Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits

Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar

Stony Brook University Department of Computer Science

USENIX Security Symposium, 2003Tracy WagnerCDA 6938 March 22, 2007

Outline

Introduction Attack Goals and Methods Address Obfuscation

Transformations Implementation Concerns Effectiveness Performance Conclusion Strengths/Weaknesses/Future

Work

Introduction

Exploits of memory programming errors Stack smashing Integer overflow Heap overflow Double-free vulnerability

C/C++ low level control Require precise knowledge of

victim program

Introduction

Address Obfuscation Make relative or absolute addresses

of program code and data impossible to predict

On execution, virtual addresses are randomized

Exploits become non-deterministic Effective against large-scale attacks

Randomization strategies for both data and code locations

Attack Goals

Cause the target program to execute attack code

Attack Code Injected Code – provided by

attacker Existing Code – already part of

program

How Do We Attack?

Direct Change Control Flow of Program –

change a code pointer Return address – stack Function pointers – stack, heap, static

area Global offset table (GOT)

Indirect Change Security-Critical Data used in

the course of execution Arguments to system calls Variables holding sensitive data

How Do We Attack? Address-Dependent Attacks

Can corrupt code-pointer or data-pointer

Overwrite pointer value with the absolute address of attacker-defined data or code

Relative Address-Dependent Attacks Corrupts non-pointer data Need to know relative distance between

buffer and location of item to corrupt

Address Obfuscation Goal is to Randomize:

Absolute locations of all code and data Relative distances between data items

Transformations Randomize Base Addresses of Memory

Regions Permute the Order of

Variables/Routines Introduce Random Gaps Between

Objects

Base Address Randomization Changing the base addresses of

code and data by a random amount

Over a large range (1 – 100 million) results in highly unpredictable virtual addresses

Does not increase the physical memory requirements

Some virtual address space becomes unusable

Base Address Randomization Base address of stack

All stack addresses randomized Subtract a large random value from

stack pointer

Base address of heap Randomizes absolute locations of

data Allocate a large block of random

size

Base Address Randomization Starting address of DLLs

Randomize location of all code and static data

Prevents existing code attacks, static data corruption

Locations of routines and static data Randomize all functions and associated

static data in the executable Similar to DLL randomization

Variable/Routine Permutations Three possible transformations

Order of local variables in stack frame

Order of static variables Order of routines in shared libraries

or in executable Defends against relative distance

exploits Difficult to predict distances

Random Gaps Between Objects When relative order of objects

cannot be changed

Add random padding: Stack frames Between malloc requests Variables in static area Gaps within routines (add jump

instructions)

Implementation - Timing

Performing Transformations Compile-time, link-time,

installation-time, load-time Higher performance when closer

to compile-time Delaying transformations:

Can apply to third party software System tools not modified

Implementation - Timing

Determining Randomization Amounts Transformation time Beginning of program execution Continuously, during execution

Continuously is most secure Performance or compatibility

issues may force other choices Transformation time – necessary

to re-transform code periodically

Effectiveness Not foolproof, but will increase work Defends against attacks which

involve overwriting a single value without ability to read memory contents

Can be defeated in specific instances Program allows reading of memory

contents Double pointer attack Partial overwrite attack

Performance

Static relocation at link-time (1) Dynamic relocation at load-time

(2) Transformations

Relocate base of stack, heap, and code regions

Introduce random gaps within stack frames for each routine, at the end of each malloc-requested block

Performance Static relocation at link-time

essentially no runtime overhead Dynamic relocation at load-time has

noticeable overhead but provides broad protection for DLL distribution

Conclusion

Addresses root cause of buffer overflow exploits Predictable location of data

Generic mechanism providing wide range of applications

Causes attacker to start from scratch for each system attack

Slows the spread of self-replicating attacks

Strengths

Developed and analyzed range of transformations that can be implemented with low runtime overheads

Permits randomization of variable and routine locations

Protects against a wide range of attacks

Easily applied to existing code, selective applications

Weaknesses Transformation time randomizations

introduce opportunity for local attacker

Adding jump instructions to skip over inserted gaps within routines would provide more information to attacker

Programs have to be periodically re-obfuscated because some randomizations have been fixed at transformation times

Vulnerable to some specially crafted attacks in current implementation

Future Work Further implementation of

described transformations Improve randomization at binary

level Tool to work with existing binaries Add information section to binary

Move towards randomizing at start of program execution and continuously changing during execution to avoid necessity of re-obfuscation