp)
; original code
mov %fs:0x28,%r11
xor %r11,(%rsp)
ret
Return Address Migration
● Unwind stack and re-encrypt new addresses
[Diagram: the Thread Stack's encrypted return addresses are decrypted with the XOR key, redirected from the old copies of func_1, func_2, func_3 to the new copies, re-encrypted, and the old copies are deleted]
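The next block is an added model of the two preceding slides (return address encryption and return address migration); it is not code from the paper. The per-thread key that the rewritten prologue and epilogue read from %fs:0x28 becomes a constant, the function placements and return addresses are constructed, and the stack walk is replaced by an array of the slots such a walk would visit (a real unwinder would locate them from unwind metadata). It carries a constructed three-frame stack through encrypt, shuffle, migrate and decrypt, and shows what happens to a slot that holds a raw, unencrypted address:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Constructed model, not Shuffler's code: return addresses live in an array that stands in
 * for the slots a stack walk would visit, and functions are [base, base+size) ranges. */
typedef struct { const char *name; uint64_t base; uint64_t size; } func_copy;

#define NFUNCS 3
#define STACK_DEPTH 3

/* Stands in for the per-thread key the rewritten prologue/epilogue read from %fs:0x28. */
static const uint64_t thread_key = 0x5a5a00ff13579bdfULL;

/* Prologue instrumentation (xor %r11,(%rsp) right after the call) and its epilogue inverse. */
uint64_t encrypt_ret(uint64_t ret_addr, uint64_t key) { return ret_addr ^ key; }
uint64_t decrypt_ret(uint64_t slot, uint64_t key)     { return slot ^ key; }

/* Map an address inside an old code copy to the same offset inside the new copy.
 * Returns 0 when the address falls in no known function. */
uint64_t translate(uint64_t addr, const func_copy *old, const func_copy *fresh, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= old[i].base && addr < old[i].base + old[i].size)
            return fresh[i].base + (addr - old[i].base);
    return 0;
}

/* Migration: for each return-address slot, decrypt, redirect into the new copy, re-encrypt.
 * Returns the number of slots migrated, or -1 if a slot did not decrypt to a known code
 * address (in this model that stops the migration instead of writing a bogus target). */
int migrate_stack(uint64_t *slots, size_t depth, uint64_t key,
                  const func_copy *old, const func_copy *fresh, size_t n)
{
    for (size_t i = 0; i < depth; i++) {
        uint64_t moved = translate(decrypt_ret(slots[i], key), old, fresh, n);
        if (moved == 0) return -1;
        slots[i] = encrypt_ret(moved, key);
    }
    return (int)depth;
}

/* Constructed layouts: where func_1..3 were, and where the shuffle just copied them. */
static const func_copy old_layout[NFUNCS] = {
    { "func_1", 0x400500, 0x40 }, { "func_2", 0x400540, 0x30 }, { "func_3", 0x400570, 0x50 },
};
static const func_copy new_layout[NFUNCS] = {
    { "func_1", 0x7f0000001000ULL, 0x40 },
    { "func_2", 0x7f0000002000ULL, 0x30 },
    { "func_3", 0x7f0000003000ULL, 0x50 },
};
/* Plaintext return addresses of a func_1 -> func_2 -> func_3 call chain (constructed). */
static const uint64_t plain_rets[STACK_DEPTH] = { 0x400512, 0x400548, 0x400591 };

/* Encrypt the constructed stack, migrate it, and return the decrypted i-th slot (0 on failure). */
uint64_t demo_migrated_ret(size_t i)
{
    uint64_t stack[STACK_DEPTH];
    for (size_t k = 0; k < STACK_DEPTH; k++) stack[k] = encrypt_ret(plain_rets[k], thread_key);
    if (migrate_stack(stack, STACK_DEPTH, thread_key, old_layout, new_layout, NFUNCS) < 0) return 0;
    return i < STACK_DEPTH ? decrypt_ret(stack[i], thread_key) : 0;
}

/* A slot holding a raw, unencrypted address (what a buffer overrun leaves behind) decrypts
 * to a value outside every function, so the migration refuses it. Returns 1 if refused. */
int demo_raw_slot_rejected(void)
{
    uint64_t stack[STACK_DEPTH] = { 0x400512,
                                    encrypt_ret(0x400548, thread_key),
                                    encrypt_ret(0x400591, thread_key) };
    return migrate_stack(stack, STACK_DEPTH, thread_key, old_layout, new_layout, NFUNCS) == -1;
}

int main(void)
{
    for (size_t i = 0; i < STACK_DEPTH; i++)
        printf("slot %zu: 0x%" PRIx64 " -> 0x%" PRIx64 "\n", i, plain_rets[i], demo_migrated_ret(i));
    printf("raw slot rejected: %d\n", demo_raw_slot_rejected());
    return 0;
}
```

Two properties of the slides are visible here. While a frame is live its slot never holds a plaintext address, so a read of the stack discloses nothing about code placement without the key; and migration only needs to know the old and new placement of each function, since a return address is an offset into its function and the offset survives the copy.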
Asynchronous Randomization
● Creating new code copies takes time
● Shuffler prepares new code asynchronously
● Each thread unwinds its own stack in parallel
[Diagram: in a 20ms shuffle period, a synchronous shuffle spends 15ms on shuffling overhead (Generate permutation, Make new code copy, Fix call instructions, Update code pointer table, Stack unwind) and leaves 5ms for real work; with asynchronous preparation the application gets 19.94ms of real work and pauses only 0.06ms for the Stack unwind, i.e. 99.7% of runtime for computations vs 0.3% for shuffling]
57
Outline
1. Continuous re-randomization
2. Accelerating our randomization
3. Binary analysis and egalitarianism
4. Results and Demo
Augmented Binary Analysis
● Use additional info from unmodified compilers
– Symbols, to distinguish code and data (no -s)
– Relocations, to find all code pointers (--emit-relocs)
● ask linker to preserve relocations
Code pointer, or integer?
.section .rodata: .quad 0x400620
.section .text: mov $0x400620, %rax
.section .rodata: .quad 4195872
.section .text: mov $4195872, %rax
Relocations (meta-data) tell the two apart
● Allows accurate and complete disassembly
● Many special cases, but we handle them
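The following is an added example of the "code pointer, or integer?" decision, written for this page rather than taken from the paper or its tool. It defines the ELF64 RELA entry layout locally (the same fields as Elf64_Rela in <elf.h>) and uses the real x86-64 relocation type numbers for the absolute-address relocations. The symbol table, the relocation entries and the addresses are constructed: the slide's mov $0x400620, %rax is assumed to sit at 0x400700 with the encoding 48 c7 c0 <imm32>, so its immediate is at 0x400703, and a second .quad holding the same value 4195872 is placed at 0x400808 with no relocation. The classifier answers from metadata alone, never from the value of the bytes:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Layout of an ELF64 RELA entry (same fields as Elf64_Rela in <elf.h>, defined locally so
 * this constructed example stays self-contained). */
typedef struct { uint64_t r_offset; uint64_t r_info; int64_t r_addend; } rela_entry;

#define RELA_TYPE(info) ((uint32_t)((info) & 0xffffffffu))
#define RELA_SYM(info)  ((uint32_t)((info) >> 32))

/* x86-64 relocation types whose result is an absolute address. PC-relative types
 * (e.g. R_X86_64_PC32 = 2, the "call func_2" case) are direct references, fixed up by
 * patching the copied code rather than through the pointer table. */
enum { R_X86_64_64 = 1, R_X86_64_32 = 10, R_X86_64_32S = 11 };

enum operand_kind { OPERAND_INTEGER = 0, OPERAND_CODE_POINTER = 1, OPERAND_DATA_POINTER = 2 };

/* Minimal symbol table: does the symbol a relocation refers to live in .text? */
typedef struct { const char *name; int in_text; } sym_entry;

/* Decide what the constant stored at address `loc` is, using only relocation metadata.
 * Without a matching absolute relocation the bytes are an integer, whatever value they hold. */
enum operand_kind classify_location(uint64_t loc, const rela_entry *relas, size_t nrelas,
                                    const sym_entry *syms, size_t nsyms)
{
    for (size_t i = 0; i < nrelas; i++) {
        if (relas[i].r_offset != loc) continue;
        uint32_t type = RELA_TYPE(relas[i].r_info), sym = RELA_SYM(relas[i].r_info);
        if (type != R_X86_64_64 && type != R_X86_64_32 && type != R_X86_64_32S) continue;
        if (sym >= nsyms) return OPERAND_INTEGER;     /* malformed entry: do not trust it */
        return syms[sym].in_text ? OPERAND_CODE_POINTER : OPERAND_DATA_POINTER;
    }
    return OPERAND_INTEGER;
}

/* Every location a rewriter must turn into a table index: walk the relocations, not the bytes. */
size_t count_code_pointer_sites(const rela_entry *relas, size_t nrelas,
                                const sym_entry *syms, size_t nsyms)
{
    size_t count = 0;
    for (size_t i = 0; i < nrelas; i++)
        if (classify_location(relas[i].r_offset, relas, nrelas, syms, nsyms) == OPERAND_CODE_POINTER)
            count++;
    return count;
}

/* Constructed symbol table. */
static const sym_entry syms[] = {
    { "",       0 },   /* index 0 is STN_UNDEF */
    { "func_2", 1 },   /* a function: relocations against it produce code pointers */
    { "table",  0 },   /* a data object */
};

/* Constructed relocations, as --emit-relocs would leave them in .rela.rodata / .rela.text. */
static const rela_entry relas[] = {
    { 0x400800, ((uint64_t)1 << 32) | R_X86_64_64,  0 },  /* .rodata: .quad func_2        */
    { 0x400703, ((uint64_t)1 << 32) | R_X86_64_32S, 0 },  /* .text:   mov $func_2, %rax    */
    { 0x400810, ((uint64_t)2 << 32) | R_X86_64_64,  8 },  /* .rodata: .quad table+8       */
};
/* 0x400808 also holds the 8 bytes 0x400620 (== 4195872) but has no relocation: an integer. */

enum operand_kind demo_classify(uint64_t loc)
{
    return classify_location(loc, relas, sizeof relas / sizeof relas[0],
                             syms, sizeof syms / sizeof syms[0]);
}

size_t demo_code_pointer_sites(void)
{
    return count_code_pointer_sites(relas, sizeof relas / sizeof relas[0],
                                    syms, sizeof syms / sizeof syms[0]);
}

int main(void)
{
    static const char *names[] = { "integer", "code pointer", "data pointer" };
    const uint64_t probes[] = { 0x400800, 0x400703, 0x400808, 0x400810 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("0x%" PRIx64 ": %s\n", probes[i], names[demo_classify(probes[i])]);
    printf("code pointer sites to rewrite: %zu\n", demo_code_pointer_sites());
    return 0;
}
```

On a real binary the same information comes from the linker: build with -Wl,--emit-relocs and do not strip (no -s), then readelf -r lists the entries this block constructs by hand. The two constants that equal 0x400620 are indistinguishable by value; only the relocation against func_2 marks the first two as code pointers, and only the symbol's section separates them from the pointer into table.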
Where to Re-Randomize From
● Most defenses operate at higher privilege level
– i.e. kernel, hypervisor, hardware
– Or else declare their own code “trusted”
● Shuffler is egalitarian
– Same level of privilege, no system modifications
– Defends itself from attack
69
Egalitarian Bootstrapping
● Problem: transformations break original code
– e.g. memcpy uses code pointers
Rewrite main, printf, ..., memcpy, ...
memcpy’s code:
mov 0x400620(,%rax,8),%rax
jmpq *%rax
memcpy’s jump table:
0x400620: 0x400508 0x400514
0x400630: 0x400520 0x40052c
0x400640: 0x400538 0x400544
71
Egalitarian Bootstrapping
● Problem: transformations break original code
– e.g. memcpy uses code pointers
Rewrite main, printf, ..., memcpy, ...
memcpy’s code:
mov 0x400620(,%rax,8),%rax
jmpq *%rax
New memcpy code:
mov 0x400620(,%rax,8),%rax
jmpq *%gs:(%rax)
Rewritten jump table:
0x400620: 0x20 0x28
0x400630: 0x30 0x88
0x400640: 0x40 0x48
Invalidates memcpy jump table
But rewrite process uses (old) memcpy
??
73
Egalitarian Bootstrapping
● Problem: transformations break original code
– e.g. memcpy uses code pointers
● Solution: use two copies of Shuffler
[Diagram (slides 73-75): Loader, Shuffler stage 1, Shuffler stage 2, Other libraries, C library, Program; arrows labelled "loads", "rewrites", "invokes" and "erases"]
76
Egalitarian Bootstrapping
● Problem: transformations break original code
– e.g. memcpy uses code pointers
● Solution: use two copies of Shuffler
– Make new copies
[Diagram (slides 76-79): the stack Shuffler stage 2, Other libraries, C library, Program, shown next to a fresh copy of the same stack]
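The jump-table transformation on the memcpy slides above, and the hazard of rewriting that table in place, as an added Python simulation that is not Shuffler's code: the function names and addresses are constructed, the %gs-relative code pointer table is modelled as a dict, and a KeyError stands in for a jump to an unmapped address.

```python
import random

# Constructed names for the jump-table targets (stand-ins for memcpy's size cases).
FUNCS = ["copy_8", "copy_16", "copy_32", "copy_64", "copy_128", "copy_256"]


class Image:
    """Constructed model of one process image: the code layout plus the
    per-thread code pointer table that the rewritten code reaches via %gs."""

    def __init__(self, base=0x400500, seed=1):
        self.rng = random.Random(seed)
        # Code layout: address -> index of the function that lives there.
        self.layout = {base + 0xc * i: i for i in range(len(FUNCS))}
        # %gs-relative code pointer table: table offset -> current address.
        self.code_table = {0x20 + 8 * i: base + 0xc * i for i in range(len(FUNCS))}
        # Original memcpy jump table: absolute code addresses.
        self.jt_old = [base + 0xc * i for i in range(len(FUNCS))]
        # Rewritten jump table: offsets into the code pointer table.
        self.jt_new = [0x20 + 8 * i for i in range(len(FUNCS))]

    def dispatch_old(self, idx):
        # mov 0x400620(,%rax,8),%rax ; jmpq *%rax
        return FUNCS[self.layout[self.jt_old[idx]]]

    def dispatch_new(self, idx):
        # mov 0x400620(,%rax,8),%rax ; jmpq *%gs:(%rax)
        return FUNCS[self.layout[self.code_table[self.jt_new[idx]]]]

    def shuffle(self):
        """One re-randomization: relocate every function, then update only
        the code pointer table; the rewritten jump table needs no change."""
        order = list(range(len(FUNCS)))
        self.rng.shuffle(order)
        base = self.rng.randrange(0x7f0000000000, 0x7fff00000000, 0x1000)
        self.layout = {base + 0xc * slot: i for slot, i in enumerate(order)}
        for addr, i in self.layout.items():
            self.code_table[0x20 + 8 * i] = addr

    def rewrite_in_place(self):
        """Naive bootstrapping: overwrite memcpy's jump table with offsets
        while the old, still-running memcpy treats the entries as addresses."""
        self.jt_old = list(self.jt_new)


def resolve(dispatch, idx):
    """Target name, or 'CRASH' when the dispatch uses an unmapped address."""
    try:
        return dispatch(idx)
    except KeyError:
        return "CRASH"
```

After shuffle(), dispatch_new still reaches every target while dispatch_old, holding stale absolute addresses, fails; rewrite_in_place() shows why the rewriter must not run on the very memcpy it is transforming, which is what the two-copy bootstrap avoids.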
80
Outline
1. Continuous re-randomization
2. Accelerating our randomization
3. Binary analysis and egalitarianism
4. Results and Demo
82
Performance Evaluation
● SPEC CPU overhead at 50ms = 14.9%
● Multiprocess Nginx up to 24 workers
84
Security Evaluation
● Two disclosure-based attack methodologies:
– Scan many pages for the desired gadgets
● impacted by disclosure time, network latency
– Explore gadget space in small number of pages
● impacted by ROP chain computation time (> 40 seconds)
● Published JIT-ROP takes 2300-378000 ms
● We can re-randomize typically every 20-50 ms
85
Demo
88
Conclusion
● Continuous re-randomization every 20-50 ms
● Fast:
– Defeats all known code reuse attacks
– Asynchronous shuffling offloads overhead
● Deployable:
– Binary analysis w/o modifying kernel, compiler, ...
● Egalitarian:
– No additional privileges required
– Shuffler defends its own code
90
Related Work
● JIT-ROP, SOSP 2013
● Oxymoron, Usenix Sec 2014
● Code Pointer Integrity, OSDI 2014
● Stabilizer, SIGARCH 2013
● Remix, CODASPY 2016
● TASR, CCS 2015
● ...more related work in our paper
[1] https://securityintelligence.com/anti-rop-a-moving-target-defense/
[2] http://www.ieee-security.org/TC/SP2013/papers/4977a574.pdf
91
Future Work
● Translating stack unwind information
– Breaks C++ exceptions, pthread_cancel, etc.
● Cannot shuffle the loader currently
– Breaks dlopen
● If shuffling takes too long, no mechanism to pause target program
92
Shuffler Thread Performance
● Asynchronous shuffling runs quickly
● Synchronous runtime is 0.3% of total runtime
93
Scalability
● Tradeoff for server workers
– Multithreaded => better performance overhead
– Multiprocess => no disclosures across workers
● Both techniques scale well in practice (up to 24x)
[Diagram: a multithreaded program, each thread labelled "unw" and "Computations", served by n Shuffler threads; a multiprocess program, each process labelled "unw" and "Computations", served by 1 common Shuffler thread]