Feedback control can make data structure layout randomization more cost-effective under zero-day attacks

In the wake of the research community gaining deep understanding about control-hijacking attacks, data-oriented attacks have emerged. Among data-oriented attacks, data structure manipulation attack (DSMA) is a major category. Pioneering research has shown that DSMA is able to circumvent the most effective defenses against control-hijacking attacks — DEP, ASLR and CFI. Up to this day, only two defense techniques have demonstrated their effectiveness: Data Flow Integrity (DFI) and Data Structure Layout Randomization (DSLR). However, DFI has high performance overhead, and dynamic DSLR has two main limitations. L-1: Randomizing a large set of data structures will significantly affect the performance. L-2: To be practical, only a fixed sub-set of data structures is randomized. In the case that the data structures targeted by an attack are not covered, dynamic DSLR is essentially ineffective. To address these two limitations, we propose a novel technique, feedback-control-based adaptive DSLR, and build a system named SALADSPlus. SALADSPlus seeks to optimize the trade-off between security and cost through feedback control. Using a novel feedback-control-based adaptive algorithm extended from the Upper Confidence Bound (UCB) algorithm, the defender (controller) uses the feedbacks (cost-effectiveness) from previous randomization cycles to adaptively choose the set of data structures to randomize (the next action). Different from dynamic DSLR, the set of randomized data structures is adaptively changed based on the feedbacks. To obtain the feedbacks, SALADSPlus inserts a canary in each data structure at the time of compilation. We have implemented SALADSPlus based on gcc-4.5.0. Experimental results show that the runtime overheads are 1.8%, 3.7%, and 5.3% when the randomization cycles are selected as 10s, 5s, and 1s respectively.
Keywords: Data structure manipulation attack, Data structure layout randomization, Adaptive security, Feedback control

*Correspondence: pzc10@ist.psu.edu; chenping19851@hotmail.com
College of Information Sciences and Technology, The Pennsylvania State University, University Park 16802, PA, USA
Full list of author information is available at the end of the article

© The Author(s). 2018 Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Chen et al. Cybersecurity (2018) 1:3

Introduction

During the past two decades, control-hijacking attacks have drawn tremendous attention from the computer security research community. In a control-hijacking attack, the adversary manipulates the control flow objects and shifts the execution to malicious logics. The earliest attacks hijack the control flow to execute injected code. To defend against those code-injection attacks, Data Execution Prevention (DEP) (The PaX Team 2003a; Microsoft 2008) techniques were proposed. DEP ensures that a memory page is either writable or executable, but not both.

As a counteraction against DEP, adversaries switched from code-injection attacks to code-reuse attacks such as return-to-libc and Return-Oriented-Programming (ROP). These code-reuse attacks have motivated a very large amount of research on how to defend and how to counter-attack. In the past 10 years, the research community has gained deep understanding about the cost-effectiveness of major defenses, including Address Space Layout Randomization (ASLR) (Backes and Nürnberger 2014; Bhatkar et al. 2003; Kil et al. 2006; Keromytis et al. 2012; The PaX Team 2003b) and Control Flow Integrity (CFI) (Abadi et al. 2005).

However, in the wake of the research community gaining deep understanding about control-hijacking attacks, data-oriented attacks (Chen et al. 2015, 2005; Hu et al. 2015, 2016) have emerged. Data-oriented attacks do not modify control flow objects. Instead they read/write security-sensitive data objects for malicious goals (Chen et al. 2005; Hu et al. 2015). Recently, it has been shown that data-oriented attacks are Turing-complete (Hu et al. 2016) and can result in arbitrary behaviors.

Among data-oriented attacks, data structure manipulation attack (DSMA) (Chen et al. 2015) is a major category. DSMA exploits memory corruption bugs to manipulate multiple security sensitive fields in encapsulated data objects (e.g., struct and class). For example, the attack against openssh (CVE-2001-0144 2001) (CVE-2001-0144) overwrites a particular instance of data structure passwd to achieve privilege escalation. Pioneering research was conducted and shows that DSMA is able to circumvent the most effective defenses against control-hijacking attacks — DEP, ASLR and CFI. However, the research community has quite limited understanding on how to defend against DSMA.

Up to this day, only two defense techniques have demonstrated their effectiveness: Data Flow Integrity (DFI) (Castro et al. 2006; Song et al. 2016) and Data Structure Layout Randomization (DSLR) (Chen et al. 2015; Lin et al. 2009; Stanley et al. 2013; Xin et al. 2010). DFI maintains the definition-use relationship from the Data Flow Graph, and checks whether the definition of each data object is legal at run-time. In theory, DFI can defend against DSMA. However, DFI introduces performance overhead as high as 103% (Castro et al. 2006), making it impractical for deployment. Compared with DFI, DSLR has similar defense effectiveness but substantially less cost. We, therefore, believe DSLR is much more promising in mitigating DSMA. In this work, we seek to provide new insights into and deeper understanding about the cost-effectiveness of DSLR.

DSLR

Research in the early stage proposed static DSLR (Lin et al. 2009; Stanley et al. 2013; Xin et al. 2010). At the time of compilation, static DSLR randomly reorders the fields or adds dummy fields in encapsulated data objects. Static DSLR can prevent DSMA from correctly locating target fields and further manipulating them. However, its randomization is fixed at runtime and vulnerable to brute force attacks. Further, static DSLR requires manual efforts to determine which data structures can be randomized.

Recent research endeavored to develop dynamic DSLR and produced a technique named SALADS (Chen et al. 2015). SALADS aims to address the limitations of static DSLR. It automatically determines the randomization-feasibility of each data structure and frequently re-randomizes/de-randomizes the layouts of candidate data structures at run-time. The program compiled by SALADS can self-randomize a set of data structures; the instrumentation replaces each statement that contains data structure accesses. To avoid runtime errors, SALADS inserts a de-randomization routine before any dangerous statement (e.g., pointer-involved dangerous statements).

While SALADS offers security advantages, it still has two major limitations. L-1: When SALADS randomizes a large set of data structures, it will significantly affect the performance. This further leads to the second limitation. L-2: For the consideration of performance, SALADS cannot afford to randomize all the data structures. Instead it randomizes a fixed sub-set of data structures. In the case that the data structures targeted by an attack are not covered, SALADS is essentially ineffective.

Problem statement

In this paper, we explore augmenting SALADS with feedback control to address the above limitations. Our insights are as follows.

Limitation L-1 essentially indicates the necessity of a trade-off between security and cost. The availability of feedbacks about security and cost will help the defense achieve an optimized trade-off. This motivates us to employ the canary mechanism to collect feedbacks. More details about it will be discussed shortly. Those feedbacks in turn provide awareness of the attacked data structures, which can be leveraged to address limitation L-2. The intuition is that such awareness can enable the defense to include the attacked data structures and exclude the safe ones for randomization.

The goal to optimize the above described trade-off can be formulated as a feedback control problem — the defender (controller) uses the feedbacks (cost-effectiveness) from previous randomization cycles to adaptively choose the set of data structures to randomize (the next action) such that the trade-off is optimized.

In this paper, we are therefore deeply interested in the problem: Can feedback control be leveraged to address the two limitations of dynamic DSLR?

Our approach

Based on the above insights, we propose a novel technique, feedback-control-based adaptive DSLR, and build a system named SALADSPlus. SALADSPlus includes two parts. The first part is a compiler extension, which transforms a program into a Data Structure Self-Randomizing (DSSR) program. The compiler extension mounts the DSSR program into an adaptive strategy that utilizes the Upper Confidence Bound DSLR (UCB-D) algorithm to select data structures for protection at each re-randomization. Different from SALADS, the set of randomized data structures is adaptively changed based on the cost-effectiveness utilities of the previous cycles. To obtain those utilities, SALADSPlus inserts a canary in each data structure at the time of compilation. At runtime and the end of each defense cycle, SALADSPlus collects the number of polluted canaries. Such information is then used to calculate the utilities.

The second part of our SALADSPlus system is an adversarial reasoning scheme. This scheme monitors the execution of a DSSR program and uses the observations to reduce the uncertainty in detecting ongoing DSMA. In addition, this scheme can help locate the program targeted by the DSMA.

Our contributions in this work are summarized as follows:

- This is the first effort toward feedback-control-based adaptive DSLR.
- A novel feedback-control-based adaptive defense algorithm extended from UCB (Upper Confidence Bound) algorithm (Auer et al. 2002) is proposed.
- An adversarial reasoning scheme is proposed. It enables the defender to know more about the attacker. It also helps locate the program targeted by DSMA.
- On average, the runtime overheads introduced by SALADSPlus are 1.8%, 3.7%, and 5.3% for application programs (SPECInt2006, openssh-2.1.1p4, httpd-1.1.1, and openssl-0.9.6d), when the defense cycles are 10s, 5s, and 1s, respectively.

Overview

Our work focuses on developing a specific defense against DSMA (Chen et al. 2015), named SALADSPlus, before any patches are generated and the zero-day memory corruption bugs are located. This section presents the motivation and overview of our defense system. Under the protection of a defense action, the server uses canary detection to identify the number of failed DSMAs during a defense cycle and reports the number to the defense decision maker (“Canary detection” section). The feedback is used by the defense decision maker to calculate the cost-effectiveness of the previous defense action (“Cost-effectiveness utility” section), and select the defense action for the next defense cycle (i.e., a data structure whitelist in “Dynamic data structure layout randomization” section).

Feedbacks and adaptive defense

During the vulnerability window, the defender has limited knowledge of the attacks; e.g., the bug locations, target data structures, etc. Under this limited knowledge, it is not realistic for the defender to eliminate all attacks. Therefore the defense goal is to increase the difficulty for the attacker to succeed with low cost. As discussed, static DSLR is fixed at runtime and vulnerable to brute force attacks. And dynamic DSLR techniques (e.g., SALADS) have to face the trade-off between security and cost. If a large set of data structures is re-randomized, it will significantly affect the performance. On the other hand, if the data structures targeted by the attacker are not covered, it cannot provide security. To achieve an optimized trade-off, we employ the canary mechanism to collect feedbacks and periodically select a (small) set of data structures to randomize at runtime based on the observable feedbacks. In particular, SALADSPlus utilizes a memory forensic approach to find the polluted canaries. The polluted canaries are sent as the feedbacks to the defender. We will show in “Evaluation” section that the polluted canaries reflect how many DSMAs are blocked (failed DSMAs) and thus can be used to evaluate the effectiveness of a defense action. Those feedbacks can provide awareness of the attacked data structures, which can be leveraged to include the attacked data structures and exclude the safe ones for randomization.

The key idea of SALADSPlus is trial-and-error learning. More specifically, SALADSPlus receives polluted canaries, which reflect how many DSMAs are blocked, and evaluates how well the deployed actions perform. On one hand, SALADSPlus selects the optimal actions that can block most DSMAs in the history (exploitation); on the other hand, SALADSPlus also tries seemingly non-optimal action choices (exploration). So SALADSPlus is particularly well suited to defend against DSMAs where the defender is unaware of the targets of DSMAs but can evaluate its previous actions via repeated interactions with attackers. The details of how the defender updates its actions by utilizing the feedbacks will be illustrated in “Cost-effectiveness utility” and “UCB-D algorithm” sections. And the unique capability of SALADSPlus, adversarial reasoning, will be introduced in “Adversarial reasoning scheme” section and evaluated along with the cost-effectiveness in “Evaluation” section.

The uniform time interval between two consecutive updates of the defense actions is denoted as a defense cycle and the whole vulnerability window is denoted as N defense cycles; i.e., $T = \{1, 2, \cdots, N\}$. Note that we do not specify the feedbacks and the update frequency of the attacker. In the rest of the paper, we evaluate the security from the point of view of the defender.

System components

In the system model depicted in Fig. 1, we consider two entities: the defender and the attacker. The attacker launches the DSMA. In order to circumvent the defense, the attacker uses brute force attacks to locate the target data structures. The defender, named SALADSPlus, consists of two components: defense decision maker and defense actions.

Fig. 1 Overview of how DSSR Binary defends against DSMA

Data Structure Manipulation Attack (DSMA). In this paper, we consider one attacker with multiple DSMAs. In general, an attacker launching DSMAs is associated with a set of attack actions denoted by $A = \{a_1, \cdots, a_m\}$, where each action is a combination of several attack scripts. One attack script targets several data structure types (once a script is fixed, the targets are fixed).

Data Structure Self-Randomization Binary (DSSR Binary). SALADSPlus uses adaptive DSLR with adversarial reasoning and generates a Data Structure Self-Randomization binary (DSSR Binary). The DSSR binary maintains the metadata for all the data structure instances, including the base addresses and relative positions of the fields in data structures. In addition, all the data structure read/write operations are replaced with a set of DSSR statements (Chen et al. 2015) to access the randomized data structure layout. What’s more, all the definitions of the data structures are randomized at compile-time, and padding bytes are inserted into the data structures (Lin et al. 2009). The DSSR binary is equipped with a set of defense actions denoted by $D = \{d_1, \cdots, d_n\}$, where each defense action randomizes a particular set of data structures at runtime. The defense decision maker adaptively updates its actions. The adaptive update rule will be briefly discussed in Section Feedbacks and adaptive defense. In order to get the feedbacks for the defender, canary detection inserts 32-bit specific values for each field into data structures of a DSSR binary. Once the DSSR binary detects a polluted canary, it indicates an attacker has maliciously modified the fields in a data structure; it reports the program name and the target data structure to the security officer.

Design and implementation

In this section, we first present dynamic data structure layout randomization, and then demonstrate how the canary detection generates cost-effectiveness utility values. Further we illustrate the cost-effectiveness utility value and the UCB-D algorithm.

Dynamic data structure layout randomization

As discussed in Section ref, dynamic DSLR techniques (e.g., SALADS) are facing two limitations. Our solution SALADSPlus uses a novel UCB-D algorithm to dynamically make decisions on “which data structures to randomize”, while SALADS sticks to a fixed set of data structures. To solve the first limitation, we develop an adaptive algorithm (in “UCB-D algorithm” section) to dynamically decide “which set of data structures to randomize during the next defense cycle” based on the cost-effectiveness utility value (in “Cost-effectiveness utility” section) of the previous decisions. The algorithm enables the defender to choose better actions as time goes by. To reduce the overhead, SALADSPlus re-randomizes data structures much less frequently (i.e., once per defense cycle) but, in a certain sense, much more adaptively (more adaptivity in general provides more resilience to DSMA).

At the beginning of each defense cycle, the DSSR binary randomizes the data structures in the dynamic whitelist, and de-randomizes the data structures that are not in the dynamic whitelist. There are two challenges when we design SALADSPlus: (1) changing the dynamic whitelist of data structures at runtime without recompiling the program (SALADS compiles the source code with a static whitelist); (2) when the DSSR binary randomizes data structures, multiple DSSR statements are executed based on the previous layout of the data structures. Without concurrency methods, the DSSR statements may access totally irrelevant fields.

Dynamic WhiteList. To solve the first challenge, the DSSR binary maintains a dynamic whitelist. A dynamic whitelist is a buffer which is allocated in the heap and inserted by our customized compiler. It consists of the indices of the data structures. If a data structure is in the whitelist, the DSSR binary will randomize it in a defense cycle. Otherwise, the data structure will keep its pre-known layout. The only code of the DSSR binary that can access the dynamic whitelist is an independent thread illustrated as follows.

Independent Thread. The independent thread is a thread which is inserted by our customized compiler at the entry of the DSSR binary. The thread will allocate the dynamic whitelist and update the whitelist periodically. The thread calls the UCB-D function, which we will present shortly in “UCB-D algorithm” section, to “know” exactly how to update the whitelist. Once the whitelist is updated, the thread will de-randomize the data structures in the previous whitelist, and randomize the data structures in the current whitelist. In addition, the thread contains the canary detection (in “Canary detection” section).

Write Preferring Lock. To solve the second challenge, i.e., avoiding the inconsistency between the DSSR statements and the independent thread, we propose a write preferring lock method. We create a mutex lock and a global counter which calculates how many DSSR statements are currently executed. The thread will require a lock before it randomizes/de-randomizes the data structures, and release the lock after it finishes the randomization/de-randomization. Before the thread does the randomization/de-randomization, it waits until all the concurrent DSSR statements are completed; i.e., the global counter is 0. DSSR statements will check the lock before accessing the data structure. If the lock is occupied by the thread, the statements will wait. When DSSR statements are executed, they will first increase the global counter by 1, and after accessing the data structure, the global counter decreases by 1.

Canary detection

The canary detection scheme generates cost-effectiveness utility values. In particular, the canary detection is executed in the thread at the end of each defense cycle based on the memory forensic analysis. It scans the canaries in the randomized data structures and compares current values with a random canary value (Crispin et al. 1998). The random canary is chosen at the beginning of each defense cycle through /dev/urandom. If a canary in a data structure is polluted, we regard it as one failed DSMA. To quickly pinpoint the canary, we maintain an array to record the addresses of the canaries and mark each element as 0 or 1, where 1 indicates that the canary needs to be checked. After DSSR statements complete the data structure access, the canary detection checks whether the data structure type is in the whitelist, and then DSSR statements will update the array for the corresponding canaries.

Cost-effectiveness utility

The UCB-D algorithm is a utility-based reinforcement learning algorithm. As mentioned in “Feedbacks and adaptive defense” section, the key idea of SALADSPlus is to utilize feedbacks generated by the server in history to evaluate the corresponding defense actions and gradually identify the optimal actions. We define utility to quantify the cost-effectiveness of a defense action. In particular, the utility is in the form of $u = W_r r - W_c c$, where r is the effectiveness and c is the cost. And the constant weights $W_r$ and $W_c$ are chosen according to the preference of the defender on security and efficiency.

The most straightforward quantification of the effectiveness is the number of failed DSMAs during a defense cycle. It is mentioned in “Canary detection” section that if a canary in a data structure is polluted, we regard it as one failed DSMA. Therefore, we use the number of polluted canaries to quantify the effectiveness in each defense cycle. Note that the number of polluted canaries is determined by both the attack action (the combination of attack scripts) and defense action (randomized data structures). Then the effectiveness can be represented as a mapping from $A \times D$ to $\mathbb{R}$, i.e., for defense cycle t, the effectiveness is $r(t) = r(a(t), d(t))$.

If adaptive DSLR does not incur any cost, then the best defense is to randomize all feasible data structures. However the study of SALADS (Chen et al. 2015) shows that the performance overhead is proportional to the number of randomized data structures. For example, SALADS introduces 110%, 120% runtime overhead when randomizing 20% of data structures in gzip and gap respectively. We use the number of randomized data structures to quantify the cost in each defense cycle. The number of randomized data structures is only determined by the defense action. Then the cost can be represented as a mapping from $D$ to $\mathbb{R}$, i.e., for defense cycle t, the cost is $c(t) = c(d(t))$.

Since the numbers of DSMAs and the numbers of data structures in all defense cycles are finite, the utility values in all defense cycles are also bounded. More formally, there are $u^-$ and $u^+$ such that $\forall t \in T$, $u(t) \in [u^-, u^+]$. Additionally, the defender knows the bounds. Note that there might be some DSMAs that cannot achieve their attack goal but bypass all canaries. Therefore, the utility cannot precisely represent the cost-effectiveness of a defense action because the effectiveness part r may contain error. We introduce utility error to represent bypassing DSMAs. More formally, the utility error for each defense cycle t is denoted as (t) and u(t) = u (t) − (t), where u (t) is the ground truth utility if all failed DSMAs can be detected and (t) represents the number of failed DSMAs which bypass the canary detection. Our canaries are randomized by the adaptive DSLR and thus difficult to bypass. So (t) is small. This will be validated in “Evaluation” section.

UCB-D algorithm

With the cost-effectiveness utility value, the defense problem can be formulated as: how to choose a sequence of defense actions to maximize the sum of received utility values during the vulnerability window T. For simplicity, we define the sum as the aggregate utility. The UCB-D algorithm (an extension of the UCB algorithm in Multi-armed Bandit problems (Kuleshov and Precup 2014; Lai and Robbins 1985)) is proposed to solve the problem. A set of notations will be introduced as follows before the steps of the algorithm:

- $\mathbb{1}_{\{\}}$ is an indicator function: $\mathbb{1}_{\{\}} = 1$ if the condition in the braces is true and $\mathbb{1}_{\{\}} = 0$ if it is false.
- $T_d(t) = \sum_{\tau=1}^{t-1} \mathbb{1}_{\{d(\tau)=d\}}$ is the number of times defense action d has been chosen by the end of defense cycle t − 1.
- $\forall d \in D$, $\bar{\mu}_d(t) = \frac{1}{T_d(t)} \sum_{\tau=1}^{t-1} u(\tau)\mathbb{1}_{\{d(\tau)=d\}}$ represents the empirical average utility the defender actually receives by choosing defense action d by the end of defense cycle t − 1.
- $\forall d \in D$, $I_d(t) = \bar{\mu}_d(t) + (u^+ - u^-)\sqrt{\frac{2\ln(t)}{T_d(t)}}$ represents the upper confidence index of action d at the beginning of defense cycle t.

Algorithm 1 The UCB-D Algorithm
 1: for $d \in D$ do
 2:   $T_d(1) = 0$;
 3:   $\bar{\mu}_d(1) = 0$;
 4: end for
 5: for $t = 1$; $t \le N$; $t{+}{+}$ do
 6:   for $d \in D$ do
 7:     if $T_d(t) == 0$ then
 8:       $I_d(t) = +\infty$;
 9:     else
10:       $I_d(t) = \bar{\mu}_d(t) + (u^+ - u^-)\sqrt{\frac{2\ln(t)}{T_d(t)}}$;
11:     end if
12:   end for
13:   $d(t) = \arg\max_{d \in D} I_d(t)$;
14:   $T_{d(t)}(t+1) = T_{d(t)}(t) + 1$;
15:   for $d \in D \setminus \{d(t)\}$ do
16:     $T_d(t+1) = T_d(t)$
17:   end for
18:   Defender receives $u(t)$;
19:   for $d \in D$ do
20:     $\bar{\mu}_d(t+1) = \frac{1}{T_d(t+1)} \sum_{\tau=1}^{t} \left(u(\tau)\mathbb{1}_{\{d(\tau)=d\}}\right)$;
21:   end for
22: end for

In particular, at the beginning of the defense cycle t, the defender updates $I_d(t)$ of each defense action (Line 6–11). The indices of the actions that have never been chosen are set to be far larger than others’. In this way, these actions will be chosen with higher priorities (Line 7–8). For the actions that have been chosen before, their indices are updated based on their empirical average utility values (Line 9–11). The defender chooses the new action d(t) with the largest index (Line 13) and updates the numbers of times each defense action has been chosen (Lines 14–17). At the end of the defense cycle t, the defender receives utility value u(t) (Line 18) and then updates the empirical average utility values of all defense actions (Line 19–20).

An attractive feature of the UCB-D algorithm is that the defender can maximize the aggregate utility value with limited information of DSMAs. In particular, the algorithm only requires the defender to know its previous actions and their induced utility values. In contrast, it does not require the defender to pinpoint the attacked data structures. In the UCB-D algorithm, the defender, on one hand, uses the average utility value (the first term of $I_d(t)$) in the history to predict how well an action might work in the future and selects the most successful action, and on the other hand, tries less successful actions by the penalty term (the second term of $I_d(t)$). Through the repeated interactions with the attacker, the defender gradually identifies the data structures which are more likely attacked and randomizes them more often than others.

Adversarial reasoning scheme

From the experiments in the next section, we will see SALADSPlus can provide good effectiveness with low performance overhead. In this section, we discuss another capability of SALADSPlus: it can enable the security officer to do two-level adversarial reasoning in real time. First, the security officer can determine whether a zero-day attack is DSMA or not. Second, if a zero-day attack is DSMA, the security officer can do program level reasoning to infer the target program of the DSMA. This two-level adversarial reasoning is elaborated as follows.

First Level Adversarial Reasoning. The basic idea of the first level adversarial reasoning is to compare a zero-day attack with some known attacks (including DSMAs and non-DSMAs) at runtime and infer whether the zero-day attack is DSMA or not. Note that the utility defined in “Cost-effectiveness utility” section can be used to quantify cost-effectiveness of our defense. Since our defense is only effective when defending against DSMAs (determined by the DSSR Binary), the aggregate utility values of DSMAs and non-DSMAs are very different. Therefore by comparing the aggregate utility of the zero-day attack with those of known attacks, the security officer can tell whether the zero-day attack is DSMA or not. The aggregate utility values of the known attacks are achieved in Matlab simulations. We simulate SALADSPlus and the known attacks in Matlab because the simulations are much faster than the real experiments in web servers. And the simulation results are similar to the real experiment results. This similarity is ensured by the following three aspects: (1) The Matlab simulations have the same features as the real-world vulnerable web servers in terms of data structure types and instances. It is difficult to simulate the whole servers in Matlab, but we simulate the data structures and the related manipulations in Matlab. (2) The same UCB-D algorithm is implemented in both the real-world web servers and the Matlab simulations. (3) The simulated attacks have the same features as known CVEs in terms of targets and attack frequencies.

Second Level Adversarial Reasoning. If a zero-day attack is a DSMA, the security officer can further infer which program the DSMA is targeting. This adversarial reasoning capability is provided by the canary detection. The canary detection reports two messages when some canaries are polluted: (1) the type of polluted data structures; (2) the program name which is inserted into the DSSR programs. With the program name and data structure type, the security officer can quickly pinpoint the target program. This second level adversarial reasoning is only meaningful when SALADSPlus is effective; i.e., the zero-day attack does not succeed. For example, the attack (CVE-2002-0656 2002) lasted several days against SALADSPlus but still failed. This effectiveness, which will be validated in “Evaluation” section, gives the security officer sufficient time to locate the target program of the zero-day attack. Note that the first level adversarial reasoning is important because the security officer can quickly rule out non-DSMAs and do second level adversarial reasoning.

Evaluation

In this section, we present the evaluation of SALADSPlus. We first introduce the evaluation environment in “Real-world environment” section. We then evaluate the effectiveness of SALADSPlus in “Effectiveness” section and its performance overhead in “Performance overhead” section. We finally verify the adversarial reasoning capability of SALADSPlus in “Adversarial reasoning” section.

Real-world environment

We implement SALADSPlus on the top of gcc-4.5.0 with 12K lines of C code added. All evaluation experiments are conducted on an Intel(R) Core(TM) i5 machine with 4GB memory running Red Hat Linux 7.3 with Linux kernel version 2.4.18.

Effectiveness

How DSSR applications are generated. We generate DSSR applications by using SALADSPlus to compile open source programs, including apache-1.1.1, openssh-2.1.1p4, openssl-0.9.6d, and glibc-2.2.2. The DSSR applications contain 348, 47, 132, and 2329 data structure types, respectively. The following experiments are conducted on a vulnerable apache web server (apache-1.1.1 compiled with openssl-0.9.6d and glibc-2.2.2) and a vulnerable ssh server (openssh-2.1.1p4 compiled with glibc-2.2.2). For the vulnerable servers, we divide data structures into five groups, where each group has 20% of the data structures. We choose the length of the defense cycle as 1/5/10 seconds, respectively. At the beginning of each defense cycle, we randomize the data structures in one group based on the UCB-D algorithm.

How attacks are launched. We launch six real world attacks shown in Table 1. In the first attack, the buffer overflow bug in openssl (CVE-2002-0656 2002) is exploited to overwrite a data structure instance session (of type ssl_session_st) and malloc_chunk, whose details have been presented in “Data Structure Manipulation Attack (DSMA)” section. In the second attack, the integer truncation bug in (CVE-2001-0144 2001) is exploited to overflow the pw_uid in passwd type and do privilege escalation. The third attack exploits the heap overflow bug in (CVE-2015-0235 2015), which will pollute malloc_chunk. In the fourth attack, the stack overflow bug in (CVE-1999-0071 1999) is exploited to overflow timeval. In the fifth attack, Heartbleed bug (CVE-2014-0160 2014) is exploited to over-read 2-bytes buffer and leak sensitive data. In the sixth attack, the same bug in openssh (CVE-2001-0144 2001) is used to modify an authentication flag (Chen et al. 2005) and circumvent the authentication check. This attack does not affect any data structure, and we denote it as do_authentication attack. Both Heartbleed and do_authentication attacks are non-DSMAs.

Effectiveness. We compile the selected programs with static DSLR and SALADSPlus, respectively. During our experiments, we also enable ASLR in the execution environments. We compare the defense results of static DSLR and SALADSPlus by launching the six attacks respectively. Defense results are also shown in Table 1. The results demonstrate that in two hours, all six attacks can succeed when static DSLR is deployed. When SALADSPlus is deployed, DSMAs cannot succeed within two hours but the non-DSMAs, e.g., Heartbleed and do_authentication attack, can succeed.

Table 1 Defense results of DSSR applications in two hours

| Programs | CVE # | Bugs | Data Structure | Static DSLR | SALADSPlus |
|---|---|---|---|---|---|
| openssl-0.9.6d | CVE-2002-0656 | KEY ARG bug (CVE-2002-0656 2002) | ssl_session_st, malloc_chunk | × | |
| glibc-2.2.2 | CVE-2015-0235 | GHOST bug (CVE-2015-0235 2015) | malloc_chunk | × | |
| openssh-2.1.1 | CVE-2001-0144 | CRC-32 bug (CVE-2001-0144 2001) | passwd | × | |
| apache-1.1.1 | CVE-1999-0071 | Cookie bug (CVE-1999-0071 1999) | timeval | × | |
| openssl-1.0.1c | CVE-2014-0160 | Heartbleed bug (CVE-2014-0160 2014) | N/A | × | × |
| openssh-2.1.1 | CVE-2001-0144 | do_authentication (CVE-2001-0144 2001) | N/A | × | × |

Justification of Effectiveness Part in Utility. The cost-effectiveness is represented by the difference between the number of failed DSMAs (effectiveness part) and the number of randomized data structure instances (cost part). As mentioned in “Cost-effectiveness utility” section, SALADSPlus uses the canary detection to indicate the failed DSMAs. Therefore we define the number of polluted canaries as the effectiveness part in our utility. Table 2 shows that the polluted data structures detected by the canary detection can reflect failed DSMAs, which justifies the effectiveness part of our utility.

Performance overhead

Runtime Overhead. To evaluate the runtime overhead introduced by SALADSPlus, we test a number of programs, including SPECInt2006, httpd-1.1.1, openssh-2.1.1p4 and openssl-0.9.6d. We insert the instrumented code to calculate the number of randomized data structure instances at runtime. Table 3 shows the results. The defense cycles are 1/5/10 seconds and in each defense cycle, 20% of the data structures are randomized. As Fig. 2 shows, the runtime overheads are 5.3%, 3.7%, 1.8% on average. The performance results show that the runtime overhead is in parallel to the randomized data structure instances.

with those in Matlab simulations to validate the similarity between results of the Matlab simulations and real-world web server experiments. The results are shown in Fig. 4. We can see that the aggregate utility values of both the DSMAs and non-DSMAs (Heartbleed and do_authentication) achieved in Matlab simulations are similar to those achieved in Apache and Openssh experiments respectively.
First Level Adversarial Reasoning We use mutations of Memory Overhead We compare the memory usage of the attacks to simulate the zero-day attacks, and then DSSR programs with original programs. As Fig. 3 shows, compare the aggregate utility values of the mutated the memory overhead is 1.8% on average. The memory attacks achieved in Apache and Openssh experiments overhead is orthogonal to the defense cycle, and mainly with those of the known attacks in simulations to tell introduced by the paddings and canaries. whether the zero-day attacks are DSMAs or not. We mutate the attack scripts in two ways: (1) changing the Adversarial reasoning attack target; (2) merging multiple attack scripts into one. In this section, we verify that SALADSPlus enables the the First, we change the attack script by exploiting CVE- security officer to do adversarial reasoning in real time. 2001-0144 (CVE-2001-0144 2001): instead of modifying pw_uid in passwd, we write an additional attack script Simulation Settings First we simulate SALADSPlus and to manipulate pw_passwd in passwd.Second, we merge the same six attacks in Matlab and get their corresponding the attack scripts that exploit openssl (CVE-2002-0656 aggregate utility values. The Matlab simulations have the 2002) and apache (CVE-1999-0071 1999)intoone attack same features as the vulnerable apache web server and ssh at the mixing ratio of 10 to 1. Figure 5 shows that the server in terms of data structure types and instances. We curves of the mutated attacks are similar to original select 5 seconds as the length of one defense cycle. And DSMAs, but different from the non-DSMA, which verify the simulated attacks have the same features as CVEs in the first level adversarial reasoning. terms of targets and attack frequency. Second Level Adversarial Reasoning For zero-day Validation of the Similarity First we compare the aggre- DSMAs, we infer their target programs. 
From the experi- gate utility values in Apache and Openssh experiments mental results, all the four DSMAs mentioned in Section Table 2 Justification of Effectiveness in Utility Programs CVE # Bugs # Polluted ds in 5s # Attacks in 5s openssl-0.9.6d CVE-2002-0656 KEY ARG bug (CVE-2002-0656 2002)10 10 glibc-2.2.2 CVE-2015-0235 GHOST bug (CVE-2015-0235 2015)16 16 openssh-2.1.1 CVE-2001-0144 CRC-32 bug (CVE-2001-0144 2001)10 10 apache-1.1.1 CVE-1999-0071 Cookie bug (CVE-1999-0071 1999)50 50 Chen et al. Cybersecurity (2018) 1:3 Page 9 of 13 Table 3 The number of randomized data structure instances at runtime Programs httpd-1.1.1 openssh-2.1.1 openssl-0.9.6d astar bzip2 gcc h264ref # Instances 114 89 245 12 1093 689 47 Programs libquantum omnetpp sjeng gobmk hmmer mcf perlbench specrand # Instances 19 24 13 15 14 23 98 0 Effectiveness can be detected by the canary detection. of facilitating following attack attempts should be The correct target programs’ names and the polluted data very small. structures are reported to the security officer. The canary detection can detect continuous buffer over- write attacks, which are the main form of buffer overflow. Discussion There are several methods to bypass the canary detec- Our adaptive defense can perform adversarial reasoning tion (Litchfield 2003;TeamC 2009). However, most of to tell whether the attack is DSMA or not. However, if the bypass canary methods are focused on stack cookie the attacker knows the defense, it can tailor the attack (Team C 2009). Some methods (Litchfield 2003) even need actions; e.g., extending the duration of an attack try to to hook the data structures (e.g., exception handler reg- several defense cycles. As such, the canary detection may istration structure) to bypass. In contrast, our adaptive not be able to detect the DSMA in some defense cycles, DSLR can raise the bar for this kind of bypassing. 
In addi- and cost-effectiveness utility values in these defense cycles tion, discrete write approaches, which use bugs like format may be very close to non-DSMA. Nonetheless, the defense string (OWASP 2009), can modify target data objects can still get the feedbacks from the server and adaptively without changing the value of the canary. As such, dis- update its actions. As time goes by, the defender will crete write can circumvent the canary detection. What’s gradually choose better actions so the long term aggre- more, to circumvent the canary detection, an attacker can gate utility will improve and be different from that of the resort to memory content leakage (e.g., memory disclo- non-DSMA. sure (Snow et al. 2013), uninitialized memory tracking Our adaptive defense is deployed before any patches are (Chenetal. 2011), side channel (Bittau et al. 2014;Seibert generated and the zero-day memory corruption bugs are et al. 2014;Zhang et al. 2012)). At client-side, the canaries located. During the vulnerability window, the defender may be easier to be read than sever-side, because just-in- has limited knowledge of the attacks. Under this limited time compilers (e.g., Javascript and Actionscript engines) knowledge, it is not realistic for the defender to guaran- may help the attacker to poke around memory (Blazakis tee that no DSMA can succeed. However, as one form 2010). State-of-the-art protection CFI (Abadi et al. 2005; of moving target defense, our goal is to increase DSMA Bletsch et al. 2011;Egele et al. 2012; Zhang and Sekar 2013) and ASLR (Backes 2014; Bhatkar et al. 2003, 2005; costs and make it harder for the attacker to succeed. In particular, a DSMA might succeed in one defense cycle. Hiser et al. 2012;Kil et al. 2006; Keromytis et al. 2012; But when the same attack is launched the next time, Paleari et al. 2009;The PaXTeam 2003b; Wartell et al. theattackerstill hastospend averylarge pricetosuc- 2012; Bigelow et al. 2015;Davietal. 2015; Giuffrida et al. 
ceed. In addition, a failed attack could tamper with some 2012;Luetal. 2016) raise the bar for the attacker to get data and have some side effects. But due to randomiza- the information of memory layout. tion, the attacker should have no idea of the locations of When the canary detection discovers the DSMAs, it is a the tampered data in a short period. So the probability malicious/unsafe event clearly. If the point is that attackers Fig. 2 Runtime overhead Chen et al. Cybersecurity (2018) 1:3 Page 10 of 13 Fig. 3 Memory overhead may continue poking around in a brute-force fashion, then Related work blocking the attack after the detection of several consec- In this section, we focus on two potential defenses utive crashes/canary overwrites seems to be a good idea. against DSMAs: Data Flow Integrity and Data-Plane However, this kind of defense (stopping the process) actu- Randomization. ally has the same results under DDoS attacks. In addition, merely stopping cannot prevent the next but the same Data Flow Integrity DFI was first proposed by Miguel DSMAs. Castro et al. (2006). By using static analysis, DFI computes Fig. 4 a- b: Comparisons among the aggregate utility values in Matlab simulations and Apache experiments when defending against openssl (CVE-2002-0656), glibc (CVE-2015-0235), apache (CVE-1999-0071), and Heartbleed (CVE-2014-0610); c - d: the comparison among the aggregate utility values in Matlab simulations and Openssh experiments when defending against glibc (CVE-2015-0235), openssh (CVE-2001-0144), and do_authentication (CVE-2001-0144) Chen et al. Cybersecurity (2018) 1:3 Page 11 of 13 Fig. 
5 a- b Compare the aggregate utility values of apache + openssl (CVE-2002-0656 & CVE-1999-0071), and Heartbleed (CVE-2014-0610) in real server experiments with the aggregate utility values in Matlab simulations; c - d compare the aggregate utility values of openssh mutation (CVE-2001-0144) and do_authentication (CVE-2001-0144) in real server experiments with the aggregate utility values in Matlab simulations a Data Flow Graph and checks whether the definition Data-Plane Randomization Data Space Randomization of each data object is legal at run-time. A tailored DFI (DSR) (Bhatkar and Sekar 2008; Cadar et al. 2008)was (Song et al. 2016) was proposed to solve the privilege esca- proposed to prevent non-control-flow attacks by XOR- lation attack in the kernel. A complete enforcement of ing data with random masks. However DSR introduces DFI can defend against DSMAs, however, complete DFI high performance overhead since all the data objects suffers from performance overhead as high as 103% (Cas- need to be randomized. Static DSLR (Lin et al. 2009; tro et al. 2006). Tailored DFI (Song et al. 2016)focusing Stanley et al. 2013;Xinet al. 2010)was proposed to on privilege escalation attacks in the kernel can defeat prevent data structure manipulation attacks, via modi- small parts of DSMAs, but the majority of DSMAs are fying the definition of a data structure to reorder the out-of-scope of that work. Recently, researchers leverage fields. However, static DSLR has several limitations. First, hardware to assist the DFI and improve the runtime over- the layout randomized by static DSLR is determined at head (Song et al. 2016). However, the techniques heavily compile time, and it is vulnerable to brute force attacks depend on new features of the newest CPU (processor (Stacham et al. 2004). Second, static DSLR requires man- tracing), which is not in use by the majority of web ser- ual efforts to determine which data structure can be ran- vice providers. 
By comparison, our method not only has domized. Xin et al. (Xin et al. 2010) extend static DSLR reasonable performance overhead, but also is hardware and propose to use a constraint set to select randomizable independent. data structures. But their technique cannot handle nested Chen et al. Cybersecurity (2018) 1:3 Page 12 of 13 data structures and ignores all data structures associated Received: 4 January 2018 Accepted: 17 April 2018 with pointer operations. Recently, SALADS (Chen et al. 2015) was proposed to achieve dynamical data structure References layout re-randomization. However, the set of randomized Abadi M, Budiu M, Erlingsson U, Ligatti J (2005) Control-flow integrity. In: ACM data structures selected by an expert is fixed through- Conference on Computer and Communications Security (CCS ’05). ACM, New York out the whole lifetime of a process. In addition, SALADS Auer P, Cesa-Bianchi N, Fischer P (2002) Finite-time analysis of the multiarmed suffers from high runtime overhead. bandit problem. Mach Learn 47(2-3):235–256 Backes M, Nürnberger S (2014) Oxymoron: Making fine-grained memory Conclusion randomization practical by allowing code sharing. In: USENIX Security Symposium (Security ’14). USENIX Association, San Diego We present SALADSPlus, a new adaptive DSLR with Bhatkar E, Duvarney DC, Sekar R (2003) Address obfuscation: an efficient adversarial reasoning, that automatically translates a pro- approach to combat a broad range of memory error exploits. In: USENIX gram to a data structure self-randomizing (DSSR) pro- Security Symposium (Security ’03). USENIX Association, San Diego Bhatkar S, Sekar R (2008) Data space randomization. In: International gram. At runtime, a DSSR program periodically selects Conference on Detection of Intrusions and Malware, and Vulnerability and randomizes a set of data structures based on the Assessment (DIMVA ’08). Springer-Verlag, Berlin UCB-D algorithm. 
Besides, SALADSPlus could perform Bhatkar S, Sekar R, DuVarney DC (2005) Efficient techniques for comprehensive protection from memory error exploits. In: USENIX Security Symposium adversary reasoning to indicate whether there is DSMA or (Security ’05). USENIX Association, San Diego not, and further locate the target program of the attack. Bigelow D, Hobson T, Rudd R, Streilein W, Okhravi H (2015) Timely SALADSPlus is the first effective defense with low over- rerandomization for mitigating memory disclosures. In: Proceedings of the head against DSMA. Moreover, adversarial reasoning is 22nd Conference on Computer and Communications Security (CCS ’15). ACM, New York a unique feature of our defense. We have implemented Bittau A, Belay A, Mashtizadeh A, Mazieres D, Boneh D (2014) Hacking blind. In: SALADSPlus based on gcc-4.5.0. Experimental results IEEE Symposium on Security and Privacy (Oakland ’14). IEEE Computer show that the runtime overheads are 1.8%, 3.7%, and 5.3% Society, Washington Blazakis D (2010) Interpreter exploitation. In: USENIX Conference on Offensive when the defense cycles are selected as 10s, 5s, and 1s Technologies (WOOT ’10). IEEE Computer Society, Washington respectively. Bletsch T, Jiang X, Freeh V (2011) Mitigating code-reuse attacks with control-flow locking. In: Annual Computer Security Applications Conference (ACSAC ’11). ACM, New York Endnotes Cadar C, Akritidis P, Costa M, Martin J-P, Castro M (2008) Data randomization. ASLR randomizes the base addresses of both data and In: MSR-TR-2008-120. Microsoft Research, Cambridge Castro M, Costa M, Harris T (2006) Securing software by enforcing data-flow code in the memory. integrity. In: Proceedings of the 7th Symposium on Operating Systems CFI disables deviations from the being-protected pro- Design and Implementation (OSDI’06). USENIX Association, Berkeley Chen H, Mao Y, Wang X, Zhou D, Zeldovich N, Kaashoek MF (2011) Linux kernel gram’s original control-flow graph. 
vulnerabilities: State-of-the-art defenses and open problems. In: We used brute force attacks to guess the layout of Asia-Pacific Workshop on Systems (APSys ’11). ACM, New York Chen P, Xu J, Lin Z, Xu D, Mao B, Liu P (2015) A practical approach for adaptive ssl_session_st when we did the experiments. data structure layout randomization. In: Proceedings of the 20th European Symposium on Research in Computer Security (ESORICS’15). Springer, Acknowledgements Switzerland This work was supported by ARO W911NF-13-1-0421 (MURI), NSF Chen S, Xu J, Sezer EC, Gauriar P, Iyer RK (2005) Non-control-data attacks are CNS-1422594, and NSF CNS-1505664. realistic threats. In: Proceedings of the 14th Conference on USENIX Security Symposium (Security ’05). USENIX Association, San Diego Crispin C, Calton P, Dave M, Heather H, Jonathan W, Peat B, Steve B, Aaron G, Authors’ contributions Perry W, Qian Z (1998) Stackguard: automatic adaptive detection and PC carried out the background, idea proposal, system implementation and prevention of buffer-overflow attacks. In: USENIX Security Symposium evaluation, ZH designed the UCB-D algorithm, participated in the experiments (Security ’98). USENIX Association, San Diego and drafted the manuscript. JX carried out the improvements of the manuscripts. MZ participated in the problem formulation, designed the UCB-D CVE-1999-0071 (1999) Apache-cookie bug. http://seclab.cs.ucdavis.edu/ algorithm and drafted the manuscript. PL conceived of the study and projects/testing/vulner/39.html participated in its design and coordination. All authors read and approved the CVE-2001-0144 (2001) SSH CRC-32 compensation attack detector. http://www. final manuscript. securityfocus.com/bid/2347/discuss CVE-2002-0656 (2002) Apache openssl heap overflow exploit. http://www. phreedom.org/research/exploits/apache-openssl/ Competing interests CVE-2014-0160 (2014) Heartbleed Bug The authors declare that they have no competing interests. 
CVE-2015-0235 (2015) Ghost: glibc gethostbyname buffer overflow. https://www.qualys.com/2015/01/27/cve-2015-0235/GHOST-CVE-2015- Publisher’s Note 0235.txt Springer Nature remains neutral with regard to jurisdictional claims in Davi L, Liebchen C, Sadeghi A-R, Snow KZ, Monrose F (2015) Isomeron: published maps and institutional affiliations. Code randomization resilient to (just-in-time) return-oriented programming. In: Annual Network and Distributed System Security Symposium (NDSS ’15). NDSS Symposium, San Diego Author details Egele M, Fischer T, Holz T, Hund R, Nurnberger S, Sadeghi AR, Davi L, College of Information Sciences and Technology, The Pennsylvania State Dmitrienko A (2012) Mocfi: A framework to mitigate control-flow attacks University, University Park 16802, PA, USA. The School of Electrical on smartphones,. In: Annual Network and Distributed System Security Engineering and Computer Science, The Pennsylvania State University, State Symposium (NDSS’12). NDSS Symposium, San Diego College, University Park 16801, PA, USA. Chen et al. Cybersecurity (2018) 1:3 Page 13 of 13 Giuffrida C, Kuijsten A, Tanenbaum AS (2012) Enhanced operating system exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep- security through efficient and fine-grained address space randomization. and-aslr/ In: USENIX Conference on Security Symposium (Security ’12). USENIX The PaX Team (2003a) PaX non-executable pages design & implementation. Association, San Diego http://pax.grsecurity.net/docs/noexec.txt Hiser J, Nguyen-Tuong A, Co M, Hall M, Davidson JW (2012) Ilr: Where’d my The PaX Team (2003b) Pax address space layout randomization (ASLR). http:// gadgets go?. In: IEEE Symposium on Security and Privacy (Oakland ’12). 
pax.grsecurity.net/docs/aslr.txt IEEE Computer Society, Washington Wartell R, Mohan V, Hamlen K, Lin Z (2012) Binary stirring: Self-randomizing Hu H, Chua ZL, Adrian S, Saxena P, Liang Z (2015) Automatic generation of instruction addresses of legacy x86 binary code. In: ACM Conference on data-oriented exploits. In: Proceedings of the 24th USENIX Security Computer and Communications Security (CCS ’12). ACM, New York Symposium (Security ’15). USENIX Association, San Diego Xin Z, Chen H, Han H, Mao B, Xie L (2010) Misleading malware similarities Hu H, Shinde S, Adrian S, Chua ZL, Saxena P, Liang Z (2016) Data-oriented analysis by automatic data structure obfuscation. In: International programming: On the expressiveness of non-control data attacks. In: IEEE Conference on Information Security (ISC ’10). Springer-Verlag, Berlin Symposium on Security and Privacy (Oakland ’16). IEEE Computer Society, Zhang Y, Juels A, Reiter MK, Ristenpart T (2012) Cross-vm side channels and Washington their use to extract private keys. In: ACM Conference on Computer and Communications Security (CCS ’12). ACM, New York Keromytis AD, Pappas V, Polychronakis M (2012) Smashing the gadgets: Zhang M, Sekar R (2013) Control flow integrity for cots binaries. In: USENIX Hindering return-oriented programming using in-place code Conference on Security (Security ’13). USENIX Association, San Diego randomization. In: IEEE Symposium on Security and Privacy (Oakland ’12). IEEE Computer Society, Washington Kil C, Jim J, Bookholt C, Xu J, Ning P (2006) Address space layout permutation (aslp): Towards fine-grained randomization of commodity software. In: Annual Computer Security Applications Conference (ACSAC ’06). IEEE, Miami Beach Kuleshov V, Precup D (2014) Algorithms for multi-armed bandit problems. In: Proceedings of the seventeenth annual ACM-SIAM symposium on Discrete algorithm, Society for Industrial and Applied Mathematics Philadelphia, PA, USA. pp 928–936. CVE-2014-0160 (2014) https://cve. 
mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160 Lai TL, Robbins H (1985) Asymptotically efficient adaptive allocation rules. Adv Appl Math 6(1):4–22 Lin Z, Riley RD, Xu D (2009) Polymorphing software by randomizing data structure layout. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA ’09). Berlin, Springer-Verlag Litchfield D (2003) Defeating the stack based buffer overflow prevention mechanism of microsoft windows 2003 server. https://www.blackhat.com/ presentations/bh-asia-03/bh-asia-03-litchfield.pdf Lu K, Nurnberger S, Backes M, Lee W (2016) How to make aslr win the clone wars: Runtime re-randomization. In: Proceedings of the 2016 Network and Distributed System Security Symposium (NDSS ’16). NDSS Symposium, San Diego Microsoft (2008) A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2. http://support.microsoft.com/kb/ OWASP (2009) Format string. https://www.owasp.org/index.php/Format_ string_attack Paleari R, Roglia GF, Martignoni L (2009) Surgically returning to randomized lib(c). In: Annual Computer Security Applications Conference (ACSAC ’09). ACM, New York Seibert J, Okhravi H, Söderström E (2014) Information leaks without memory disclosures:remote side channel attacks on diversified code. In: ACM Conference on Computer and Communications Security (CCS ’14). ACM, New York Shacham H, Page M, Pfaff B, Goh E-J, Modadugu N, Boneh D (2004) On the effectiveness of address-space randomization. In: ACM Conference on Computer and Communications Security (CCS ’04). ACM, New York Snow KZ, Monrose F, Davi L, Dmitrienko A, Liebchen C, Sadeghi A-R (2013) Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In: IEEE Symposium on Security and Privacy (Oakland ’13). IEEE, Berkeley Song C, Lee B, Lu K, Harris WR, Kim T, Lee W (2016) Enforcing kernel security invariants with data flow integrity. 
In: Proceedings of the 2016 Network and Distributed System Security Symposium (NDSS ’16). NDSS Symposium, San Diego Song C, Moon H, Alam M, Yun I, Lee B, Kim T, Lee W, Paek Y (2016) Hdfi: Hardware-assisted data-flow isolation. In: Proceedings of IEEE Symposium on Security and Privacy (Oakland ’16). NDSS Symposium, San Diego Stanley DM, Xu D, Spafford EH (2013) Improved kernel security through memory layout randomization. In: International Performance Computing and Communications Conference (IPCCC ’13). IEEE, San Diego Team C (2009) Exploit writing tutorial part 6 : Bypassing stack cookies, safeseh, sehop, hw dep and aslr. https://www.corelan.be/index.php/2009/09/21/ http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Cybersecurity Springer Journals

Feedback control can make data structure layout randomization more cost-effective under zero-day attacks

Publisher
Springer Journals
Copyright
Copyright © 2018 by The Author(s)
Subject
Computer Science; Computer Science, general
eISSN
2523-3246
D.O.I.
10.1186/s42400-018-0003-x

Abstract

In the wake of the research community gaining deep understanding about control-hijacking attacks, data-oriented attacks have emerged. Among data-oriented attacks, data structure manipulation attack (DSMA) is a major category. Pioneering research was conducted and shows that DSMA is able to circumvent the most effective defenses against control-hijacking attacks — DEP, ASLR and CFI. Up to this day, only two defense techniques have demonstrated their effectiveness: Data Flow Integrity (DFI) and Data Structure Layout Randomization (DSLR). However, DFI has high performance overhead, and dynamic DSLR has two main limitations. L-1: Randomizing a large set of data structures will significantly affect the performance. L-2: To be practical, only a fixed sub-set of data structures are randomized. In the case that the data structures targeted by an attack are not covered, dynamic DSLR is essentially noneffective. To address these two limitations, we propose a novel technique, feedback-control-based adaptive DSLR and build a system named SALADSPlus. SALADSPlus seeks to optimize the trade-off between security and cost through feedback control. Using a novel feedback-control-based adaptive algorithm extended from the Upper Confidence Bound (UCB) algorithm, the defender (controller) uses the feedbacks (cost-effectiveness) from previous randomization cycles to adaptively choose the set of data structures to randomize (the next action). Different from dynamic DSLR, the set of randomized data structures are adaptively changed based on the feedbacks. To obtain the feedbacks, SALADSPlus inserts canary in each data structure at the time of compilation. We have implemented SALADSPlus based on gcc-4.5.0. Experimental results show that the runtime overheads are 1.8%, 3.7%, and 5.3% when the randomization cycles are selected as 10s, 5s, and 1s respectively. 
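The feedback loop the abstract describes can be traced with a small simulation. This is an added sketch, not the paper's UCB-D listing or SALADSPlus code: it uses plain UCB1 (Auer et al. 2002, the bandit algorithm the paper extends) over the five 20% groups from the Evaluation section, with the utility defined there (polluted canaries minus randomized instances). The per-group costs, the normalization to [0, 1] and the rule that an attempt pollutes a canary only when its target group is the one randomized in that cycle are assumptions made for illustration.

```python
import math

# Constructed input (not from the paper): randomized instances per group,
# i.e. the cost part of the utility for each of the five 20% groups.
GROUP_COST = [4, 6, 5, 3, 7]


def utility(polluted_canaries, randomized_instances):
    """Cost-effectiveness as the page defines it: failed DSMAs minus randomization cost."""
    return polluted_canaries - randomized_instances


class UcbDefender:
    """Plain UCB1 over defense actions; one action = randomize one group this cycle."""

    def __init__(self, n_actions, u_min, u_max):
        self.counts = [0] * n_actions    # times each action has been chosen
        self.means = [0.0] * n_actions   # empirical average of the normalized utility
        self.u_min, self.u_max = u_min, u_max
        self.t = 0                       # index of the current defense cycle

    def choose(self):
        self.t += 1
        for action, n in enumerate(self.counts):
            if n == 0:                   # every action is tried once first
                return action
        # Index = empirical mean + exploration bonus; the largest index wins.
        index = [m + math.sqrt(2 * math.log(self.t) / n)
                 for m, n in zip(self.means, self.counts)]
        return max(range(len(index)), key=index.__getitem__)

    def update(self, action, u):
        reward = (u - self.u_min) / (self.u_max - self.u_min)  # UCB1 expects [0, 1]
        self.counts[action] += 1
        self.means[action] += (reward - self.means[action]) / self.counts[action]


def simulate(cycles, target_group, attempts_per_cycle):
    """Run the loop; target_group=None models a non-DSMA that pollutes no canary.

    Returns (times each group was randomized, aggregate utility).
    """
    defender = UcbDefender(len(GROUP_COST),
                           u_min=-max(GROUP_COST), u_max=attempts_per_cycle)
    aggregate = 0
    for _ in range(cycles):
        action = defender.choose()
        # Assumed feedback model: attempts against the randomized group fail
        # and each failed attempt leaves one polluted canary behind.
        polluted = attempts_per_cycle if action == target_group else 0
        u = utility(polluted, GROUP_COST[action])
        defender.update(action, u)
        aggregate += u
    return defender.counts, aggregate


if __name__ == "__main__":
    print("DSMA on group 2:", simulate(500, 2, 10))
    print("non-DSMA       :", simulate(500, None, 10))
```

Under these assumptions the defender concentrates on the attacked group and the aggregate utility rises, while with no polluted canaries it only pays cost, which is the separation between DSMA and non-DSMA curves that the first level adversarial reasoning relies on.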
Keywords: Data structure manipulation attack, Data structure layout randomization, Adaptive security, Feedback control

*Correspondence: pzc10@ist.psu.edu; chenping19851@hotmail.com
College of Information Sciences and Technology, The Pennsylvania State University, University Park 16802, PA, USA
Full list of author information is available at the end of the article

© The Author(s). 2018 Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Introduction

During the past two decades, control-hijacking attacks have drawn tremendous attention from the computer security research community. In a control-hijacking attack, the adversary manipulates the control flow objects and shifts the execution to malicious logics. The earliest attacks hijack the control flow to execute injected code. To defend against those code-injection attacks, Data Execution Prevention (DEP) (The PaX Team 2003a; Microsoft 2008) techniques were proposed. DEP ensures that a memory page is either writable or executable, but not both.

As a counteraction against DEP, adversaries switched from code-injection attacks to code-reuse attacks such as return-to-libc and Return-Oriented-Programming (ROP). These code-reuse attacks have motivated a very large amount of research on how to defend and how to counter-attack. In the past 10 years, the research community has gained deep understanding about the cost-effectiveness of major defenses, including Address Space Layout Randomization (ASLR) (Backes and Nürnberger 2014; Bhatkar et al. 2003; Kil et al. 2006; Keromytis et al. 2012; The PaX Team 2003b) and Control Flow Integrity (CFI) (Abadi et al. 2005).

However, in the wake of the research community gaining deep understanding about control-hijacking attacks, data-oriented attacks (Chen et al. 2015, 2005; Hu et al. 2015, 2016) have emerged. Data-oriented attacks do not modify control flow objects. Instead they read/write security-sensitive data objects for malicious goals (Chen et al. 2005; Hu et al. 2015). Recently, it has been shown that data-oriented attacks are Turing-complete (Hu et al. 2016) and can result in arbitrary behaviors.

Among data-oriented attacks, data structure manipulation attack (DSMA) (Chen et al. 2015) is a major category. DSMA exploits memory corruption bugs to manipulate multiple security sensitive fields in encapsulated data objects (e.g., struct and class). For example, the attack against openssh (CVE-2001-0144 2001) (CVE-2001-0144) overwrites a particular instance of data structure passwd to achieve privilege escalation. Pioneering research was conducted and shows that DSMA is able to circumvent the most effective defenses against control-hijacking attacks — DEP, ASLR and CFI. However, the research community has quite limited understanding on how to defend against DSMA.

Up to this day, only two defense techniques have demonstrated their effectiveness: Data Flow Integrity (DFI) (Castro et al. 2006; Song et al. 2016) and Data Structure Layout Randomization (DSLR) (Chen et al. 2015; Lin et al. 2009; Stanley et al. 2013; Xin et al. 2010). DFI maintains the definition-use relationship from the Data Flow Graph, and checks whether the definition of each data object is legal at run-time. By theory, DFI can defend against DSMA. However, DFI introduces performance overhead as high as 103% (Castro et al. 2006), making it impractical for deployment. Comparing with DFI, DSLR has similar defense effectiveness but substantially less cost. We, therefore, believe DSLR is much more promising in mitigating DSMA. In this work, we seek to provide new insights into and deeper understanding about the cost-effectiveness of DSLR.

DSLR

Research in the early stage proposed static DSLR (Lin et al. 2009; Stanley et al. 2013; Xin et al. 2010). At the time of compilation, static DSLR randomly reorders the fields or adds dummy fields in encapsulated data objects. Static DSLR can prevent DSMA from correctly locating target fields and further manipulating them. However, its randomization is fixed at runtime and vulnerable to brute force attacks. Further, static DSLR requires manual efforts to determine which data structures can be randomized.

Recent research endeavored to develop dynamic DSLR and produced a technique named SALADS (Chen et al. 2015). SALADS aims to address the limitations of static DSLR. It automatically determines the randomization-feasibility of each data structure and frequently re-randomizes/de-randomizes the layouts of candidate data structures at run-time. The program compiled by SALADS can self-randomize a set of data structures, the instrumentation replaces each statement that contains data structure accesses. To avoid runtime errors, SALADS inserts de-randomization routine before any dangerous statement (e.g., pointer involved dangerous statements).

While SALADS offers security advantages, it still has two major limitations. L-1: When SALADS randomizes a large set of data structures, it will significantly affect the performance. This further leads to the second limitation. L-2: For the consideration of performance, SALADS cannot afford to randomize all the data structures. Instead it randomizes a fixed sub-set of data structures. In the case that the data structures targeted by an attack are not covered, SALADS is essentially noneffective.

Problem statement

In this paper, we explore to augment SALADS with feedback control to address the above limitations. Our insights are as follows.

Limitation L-1 essentially indicates the necessity of a trade-off between security and cost. The availability of feedbacks about security and cost will facilitate the defense to achieve an optimized trade-off. This motivates us to employ the canary mechanism to collect feedbacks. More details about it will be discussed shortly. Those feedbacks in turn provide awareness of the attacked data structures, which can be leveraged to address limitation L-2. The intuition behind is that such awareness can enable the defense to include the attacked data structures and exclude the safe ones for randomization.

The goal to optimize the above described trade-off can be formulated as a feedback control problem — The defender (controller) uses the feedbacks (cost-effectiveness) from previous randomization cycles to adaptively choose the set of data structures to randomize (the next action) such that the trade-off is optimized.

In this paper, we are therefore deeply interested in the problem: Can feedback control be leveraged to address the two limitations of dynamic DSLR?

Our approach

Based on the above insights, we propose a novel technique, feedback-control-based adaptive DSLR and build a system named SALADSPlus. SALADSPlus includes two parts. The first part is a compiler extension, which transforms a program into a Data Structure Self-Randomizing (DSSR) program. The compiler extension mounts the DSSR program into an adaptive strategy that utilizes the Upper Confidence Bound DSLR (UCB-D) algorithm to select data structures for protection at each re-randomization. Different from SALADS, the set of randomized data structures are adaptively changed based on the cost-effectiveness utilities of the previous cycles. To obtain those utilities, SALADSPlus inserts canary in each data structure at the time of compilation. At runtime and the end of each defense cycle, SALADSPlus collects the number of polluted canaries. Such information is then used to calculate the utilities.

The second part of our SALADSPlus system is an adversarial reasoning scheme. This scheme monitors the execution of a DSSR program and uses the observations to reduce the uncertainty in detecting ongoing DSMA. In addition, this scheme can help locate the program targeted by the DSMA.

Our contributions in this work are summarized as follows:

This is the first effort toward feedback-control-based adaptive DSLR.

realistic for the defender to eliminate all attacks. Therefore the defense goal is to increase the difficulty for the attacker to succeed with low cost. As discussed, static DSLR is fixed at runtime and vulnerable to brute force attacks. And dynamic DSLR techniques (e.g., SALADS) have to face the trade-off between security and cost. If a large set of data structures are re-randomized, it will significantly affect the performance. On the other hand, if the data structures targeted by the attacker are not covered, it cannot provide security. To achieve an optimized trade-off, we employ the canary mechanism to collect feedbacks and periodically select a (small) set of data structures to randomize at runtime based on the observable feedbacks. In particular, SALADSPlus utilizes memory forensic approach to find the polluted canaries. The polluted canaries are sent as the feedbacks to the defender. We will show in "Evaluation" section that the polluted canaries reflect how many DSMAs are blocked (failed DSMAs) and thus can be used to evaluate the effectiveness of a defense action. Those feedbacks can provide awareness of the attacked
data structures, which can be leveraged to include the A novel feedback-control-based adaptive defense attacked data structures and exclude the safe ones for algorithm extended from UCB (Upper Confidence randomization. Bound) algorithm (Auer et al. 2002) is proposed. The key idea of SALADSPlus is trial-and-error learn- An adversarial reasoning scheme is proposed. It ing. More specifically, SALADSPlus receives polluted enables the defender to know more about the canaries, which reflect how many DSMAs are blocked attacker. It also helps locate the program targeted by and evaluate how well the deployed actions are. On the DSMA. one hand, SALADSPlus selects the optimal actions that On average, the runtime overheads introduced by can block most DSMAs in the history (exploitation), on SALADSPlus are 1.8%, 3.7%, and 5.3% for application the other hand, SALADSPlus also tires seemingly non- programs (SPECInt2006, openssh-2.1.1p4, optimal actions choices (exploration). So SALADSPlus is httpd-1.1.1,and openssl-0.9.6d), when the particularly well suited to defend against DSMAs where defense cycles are 10s, 5s, and 1s, respectively. the defender is unaware of the targets of DSMAs but can evaluate its previous actions via repeated interactions Overview with attackers. The details of how the defender updates Our work focuses on developing a specific defense against its actions by utilizing the feedbacks will be illustrated in DSMA (Chen et al. 2015), named SALADSPlus, before ‘‘Cost-effectiveness utility and UCB-D algorithm’’ sections. any patches are generated and the zero-day memory And the unique capability of the SALADSPlus, adversarial corruption bugs are located. This section presents the reasoning, will be introduced in “Adversarial reasoning motivation and overview of our defense system. Under scheme” section and evaluated along with the cost- the protection of a defense action, the server uses effectiveness in “Evaluation” section. 
The uniform time canary detection to identify the number of failed DSMAs interval between two consecutive updates of the defense during a defense cycle and reports the number to the actions is denoted as a defense cycle and the whole vul- defense decision maker (“Canary detection”section). The nerability window is denoted as N defense cycles; i.e., feedback is used by the defense decision maker to cal- T  {1, 2, ··· , N }.Notethatwedonotspecifythe feed- culate the cost-effectiveness of previous defense action backsand theupdatefrequencyofthe attacker. Intherest (“Cost-effectiveness utility” section), and select defense of the paper, we evaluate the security from the point of action for next defense cycle (i.e., a data structure whitelist in view of the defender. “Dynamic data structure layout randomization”section). System components Feedbacks and adaptive defense In the system model depicted in Fig. 1, we consider During the vulnerability window, the defender has limited two entities: the defender and the attacker. The attacker launches the DSMA. In order to circumvent the defense, knowledge of the attacks; e.g., the bug locations, target data structures, etc. Under this limited knowledge, it is not the attacker uses brute force attacks to locate the target Chen et al. Cybersecurity (2018) 1:3 Page 4 of 13 Dynamic data structure layout randomization As discussed in Section ref, dynamic DSLR techniques (e.g., SALADS) are facing two limitations.Our solution SALADSplus uses a novel UCB-D algorithm to dynam- ically make decisions on “which data structures to ran- domize”, while SALADS sticks to a fixed set of data struc- tures. To solve the first limitation, we develop an adaptive algorithm (in “UCB-D algorithm” section) to dynamically decide “which set of data structures to randomize dur- Fig. 
1 Overview of how DSSR Binary defends against DSMA ing the next defense cycle” based on the cost-effectiveness utility value (in “Cost-effectiveness utility”section)ofthe data structures. The defender, named SALADSPlus, con- previous decisions. The algorithm enables the defender to sists of two components: defense decision maker and choose better actions as time goes by. To reduce the over- defense actions. head, SALADSPlus re-randomizes data structures much less frequently (i.e., once per defense cycle) but in a much Data Structure Manipulation Attack (DSMA) In this more adaptive certain sense (more adaptivity in general paper, we consider one attacker with multiple DSMAs. In provides more resilience to DSMA). general, an attacker launching DSMAs is associated with a At the beginning of each defense cycle, DSSR binary set of attack actions denoted by A  {a , ··· , a },where 1 m randomizes the data structures in the dynamic whitelist, each action is a combination of several attack scripts. One and de-randomizes the data structures that are not in attack script targets several data structure types (once a the dynamic whitelist. There are two challenges when we script is fixed, the targets are fixed). design SALADSPlus: (1) changing the dynamic whitelist of data structures at runtime without recompiling the Data Structure Self-Randomization Binary (DSSR program(SALADS compiles thesourcecodewitha Binary) SALADSPlus uses adaptive DSLR with static whitelist); (2) when DSSR binary randomizes data adversarial reasoning and generates Data Structure structures, multiple DSSR statements are executed based Self-Randomization binary (DSSR Binary). The DSSR on the previous layout of the data structures. Without binary maintains the metadata for all the data structure concurrency methods, the DSSR statements may access instances, including the base addresses and relative posi- totally irrelevant fields. tions of the fields in data structures. 
In addition, all the data structure read/write operations are replaced with Dynamic WhiteList To solve the first challenge, DSSR a set of DSSR statements (Chen et al. 2015) to access binary maintains a dynamic whitelist. A dynamic whitelist the randomized data structure layout. What’s more, all is a buffer which is allocated in the heap and inserted by the definitions of the data structures are randomized our customized compiler. It consists of the indices of the at compile-time, and padding bytes are inserted into data structures. If a data structure is in the whitelist, DSSR the data structures (Lin et al. 2009). The DSSR binary binary will randomize it in a defense cycle. Otherwise, the is equipped with a set of defense actions denoted by data structure will keep its pre-known layout. The only D  {d , ··· , d }, where each defense action random- 1 n code of DSSR binary that can access the dynamic whitelist izes a particular set of data structures at runtime. The is an independent thread illustrated as follows. defense decision maker adaptively updates its actions. Theadaptiveupdaterule will be brieflydiscussed in Independent Thread Independent thread is a thread Section Feedbacks and adaptive defense.Inorder to get which is inserted by our customized compiler at the entry the feedbacks for the defender, canary detection inserts of DSSR binary. The thread will allocate the dynamic 32-bit specific values for each field into data structures whitelist and update the whitelist periodically. The thread of a DSSR binary. Once DSSR binary detects a polluted calls the UCB-D function, which we will present shortly canary, it indicates an attacker has maliciously modified in “UCB-D algorithm” section, to “know" exactly how to the fields in a data structure; reports the program name update the whitelist. Once the whitelist is updated, the and the target data structure to the security officer. 
thread will de-randomize the data structures in the pre- Design and implementation vious whitelist, and randomize the data structures in cur- In this section, we first present dynamic data structure lay- rent whitelist. In addition, the thread contains the canary out randomization, and then demonstrate how the canary detection (in “Canary detection”section). detection generates cost-effectiveness utility values. Fur- ther we illustrate the cost-effectiveness utility value and Write Preferring Lock To solve the second challenge; the UCB-D algorithm. i.e., avoiding the inconsistency between the DSSR Chen et al. Cybersecurity (2018) 1:3 Page 5 of 13 statements and the independent thread, we propose defense cycle. Note that the number of polluted canaries a write preferring lock method. We create a mutex is determined by both the attack action (the combination lock and a global counter which calculates how many of attack scripts) and defense action (randomized data DSSR statements are currently executed. The thread will structures). Then the effectiveness can be represented as require a lock before it randomizes/de-randomizes the a mapping from A × D to R, i.e., for defense cycle t,the data structures,and release thelockafterit finishes the effectiveness is r(t) = r(a(t), d(t)). randomization/de-randomization. Before the thread does If adaptive DSLR does not incur any cost, then the best the randomization/de-randomization, it waits until all defense is to randomize all feasible data structures. How- the concurrent DSSR statements are completed; i.e., the ever the study of SALADS (Chen et al. 2015)shows that global counter is 0. DSSR statements will check the lock the performance overhead is proportional to the number before accessing the data structure. If the lock is occupied of randomized data structures. For example, SALADS by the thread, the statements will wait. 
When DSSR state- introduces 110%, 120% runtime overhead when random- ments are executed, they will firstly increase the global izing 20% of data structures in gzip and gap respectively. counter by 1, and after accessing the data structure, the We use the number of randomized data structures to global counter decreases by 1. quantify the cost in each defense cycle. The number of randomized data structures is only determined by the Canary detection defense action. Then the cost can be represented as a The canary detection scheme generates cost-effectiveness mapping from D to R, i.e., for defense cycle t,the cost is utility values. In particular, the canary detection is exe- c(t) = c(d(t)). cuted in the thread at the end of each defense cycle based Since the numbers of DSMAs and the numbers of data on the memory forensic analysis. It scans the canaries in structures in all defense cycles are finite, the utility val- the randomized data structures and compares current val- ues in all defense cycles are also bounded. More formally, − + − + ues with a random canary value (Crispin et al. 1998). The there are u and u such that ∀t ∈ T, u(t) ∈[ u , u ]. random canary is chosen at the beginning of each defense Additionally, the defender knows the bounds. Note that cycle through/dev/urandom. If a canary in a data struc- there might be some DSMAs that cannot achieve their ture is polluted, we regard it as one failed DSMA. To attack goal but bypass all canaries. Therefore, the util- quickly pinpoint the canary, we maintain an array to ity cannot precisely represent the cost-effectiveness of a record the addresses of the canaries and mark each ele- defense action because the effectiveness part r may con- ment as 0 or 1,where 1 indicates that the canary needs tain error. We introduce utility error to represent bypass- ing DSMAs. More formally, the utility error for each to be checked. 
After DSSR statements complete the data structure access, the canary detection checks whether the defense cycle t is denoted as (t) and u(t) = u (t) − (t), data structure type is in the whitelist, and then DSSR where u (t) is the ground truth utility if all failed DSMAs statements will update the array for the corresponding can be detected and (t) represents thenumberoffailed canaries. DSMAs which bypass the canary detection. Our canaries are randomized by the adaptive DSLR and thus diffi- Cost-effectiveness utility cult to bypass. So (t) is small. This will be validated in The UCB-D algorithm is a utility-based reinforcement “Evaluation”section. learning algorithm. As mentioned in “Feedbacks and adaptive defense” section, the key idea of SALAD- UCB-D algorithm SPlus is to utilize feedbacks generated by the server in With the cost-effectiveness utility value, the defense history to evaluate the corresponding defense actions problem can be formulated as: how to choose a and gradually identify the optimal actions. We define sequence of defense actions to maximize the sum of utility to quantify the cost-effectiveness of a defense received utility values during the vulnerability window action. In particular, the utility is in the form of u = T. For simplicity, we define the sum as the aggre- W r − W c,where r is the effectiveness and c is the cost. r c gate utility. The UCB-D algorithm (an extension of And the constant weights W and W are chosen accord- r c the UCB algorithm in Multi-armed Bandit problems ing to the preference of the defender on security and (Kuleshov and Precup 2014; Lai and Robbins 1985)) efficiency. is proposed to solve the problem. A set of notations The most straightforward quantification of the effec- will be introduced as follows before the steps of the tiveness is the number of failed DSMAs during a defense algorithm: cycle. 
It is mentioned in “Canary detection”section that if a canary in a data structure is polluted, we regard it 1 is an indicator function: 1 = 1 if  is true as one failed DSMA. Therefore, we use the number of {} {} polluted canaries to quantify the effectiveness in each and 1 = 0 if  is false. {} Chen et al. Cybersecurity (2018) 1:3 Page 6 of 13 Algorithm 1 The UCB-D Algorithm An attractive feature of the UCB-D algorithm is that the defender can maximize the aggregate utility value with 1: for d ∈ D do limited information of DSMAs. In particular, the algo- 2: T (1) = 0; rithm only requires the defender to know its previous 3: μ ¯ (1) = 0; actions and their induced utility values. In contrast, it 4: end for does not require the defender to pinpoint the attacked 5: for t = 1; t ≤ N; t ++ do data structures. In the UCB-D algorithm, the defender, 6: for d ∈ D do on one hand, uses average utility value (the first term 7: if T (t) == 0 then of I (t)) in the history predict how well an action might 8: I (t) =+∞; d work in the future and selects the most successful action, 9: else + − 2ln(t) and on the other hand, tries less successful actions by 10: I (t) =¯ μ (t) + (u − u ) ; d d T (t) the penalty term (the second term of I (t)). Through 11: end if the repeated interactions with the attacker, the defender 12: end for gradually identifies the data structures which are more 13: d(t) = arg max I (t); d∈D likely attacked and randomizes them more often than 14: T (t + 1) = T (t) + 1; d(t) d(t) others. 15: for d ∈ D \{d(t)} do 16: T (t + 1) = T (t) d d Adversarial reasoning scheme 17: end for From the experiments in next section, we will see SAL- 18: Defender receives u(t); ADSPlus can provide good effectiveness with low per- 19: for d ∈ D do formance overhead. In this section, we discuss another capability of SALADSPlus: it can enable the security offi- 20: μ ¯ (t + 1) = (u(τ )1 ); d {d(τ )=d} T (t+1) τ =1 cer to do two-level adversarial reasoning in real time. 
21: end for First, the security officer can determine whether a zero- 22: end for day attack is DSMA or not. Second, if a zero-day attack is DSMA, the security officer can do program level rea- soning to infer the target program of the DSMA. This t−1 two-level adversarial reasoning is elaborated as follows. T (t) = 1 is the number of times defense d {d(τ )=d} τ =1 action d has been chosen by the end of defense cycle First Level Adversarial Reasoning The basic idea of the t − 1. first level adversarial reasoning is to compare a zero-day t−1 attack with some known attacks (including DSMAs and ∀d ∈ D, μ ¯ (t) = u(τ )1 represents d {d(τ )=d} T (t) non-DSMAs) at runtime and infer whether the zero-day τ =1 the empirical average utility the defender actually attack is DSMA or not. Note that the utility defined in receives by choosing defense action d by the end of “Cost-effectiveness utility”section canbeusedtoquantify defense cycle t − 1. cost-effectiveness of our defense. Since our defense is only 2ln(t) + − effective when defending against DSMAs (determined by ∀d ∈ D, I (t) = μ ¯ (t) + (u − u ) d d T (t) the DSSR Binary), the aggregate utility values of DSMAs represents the upper confidence index of action d at and non-DSMAs are very different. Therefore by compar- the beginning of defense cycle t. ing the aggregate utility of the zero-day attack with those of known attacks, the security officer can tell whether In particular, at the beginning of the defense cycle t,the the zero-day attack is DSMA or not. The aggregate utility defender updates I (t) of each defense action (Line 6–11). values of the known attacks are achieved in Matlab simu- The indices of the actions that have never been chosen lations. We simulate SALADSPlus and the known attacks are set to be far larger than others’. In this way, these in Matlab because the simulations are much faster than actions will be chosen with higher priorities (Line 7–8). the real experiments in web servers. 
And the simulation For the actions that have been chosen before, their indices results are similar to the real experiment results. This sim- are updated based on their empirical average utility val- ilarity is ensured by the following three aspects: (1) The ues (Line 9–11). The defender chooses the new action d(t) with the largest index (Line 13) and updates the num- Matlab simulations have the same features as the real- bers of times each defense action has been chosen (Lines world vulnerable web servers in terms of data structure 14–17). At the end of the defense cycle t, the defender types and instances. It is difficult to simulate the whole receives utility value u(t) (Line 18) and then updates servers in Matlab, but we simulate the data structures and the empirical average utility values of all defense actions the related manipulations in Matlab. (2) The same UCB- (Line 19–20). D algorithm is implemented in both the real-world web Chen et al. Cybersecurity (2018) 1:3 Page 7 of 13 servers and the Matlab simulations. (3) The simulated beginning of each defence cycle, we randomize the data attacks have the same features as known CVEs in terms of structures in one group based on the UCB-D algorithm. targets and attack frequencies. How attacks are launched We launch six real world Second Level Adversarial Reasoning If a zero-day attack attacks shown in Table 1.Inthe firstattack, thebuffer is a DSMA, the security officer can further infer which overflow bug in openssl (CVE-2002-0656 2002)is program the DSMA is targeting. This adversarial rea- exploited to overwrite a data structure instance session soning capability is provided by the canary detection. (of type ssl_session_st)and malloc_chunk, The canary detection reports two messages when some whose details have been presented in “Data Structure Manipulation Attack (DSMA)” section. 
In the second canaries are polluted: (1) the type of polluted data struc- attack, the integer truncation bug in (CVE-2001-0144 tures; (2) the program name which is inserted into the DSSR programs. With the program name and data struc- 2001) is exploited to overflow the pw_uid in passwd ture type, the security officer can quickly pinpoint the type and do privilege escalation. The third attack exploits target program. This second level adversarial reasoning is the heap overflow bug in (CVE-2015-0235 2015), which only meaningful when SALADSPlus is effective; i.e., the will pollute malloc_chunk. In the fourth attack, the zero-day attack does not succeed. For example, the attack stack overflow bug in (CVE-1999-0071 1999)isexploited (CVE-2002-0656 2002) lasted several days against SAL- to overflow timeval. In the fifth attack, Heartbleed ADSPlus but still failed . This effectiveness, which will be bug (CVE-2014-0160 2014) is exploited to over-read 2- validated in “Evaluation” section, gives the security officer bytes buffer and leak sensitive data. In the sixth attack, sufficienttimetolocatethe target programofthe zero- the same bug in openssh (CVE-2001-0144 2001)is used day attack. Note that the first level adversarial reasoning is to modify an authentication flag (Chen et al. 2005) important because the security officer can quickly rule out and circumvent the authentication check. This attack non-DSMAs and do second level adversarial reasoning. does not affect any data structure, and we denote it as do_authentication attack. Both Heartbleed and Evaluation do_authentication attacks are non-DSMAs. In this section, we present the evaluation of SALAD- SPlus. We first introduce the evaluation environment in Effectiveness We compile the selected programs with “Real-world environment” section. We then evaluate the static DSLR and SALADSPlus, respectively. 
During our effectiveness of SALADSPlus in “Effectiveness”section experiments,wealsoenableASLRintheexecutionenvi- and its performance overhead in “Performance overhead” ronments. We compare the defense results of static DSLR section. We finally verify the adversarial reasoning capa- and SALADSPlus by launching the six attacks respec- bility of SALADSPlus in “Adversarial reasoning”section. tively. Defense results are also shown in Table 1.The results demonstrate that in two hours, all six attacks can succeed when static DSLR is deployed. When SAL- Real-world environment ADSPlus is deployed, DSMAs cannot succeed within We implement SALADSPlus on the top of gcc-4.5.0 with 12K lines of C code added. All evaluation experiments are two hours but the non-DSMAs; e.g., Heartbleed and conducted on an Intel(R) Core(TM) i5 machine with 4GB do_authenticated attack, can succeed. memory running Red Hat Linux 7.3 with Linux kernel version 2.4.18. Justification of Effectiveness Part in Utility The cost- effectiveness is represented by the difference between Effectiveness the number of failed DSMAs (effectiveness part) and How DSSR applications are generated We generate the number of randomized data structure instances (cost DSSR applications via using SALADSPlus to compile part). As mentioned in “Cost-effectiveness utility”section, open source programs, including apache-1.1.1, SALADSPlus uses the canary detection to indicate the openssh-2.1.1p4, openssl-0.9.6d,and failed DSMAs. Therefore we define the number of pol- glibc-2.2.2. The DSSR applications contain 348, 47, luted canaries as the effectiveness part in our utility. 132, and 2329 data structure types, respectively. The fol- Table 2 shows that the polluted data structures detected lowing experiments are conducted on a vulnerable apache by the canary detection can reflect failed DSMAs, which web server (apache-1.1.1 compiled with openssl-0.9.6d justifies the effectiveness part of our utility. 
and glibc-2.2.2) and a vulnerable ssh server (openssh- 2.1.1p4 compiled with glibc-2.2.2). For the vulnerable Performance overhead servers, we divide data structures to five groups, where Runtime Overhead To evaluate the runtime over- each group has 20% data structures. We choose the length head introduced by SALADSPlus, we test a number of the defense cycle as 1/5/10 seconds, respectively. At the of programs, including SPECInt2006, httpd-1.1.1, Chen et al. Cybersecurity (2018) 1:3 Page 8 of 13 Table 1 Defense results of DSSR applications in two hours Programs CVE # Bugs Data Structure Static DSLR SALADSPlus openssl-0.9.6d CVE-2002-0656 KEY ARG bug (CVE-2002-0656 2002) ssl_session_st × malloc_chunk glibc-2.2.2 CVE-2015-0235 GHOST bug (CVE-2015-0235 2015) malloc_chunk × openssh-2.1.1 CVE-2001-0144 CRC-32 bug (CVE-2001-0144 2001) passwd × apache-1.1.1 CVE-1999-0071 Cookie bug (CVE-1999-0071 1999)timeval × openssl-1.0.1c CVE-2014-0160 Heartbleed bug (CVE-2014-0160 2014)N/A ×× openssh-2.1.1 CVE-2001-0144 do_authentication (CVE-2001-0144 2001)N/A ×× openssh-2.1.1p4 and openssl-0.9.6d.Weinsert with those in Matlab simulations to validate the similar- the instrumented code to calculate the number of ran- ity between results of the Matlab simulations and real- domized data structure instances at runtime. Table 3 world web server experiments. The results are shown shows the results. The defense cycles are 1/5/10 seconds in Fig. 4.Wecan seethatthe aggregateutilityvalues and in each defense cycle, 20% data structures are ran- of both the DSMAs and non-DSMAs (Heartbleed and domized. As Fig. 2 shown, theaverage runtimeoverheads do_authentication) achieved in Matlab simulations are 5.3%, 3.7%, 1.8% on average. The performance results are similar to those achieved in Apache and Openssh show that the runtime overhead is in parallel to the experiments respectively. randomized data structure instances. 
Memory Overhead
We compare the memory usage of DSSR programs with original programs. As Fig. 3 shows, the memory overhead is 1.8% on average. The memory overhead is orthogonal to the defense cycle, and is mainly introduced by the paddings and canaries.

Fig. 2 Runtime overhead

Fig. 3 Memory overhead

Adversarial reasoning
In this section, we verify that SALADSPlus enables the security officer to do adversarial reasoning in real time.

Simulation Settings
First we simulate SALADSPlus and the same six attacks in Matlab and get their corresponding aggregate utility values. The Matlab simulations have the same features as the vulnerable apache web server and ssh server in terms of data structure types and instances. We select 5 seconds as the length of one defense cycle. The simulated attacks have the same features as the CVEs in terms of targets and attack frequency.

Validation of the Similarity
First we compare the aggregate utility values in Apache and Openssh experiments

Fig. 4 a-b: Comparisons among the aggregate utility values in Matlab simulations and Apache experiments when defending against openssl (CVE-2002-0656), glibc (CVE-2015-0235), apache (CVE-1999-0071), and Heartbleed (CVE-2014-0160); c-d: the comparison among the aggregate utility values in Matlab simulations and Openssh experiments when defending against glibc (CVE-2015-0235), openssh (CVE-2001-0144), and do_authentication (CVE-2001-0144)

First Level Adversarial Reasoning
We use mutations of the attacks to simulate the zero-day attacks, and then compare the aggregate utility values of the mutated attacks achieved in Apache and Openssh experiments with those of the known attacks in simulations to tell whether the zero-day attacks are DSMAs or not. We mutate the attack scripts in two ways: (1) changing the attack target; (2) merging multiple attack scripts into one. First, we change the attack script that exploits CVE-2001-0144 (CVE-2001-0144 2001): instead of modifying pw_uid in passwd, we write an additional attack script to manipulate pw_passwd in passwd. Second, we merge the attack scripts that exploit openssl (CVE-2002-0656 2002) and apache (CVE-1999-0071 1999) into one attack at the mixing ratio of 10 to 1. Figure 5 shows that the curves of the mutated attacks are similar to the original DSMAs, but different from the non-DSMA, which verifies the first level adversarial reasoning.

Fig. 5 a-b: Compare the aggregate utility values of apache + openssl (CVE-2002-0656 & CVE-1999-0071), and Heartbleed (CVE-2014-0160) in real server experiments with the aggregate utility values in Matlab simulations; c-d: compare the aggregate utility values of openssh mutation (CVE-2001-0144) and do_authentication (CVE-2001-0144) in real server experiments with the aggregate utility values in Matlab simulations

Second Level Adversarial Reasoning
For zero-day DSMAs, we infer their target programs. From the experimental results, all the four DSMAs mentioned in Section Effectiveness can be detected by the canary detection. The correct target programs' names and the polluted data structures are reported to the security officer.

Table 2 Justification of Effectiveness in Utility

| Programs | CVE # | Bugs | # Polluted ds in 5s | # Attacks in 5s |
|---|---|---|---|---|
| openssl-0.9.6d | CVE-2002-0656 | KEY ARG bug (CVE-2002-0656 2002) | 10 | 10 |
| glibc-2.2.2 | CVE-2015-0235 | GHOST bug (CVE-2015-0235 2015) | 16 | 16 |
| openssh-2.1.1 | CVE-2001-0144 | CRC-32 bug (CVE-2001-0144 2001) | 10 | 10 |
| apache-1.1.1 | CVE-1999-0071 | Cookie bug (CVE-1999-0071 1999) | 50 | 50 |

Table 3 The number of randomized data structure instances at runtime

| Programs | # Instances |
|---|---|
| httpd-1.1.1 | 114 |
| openssh-2.1.1 | 89 |
| openssl-0.9.6d | 245 |
| astar | 12 |
| bzip2 | 1093 |
| gcc | 689 |
| h264ref | 47 |
| libquantum | 19 |
| omnetpp | 24 |
| sjeng | 13 |
| gobmk | 15 |
| hmmer | 14 |
| mcf | 23 |
| perlbench | 98 |
| specrand | 0 |

Discussion
Our adaptive defense can perform adversarial reasoning to tell whether the attack is DSMA or not. However, if the attacker knows the defense, it can tailor the attack actions; e.g., extending the duration of an attack attempt to several defense cycles. As such, the canary detection may not be able to detect the DSMA in some defense cycles, and the cost-effectiveness utility values in these defense cycles may be very close to those of a non-DSMA. Nonetheless, the defense can still get the feedbacks from the server and adaptively update its actions. As time goes by, the defender will gradually choose better actions, so the long term aggregate utility will improve and be different from that of the non-DSMA.

Our adaptive defense is deployed before any patches are generated and the zero-day memory corruption bugs are located. During the vulnerability window, the defender has limited knowledge of the attacks. Under this limited knowledge, it is not realistic for the defender to guarantee that no DSMA can succeed. However, as one form of moving target defense, our goal is to increase DSMA costs and make it harder for the attacker to succeed. In particular, a DSMA might succeed in one defense cycle. But when the same attack is launched the next time, the attacker still has to spend a very large price to succeed. In addition, a failed attack could tamper with some data and have some side effects. But due to randomization, the attacker should have no idea of the locations of the tampered data in a short period. So the probability of facilitating following attack attempts should be very small.

The canary detection can detect continuous buffer overwrite attacks, which are the main form of buffer overflow. There are several methods to bypass the canary detection (Litchfield 2003; Team C 2009). However, most of the canary bypass methods are focused on the stack cookie (Team C 2009). Some methods (Litchfield 2003) even need to hook the data structures (e.g., exception handler registration structure) to bypass. In contrast, our adaptive DSLR can raise the bar for this kind of bypassing. In addition, discrete write approaches, which use bugs like format string (OWASP 2009), can modify target data objects without changing the value of the canary. As such, discrete write can circumvent the canary detection. What's more, to circumvent the canary detection, an attacker can resort to memory content leakage (e.g., memory disclosure (Snow et al. 2013), uninitialized memory tracking (Chen et al. 2011), side channel (Bittau et al. 2014; Seibert et al. 2014; Zhang et al. 2012)). At the client side, the canaries may be easier to read than at the server side, because just-in-time compilers (e.g., Javascript and Actionscript engines) may help the attacker to poke around memory (Blazakis 2010). State-of-the-art protections CFI (Abadi et al. 2005; Bletsch et al. 2011; Egele et al. 2012; Zhang and Sekar 2013) and ASLR (Backes 2014; Bhatkar et al. 2003, 2005; Hiser et al. 2012; Kil et al. 2006; Keromytis et al. 2012; Paleari et al. 2009; The PaX Team 2003b; Wartell et al. 2012; Bigelow et al. 2015; Davi et al. 2015; Giuffrida et al. 2012; Lu et al. 2016) raise the bar for the attacker to get the information of memory layout.

When the canary detection discovers the DSMAs, it is clearly a malicious/unsafe event. If the point is that attackers may continue poking around in a brute-force fashion, then blocking the attack after the detection of several consecutive crashes/canary overwrites seems to be a good idea. However, this kind of defense (stopping the process) actually has the same results under DDoS attacks. In addition, merely stopping cannot prevent the next occurrence of the same DSMA.

Related work
In this section, we focus on two potential defenses against DSMAs: Data Flow Integrity and Data-Plane Randomization.

Data Flow Integrity
DFI was first proposed by Miguel Castro et al. (2006). By using static analysis, DFI computes a Data Flow Graph and checks whether the definition of each data object is legal at run-time. A tailored DFI (Song et al. 2016) was proposed to solve the privilege escalation attack in the kernel. A complete enforcement of DFI can defend against DSMAs; however, complete DFI suffers from performance overhead as high as 103% (Castro et al. 2006). Tailored DFI (Song et al. 2016), focusing on privilege escalation attacks in the kernel, can defeat a small part of DSMAs, but the majority of DSMAs are out of the scope of that work. Recently, researchers leverage hardware to assist the DFI and improve the runtime overhead (Song et al. 2016). However, the techniques heavily depend on new features of the newest CPU (processor tracing), which is not in use by the majority of web service providers. By comparison, our method not only has reasonable performance overhead, but also is hardware independent.

Data-Plane Randomization
Data Space Randomization (DSR) (Bhatkar and Sekar 2008; Cadar et al. 2008) was proposed to prevent non-control-flow attacks by XORing data with random masks. However, DSR introduces high performance overhead since all the data objects need to be randomized. Static DSLR (Lin et al. 2009; Stanley et al. 2013; Xin et al. 2010) was proposed to prevent data structure manipulation attacks by modifying the definition of a data structure to reorder the fields. However, static DSLR has several limitations. First, the layout randomized by static DSLR is determined at compile time, and it is vulnerable to brute force attacks (Shacham et al. 2004). Second, static DSLR requires manual efforts to determine which data structures can be randomized. Xin et al. (2010) extend static DSLR and propose to use a constraint set to select randomizable data structures. But their technique cannot handle nested data structures and ignores all data structures associated with pointer operations. Recently, SALADS (Chen et al. 2015) was proposed to achieve dynamic data structure layout re-randomization. However, the set of randomized data structures selected by an expert is fixed throughout the whole lifetime of a process. In addition, SALADS suffers from high runtime overhead.

Conclusion
We present SALADSPlus, a new adaptive DSLR with adversarial reasoning, that automatically translates a program to a data structure self-randomizing (DSSR) program. At runtime, a DSSR program periodically selects and randomizes a set of data structures based on the UCB-D algorithm. Besides, SALADSPlus can perform adversarial reasoning to indicate whether there is a DSMA or not, and further locate the target program of the attack. SALADSPlus is the first effective defense with low overhead against DSMA. Moreover, adversarial reasoning is a unique feature of our defense. We have implemented SALADSPlus based on gcc-4.5.0. Experimental results show that the runtime overheads are 1.8%, 3.7%, and 5.3% when the defense cycles are selected as 10s, 5s, and 1s respectively.

Endnotes
ASLR randomizes the base addresses of both data and code in the memory.
CFI disables deviations from the being-protected program's original control-flow graph.
We used brute force attacks to guess the layout of ssl_session_st when we did the experiments.

Acknowledgements
This work was supported by ARO W911NF-13-1-0421 (MURI), NSF CNS-1422594, and NSF CNS-1505664.

Authors' contributions
PC carried out the background, idea proposal, system implementation and evaluation. ZH designed the UCB-D algorithm, participated in the experiments and drafted the manuscript. JX carried out the improvements of the manuscripts. MZ participated in the problem formulation, designed the UCB-D algorithm and drafted the manuscript. PL conceived of the study and participated in its design and coordination. All authors read and approved the final manuscript.

Competing interests
The authors declare that they have no competing interests.

Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Author details
College of Information Sciences and Technology, The Pennsylvania State University, University Park 16802, PA, USA. The School of Electrical Engineering and Computer Science, The Pennsylvania State University, State College, University Park 16801, PA, USA.

Chen et al. Cybersecurity (2018) 1:3
Received: 4 January 2018 Accepted: 17 April 2018

References
Abadi M, Budiu M, Erlingsson U, Ligatti J (2005) Control-flow integrity. In: ACM Conference on Computer and Communications Security (CCS ’05). ACM, New York
Auer P, Cesa-Bianchi N, Fischer P (2002) Finite-time analysis of the multiarmed bandit problem. Mach Learn 47(2-3):235–256
Backes M, Nürnberger S (2014) Oxymoron: Making fine-grained memory randomization practical by allowing code sharing. In: USENIX Security Symposium (Security ’14). USENIX Association, San Diego
Bhatkar E, Duvarney DC, Sekar R (2003) Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In: USENIX Security Symposium (Security ’03). USENIX Association, San Diego
Bhatkar S, Sekar R (2008) Data space randomization. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA ’08). Springer-Verlag, Berlin
Bhatkar S, Sekar R, DuVarney DC (2005) Efficient techniques for comprehensive protection from memory error exploits. In: USENIX Security Symposium (Security ’05). USENIX Association, San Diego
Bigelow D, Hobson T, Rudd R, Streilein W, Okhravi H (2015) Timely rerandomization for mitigating memory disclosures. In: Proceedings of the 22nd Conference on Computer and Communications Security (CCS ’15). ACM, New York
Bittau A, Belay A, Mashtizadeh A, Mazieres D, Boneh D (2014) Hacking blind. In: IEEE Symposium on Security and Privacy (Oakland ’14). IEEE Computer Society, Washington
Blazakis D (2010) Interpreter exploitation. In: USENIX Conference on Offensive Technologies (WOOT ’10). IEEE Computer Society, Washington
Bletsch T, Jiang X, Freeh V (2011) Mitigating code-reuse attacks with control-flow locking. In: Annual Computer Security Applications Conference (ACSAC ’11). ACM, New York
Cadar C, Akritidis P, Costa M, Martin J-P, Castro M (2008) Data randomization. In: MSR-TR-2008-120. Microsoft Research, Cambridge
Castro M, Costa M, Harris T (2006) Securing software by enforcing data-flow integrity. In: Proceedings of the 7th Symposium on Operating Systems Design and Implementation (OSDI’06). USENIX Association, Berkeley
Chen H, Mao Y, Wang X, Zhou D, Zeldovich N, Kaashoek MF (2011) Linux kernel vulnerabilities: State-of-the-art defenses and open problems. In: Asia-Pacific Workshop on Systems (APSys ’11). ACM, New York
Chen P, Xu J, Lin Z, Xu D, Mao B, Liu P (2015) A practical approach for adaptive data structure layout randomization. In: Proceedings of the 20th European Symposium on Research in Computer Security (ESORICS’15). Springer, Switzerland
Chen S, Xu J, Sezer EC, Gauriar P, Iyer RK (2005) Non-control-data attacks are realistic threats. In: Proceedings of the 14th Conference on USENIX Security Symposium (Security ’05). USENIX Association, San Diego
Crispin C, Calton P, Dave M, Heather H, Jonathan W, Peat B, Steve B, Aaron G, Perry W, Qian Z (1998) Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks. In: USENIX Security Symposium (Security ’98). USENIX Association, San Diego
CVE-1999-0071 (1999) Apache-cookie bug. http://seclab.cs.ucdavis.edu/projects/testing/vulner/39.html
CVE-2001-0144 (2001) SSH CRC-32 compensation attack detector. http://www.securityfocus.com/bid/2347/discuss
CVE-2002-0656 (2002) Apache openssl heap overflow exploit. http://www.phreedom.org/research/exploits/apache-openssl/
CVE-2014-0160 (2014) Heartbleed Bug
CVE-2015-0235 (2015) Ghost: glibc gethostbyname buffer overflow. https://www.qualys.com/2015/01/27/cve-2015-0235/GHOST-CVE-2015-0235.txt
Davi L, Liebchen C, Sadeghi A-R, Snow KZ, Monrose F (2015) Isomeron: Code randomization resilient to (just-in-time) return-oriented programming. In: Annual Network and Distributed System Security Symposium (NDSS ’15). NDSS Symposium, San Diego
Egele M, Fischer T, Holz T, Hund R, Nurnberger S, Sadeghi AR, Davi L, Dmitrienko A (2012) Mocfi: A framework to mitigate control-flow attacks on smartphones. In: Annual Network and Distributed System Security Symposium (NDSS’12). NDSS Symposium, San Diego
Giuffrida C, Kuijsten A, Tanenbaum AS (2012) Enhanced operating system security through efficient and fine-grained address space randomization. In: USENIX Conference on Security Symposium (Security ’12). USENIX Association, San Diego
Hiser J, Nguyen-Tuong A, Co M, Hall M, Davidson JW (2012) Ilr: Where’d my gadgets go? In: IEEE Symposium on Security and Privacy (Oakland ’12). IEEE Computer Society, Washington
Hu H, Chua ZL, Adrian S, Saxena P, Liang Z (2015) Automatic generation of data-oriented exploits. In: Proceedings of the 24th USENIX Security Symposium (Security ’15). USENIX Association, San Diego
Hu H, Shinde S, Adrian S, Chua ZL, Saxena P, Liang Z (2016) Data-oriented programming: On the expressiveness of non-control data attacks. In: IEEE Symposium on Security and Privacy (Oakland ’16). IEEE Computer Society, Washington
Keromytis AD, Pappas V, Polychronakis M (2012) Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In: IEEE Symposium on Security and Privacy (Oakland ’12). IEEE Computer Society, Washington
Kil C, Jim J, Bookholt C, Xu J, Ning P (2006) Address space layout permutation (aslp): Towards fine-grained randomization of commodity software. In: Annual Computer Security Applications Conference (ACSAC ’06). IEEE, Miami Beach
Kuleshov V, Precup D (2014) Algorithms for multi-armed bandit problems. In: Proceedings of the seventeenth annual ACM-SIAM symposium on Discrete algorithm, Society for Industrial and Applied Mathematics Philadelphia, PA, USA. pp 928–936. CVE-2014-0160 (2014) https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160
Lai TL, Robbins H (1985) Asymptotically efficient adaptive allocation rules. Adv Appl Math 6(1):4–22
Lin Z, Riley RD, Xu D (2009) Polymorphing software by randomizing data structure layout. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA ’09). Springer-Verlag, Berlin
Litchfield D (2003) Defeating the stack based buffer overflow prevention mechanism of microsoft windows 2003 server. https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-litchfield.pdf
Lu K, Nurnberger S, Backes M, Lee W (2016) How to make aslr win the clone wars: Runtime re-randomization. In: Proceedings of the 2016 Network and Distributed System Security Symposium (NDSS ’16). NDSS Symposium, San Diego
Microsoft (2008) A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2. http://support.microsoft.com/kb/
OWASP (2009) Format string. https://www.owasp.org/index.php/Format_string_attack
Paleari R, Roglia GF, Martignoni L (2009) Surgically returning to randomized lib(c). In: Annual Computer Security Applications Conference (ACSAC ’09). ACM, New York
Seibert J, Okhravi H, Söderström E (2014) Information leaks without memory disclosures: remote side channel attacks on diversified code. In: ACM Conference on Computer and Communications Security (CCS ’14). ACM, New York
Shacham H, Page M, Pfaff B, Goh E-J, Modadugu N, Boneh D (2004) On the effectiveness of address-space randomization. In: ACM Conference on Computer and Communications Security (CCS ’04). ACM, New York
Snow KZ, Monrose F, Davi L, Dmitrienko A, Liebchen C, Sadeghi A-R (2013) Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In: IEEE Symposium on Security and Privacy (Oakland ’13). IEEE, Berkeley
Song C, Lee B, Lu K, Harris WR, Kim T, Lee W (2016) Enforcing kernel security invariants with data flow integrity. In: Proceedings of the 2016 Network and Distributed System Security Symposium (NDSS ’16). NDSS Symposium, San Diego
Song C, Moon H, Alam M, Yun I, Lee B, Kim T, Lee W, Paek Y (2016) Hdfi: Hardware-assisted data-flow isolation. In: Proceedings of IEEE Symposium on Security and Privacy (Oakland ’16). NDSS Symposium, San Diego
Stanley DM, Xu D, Spafford EH (2013) Improved kernel security through memory layout randomization. In: International Performance Computing and Communications Conference (IPCCC ’13). IEEE, San Diego
Team C (2009) Exploit writing tutorial part 6 : Bypassing stack cookies, safeseh, sehop, hw dep and aslr. https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
The PaX Team (2003a) PaX non-executable pages design & implementation. http://pax.grsecurity.net/docs/noexec.txt
The PaX Team (2003b) Pax address space layout randomization (ASLR). http://pax.grsecurity.net/docs/aslr.txt
Wartell R, Mohan V, Hamlen K, Lin Z (2012) Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code. In: ACM Conference on Computer and Communications Security (CCS ’12). ACM, New York
Xin Z, Chen H, Han H, Mao B, Xie L (2010) Misleading malware similarities analysis by automatic data structure obfuscation. In: International Conference on Information Security (ISC ’10). Springer-Verlag, Berlin
Zhang Y, Juels A, Reiter MK, Ristenpart T (2012) Cross-vm side channels and their use to extract private keys. In: ACM Conference on Computer and Communications Security (CCS ’12). ACM, New York
Zhang M, Sekar R (2013) Control flow integrity for cots binaries. In: USENIX Conference on Security (Security ’13). USENIX Association, San Diego
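The Discussion's point about what a per-structure canary detects and what it misses can be seen in a short C model. This is an added example, not SALADSPlus code: the `account` layout, the fixed `CANARY` constant and every function name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL   4
#define CANARY 0x5AC0FFEEu   /* constructed value; a real system would randomize it */

/* Hypothetical record: the canary sits between the buffer and the sensitive field. */
struct account {
    char     name[16];
    uint32_t canary;
    uint32_t uid;
};

static void pool_init(struct account *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        memset(&p[i], 0, sizeof p[i]);
        p[i].canary = CANARY;
        p[i].uid = 1000;
    }
}

/* Contiguous overwrite starting at name[0]; clamped so the model never leaves the object. */
static void contiguous_write(struct account *a, const unsigned char *src, size_t n) {
    if (n > sizeof *a) n = sizeof *a;
    memcpy((unsigned char *)a + offsetof(struct account, name), src, n);
}

/* Discrete write: a single store that lands only on the target field. */
static void discrete_write(struct account *a, uint32_t v) { a->uid = v; }

/* End-of-cycle scan: how many instances have a changed canary ("polluted"). */
static size_t scan_cycle(const struct account *p, size_t n) {
    size_t polluted = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i].canary != CANARY) polluted++;
    return polluted;
}

/* Two instances are overrun past name[]; a third write stays inside the buffer. */
size_t demo_contiguous(void) {
    struct account pool[POOL];
    unsigned char junk[sizeof(struct account)];
    pool_init(pool, POOL);
    memset(junk, 'A', sizeof junk);
    contiguous_write(&pool[0], junk, sizeof junk);
    contiguous_write(&pool[2], junk, sizeof junk);
    contiguous_write(&pool[3], junk, 8);
    return scan_cycle(pool, POOL);
}

/* Returns 1 when uid was changed while the scan still reports zero polluted instances. */
int demo_discrete_missed(void) {
    struct account pool[POOL];
    pool_init(pool, POOL);
    discrete_write(&pool[1], 0);
    return pool[1].uid == 0 && scan_cycle(pool, POOL) == 0;
}

int main(void) {
    printf("polluted after contiguous overwrites: %zu\n", demo_contiguous());
    printf("discrete write missed by canary scan: %d\n", demo_discrete_missed());
    return 0;
}
```

The per-cycle polluted count is the kind of signal a feedback loop can consume; the second function shows why that signal stays at zero for a discrete write.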

Journal

Cybersecurity, Springer Journals

Published: Jun 5, 2018
