Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software

Author(s): Chongkyung Kil, Jinsuk Jun, Christopher Bookholt, Jun Xu, Peng Ning

2017, Vol 29 (6), pp. 163-182
Author(s): A. R. Nurmukhametov, E. A. Zhabotinskiy, Sh. F. Kurmangaleev, S. S. Gaissaryan, A. V. Vishnyakov

2018, Vol 44 (5), pp. 363-370
Author(s): A. R. Nurmukhametov, E. A. Zhabotinskiy, Sh. F. Kurmangaleev, S. S. Gaissaryan, A. V. Vishnyakov

2021, Vol 7 (1), pp. 26
Author(s): Raquel Vázquez Díaz, Martiño Rivera-Dourado, Rubén Pérez-Jove, Pilar Vila Avendaño, José M. Vázquez-Naya

Memory management is one of the main tasks of an Operating System, where the data of each process running in the system is kept. In this context, there exist several types of attacks that exploit memory-related vulnerabilities, forcing Operating Systems to feature memory protection techniques that make them difficult to exploit. One of these techniques is ASLR, whose function is to introduce randomness into the virtual address space of a process. The goal of this work was to measure, analyze and compare the behavior of ASLR on the 64-bit versions of Windows 10 and Ubuntu 18.04 LTS. The results have shown that the implementation of ASLR has improved significantly on these two Operating Systems compared to previous versions. However, there are aspects, such as partial correlations or a frequency distribution that is not always uniform, so it can still be improved.


2013, Vol 765-767, pp. 871-878
Author(s): Liang Xiao, Xun Zhan, Tao Zheng

ROP (Return-Oriented Programming) is a kind of attack technique which makes use of the existing binary code of target systems. ASLR (Address Space Layout Randomization) is widely used to protect systems from buffer-overflow attacks by introducing artificial diversity to software. With ASLR, software can be immune from ROP attacks to some extent. Due to the fact that ASLR can't randomize base addresses of executables' code segments and its utility on 32-bit architectures is limited by the number of bits available for address randomization, attackers can successfully exploit a target system by using brute force in limited time. Thus, we proposed FLR, a function level randomization technique to mitigate ROP attacks. FLR randomly permutes functions in executables, making attackers' assumptions on executables incorrect. We implemented a prototype of FLR and randomized ten executables. ROP attacks succeeded without FLR and failed with FLR.


2020, Vol 28 (5), pp. 499-523
Author(s): Xusheng Li, Zhisheng Hu, Haizhou Wang, Yiwei Fu, Ping Chen, ...

Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code to perform arbitrary operations on target machines. Existing detection methods against ROP exhibit unsatisfactory detection accuracy and/or have high runtime overhead. In this paper, we present DeepReturn, which innovatively combines address space layout guided disassembly and deep neural networks to detect ROP payloads. The disassembler treats application input data as code pointers and aims to find any potential gadget chains, which are then classified by a deep neural network as benign or malicious. Our experiments show that DeepReturn has a high detection rate (99.3%) and a very low false positive rate (0.01%). DeepReturn successfully detects all of the 100 real-world ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools. DeepReturn is non-intrusive and does not incur any runtime overhead to the protected program.


2009, Vol 17 (3), pp. 331-362
Author(s): Haizhi Xu, Steve J. Chapin
