35 research outputs found
Analyzing the Gadgets Towards a Metric to Measure Gadget Quality
Current low-level exploits often rely on code-reuse, whereby short sections
of code (gadgets) are chained together into a coherent exploit that can be
executed without the need to inject any code. Several protection mechanisms
attempt to eliminate this attack vector by applying code transformations to
reduce the number of available gadgets. Nevertheless, it has emerged that the
residual gadgets can still be sufficient to conduct a successful attack.
Crucially, the lack of a common metric for "gadget quality" hinders the
effective comparison of current mitigations. This work proposes four metrics
that assign scores to a set of gadgets, measuring quality, usefulness, and
practicality. We apply these metrics to binaries produced when compiling
programs for architectures implementing Intel's recent MPX CPU extensions. Our
results demonstrate a 17% increase in useful gadgets in MPX binaries, and a
decrease in side-effects and preconditions, making them better suited for ROP
attacks.Comment: International Symposium on Engineering Secure Software and Systems,
Apr 2016, London, United Kingdo
Shining Light On Shadow Stacks
Control-Flow Hijacking attacks are the dominant attack vector against C/C++
programs. Control-Flow Integrity (CFI) solutions mitigate these attacks on the
forward edge,i.e., indirect calls through function pointers and virtual calls.
Protecting the backward edge is left to stack canaries, which are easily
bypassed through information leaks. Shadow Stacks are a fully precise mechanism
for protecting backwards edges, and should be deployed with CFI mitigations. We
present a comprehensive analysis of all possible shadow stack mechanisms along
three axes: performance, compatibility, and security. For performance
comparisons we use SPEC CPU2006, while security and compatibility are
qualitatively analyzed. Based on our study, we renew calls for a shadow stack
design that leverages a dedicated register, resulting in low performance
overhead, and minimal memory overhead, but sacrifices compatibility. We present
case studies of our implementation of such a design, Shadesmar, on Phoronix and
Apache to demonstrate the feasibility of dedicating a general purpose register
to a security monitor on modern architectures, and the deployability of
Shadesmar. Our comprehensive analysis, including detailed case studies for our
novel design, allows compiler designers and practitioners to select the correct
shadow stack design for different usage scenarios.Comment: To Appear in IEEE Security and Privacy 201
Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features
An operating system is an essential piece of software that manages hardware and software resources. Thus, attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we propose Kernel Rootkits Guard (KRGuard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using the hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits that involve new branches in the system call handler processing with small overhead
An Improved Method on Static Binary Analysis to Enhance the Context-Sensitive CFI
Control Flow Integrity (CFI) is one of the most
promising technique to defend Code-Reuse Attacks (CRAs).
Traditional CFI Systems and recent Context-Sensitive CFI use coarse
control flow graphs (CFGs) to analyze whether the control flow
hijack occurs, left vast space for attackers at indirect call-sites. Coarse
CFGs make it difficult to decide which target to execute at indirect
control-flow transfers, and weaken the existing CFI systems actually.
It is an unsolved problem to extract CFGs precisely and perfectly
from binaries now. In this paper, we present an algorithm to get a
more precise CFG from binaries. Parameters are analyzed at indirect
call-sites and functions firstly. By comparing counts of parameters
prepared before call-sites and consumed by functions, targets of
indirect calls are reduced. Then the control flow would be more
constrained at indirect call-sites in runtime. Combined with CCFI,
we implement our policy. Experimental results on some popular
programs show that our approach is efficient. Further analysis show
that it can mitigate COOP and other advanced attacks