Position-Independent Code Reuse:On the Effectiveness of ASLR in the Absence of Information Disclosure

Address-space layout randomization is a wellestablished defense against code-reuse attacks. However, it can be completely bypassed by just-in-time code-reuse attacks that rely on information disclosure of code addresses via memory or side-channel exposure. To address this fundamental weakness, much recent research has focused on detecting and mitigating information disclosure. The assumption being that if we perfect such techniques, we will not only maintain layout secrecy but also stop code reuse. In this paper, we demonstrate that an advanced attacker can mount practical code-reuse attacks even in the complete absence of information disclosure. To this end, we present Position-Independent Code-Reuse Attacks, a new class of codereuse attacks relying on the relative rather than absolute location of code gadgets in memory. By means of memory massaging, the attacker first makes the victim program generate a rudimentary ROP payload (for instance, containing code pointers that target instructions 'close' to relevant gadgets). Afterwards, the addresses in this payload are patched with small offsets via relative memory writes. To establish the practicality of such attacks, we present multiple Position-Independent ROP exploits against real-world software. After showing that we can bypass ASLR in current systems without requiring information disclosures, we evaluate the impact of our technique on other defenses, such as fine-grained ASLR, multi-variant execution, execute-only memory and re-randomization. We conclude by discussing potential mitigations

VPS: Excavating high-level C++ constructs from low-level binaries to protect dynamic dispatching

Polymorphism and inheritance make C++ suitable for writing complex software, but significantly increase the attack surface because the implementation relies on virtual function tables (vtables). These vtables contain function pointers that attackers can potentially hijack and in practice, vtable hijacking is one of the most important attack vector for C++ binaries. In this paper, we present VTable Pointer Separation (vps), a practical binary-level defense against vtable hijacking in C++ applications. Unlike previous binary-level defenses, which rely on unsound static analyses to match classes to virtual callsites, vps achieves a more accurate protection by restricting virtual callsites to validly created objects. More specifically, vps ensures that virtual callsites can only use objects created at valid object construction sites, and only if those objects can reach the callsite. Moreover, vps explicitly prevents false positives (falsely identified virtual callsites) from breaking the binary, an issue existing work does not handle correctly or at all. We evaluate the prototype implementation of vps on a diverse set of complex, real-world applications (MongoDB, MySQL server, Node.js, SPEC CPU2017/CPU2006), showing that our approach protects on average 97.8% of all virtual callsites in SPEC CPU2006 and 97.4% in SPEC CPU2017 (all C++ benchmarks), with a moderate performance overhead of 11% and 9% geomean, respectively. Furthermore, our evaluation reveals 86 false negatives in VTV, a popular source-based defense which is part of GCC

Towards Automated Discovery of Crash-Resistant Primitives in Binary Executables

Many modern defenses rely on address space layout randomization (ASLR) to efficiently hide security-sensitive metadata in the address space. Absent implementation flaws, an attacker can only bypass such defenses by repeatedly probing the address space for mapped (security-sensitive) regions, incurring a noisy application crash on any wrong guess. Recent work shows that modern applications contain idioms that allow the construction of crash-resistant code primitives, allowing an attacker to efficiently probe the address space without causing any visible crash. In this paper, we classify different crash-resistant primitives and show that this problem is much more prominent than previously assumed. More specifically, we show that rather than relying on labor-intensive source code inspection to find a few 'hidden' application-specific primitives, an attacker can find such primitives semi-automatically, on many classes of real-world programs, at the binary level. To support our claims, we develop methods to locate such primitives in real-world binaries. We successfully identified 29 new potential primitives and constructed proof-of-concept exploits for four of them

Anatomical characterization of vagal nodose afferent innervation and ending morphologies at the murine heart using a transgenic approach

Heart is an extensively innervated organ and its function is strictly coordinated by autonomic neural circuits. After pathological events such as myocardial infarction (MI), cardiac nerves undergo a structural and functional remodeling contributing to cardiac dysfunction. Although the efferent component of the cardiac nerves has been well described, sensory innervation of the heart has not been defined in detail. Considering its importance, comprehensive description of vagal afferent innervation on the whole heart would enable a better description of autonomic imbalances manifesting as sympathoexcitation and vagal withdrawal in post-ischemic states. To address this issue, we globally mapped the vagal nodose afferent fibers innervating the whole murine heart with unprecedented resolution. By using the Phox2b-Cre::tdTomato transgenic mouse line, we described the detailed distribution and distinct vagal sensory ending morphologies at both the dorsal and ventral sides of the mouse heart. By neural tracing analysis, we quantitated the distribution and prevalence of vagal afferent nerve fibers with varying diameters across dorsal and ventral surfaces of the heart. Moreover, we demonstrated that vagal afferents formed flower spray and end-net-like endings within the atria and ventricles. As distinct from the atria, vagal afferents formed intramuscular array-like endings within the ventricles. Furthermore, we showed that vagal afferents undergo structural remodeling by forming axonal sprouts around the infarct area in post-MI hearts. These findings improve our understanding of the potential effect of vagal afferent remodeling on autonomic imbalance and generation of cardiac arrhythmias and could prospectively contribute to the development of more effective neuromodulatory therapies

A Tough Call: Mitigating Advanced Code-Reuse Attacks at the Binary Level

Current binary-level Control-Flow Integrity (CFI) techniques are weak in determining the set of valid targets for indirect control flow transfers on the forward edge. In particular, the lack of source code forces existing techniques to resort to a conservative address-taken policy that overapproximates this set. In contrast, source-level solutions can accurately infer the targets of indirect calls and thus detect malicious control-flow transfers more precisely. Given that source code is not always available, however, offering similar quality of protection at the binary level is important, but, unquestionably, more challenging than ever: recent work demonstrates powerful attacks such as Counterfeit Object-oriented Programming (COOP), which made the community believe that protecting software against control-flow diversion attacks at the binary level is rather impossible. In this paper, we propose binary-level analysis techniques to significantly reduce the number of possible targets for indirect branches. More specifically, we reconstruct a conservative approximation of target function prototypes by means of use-def analysis at possible callees. We then couple this with liveness analysis at each indirect callsite to derive a many-to-many relationship between callsites and target callees with a much higher precision compared to prior binary-level solutions. Experimental results on popular server programs and on SPEC CPU2006 show that TypeArmor, a prototype implementation of our approach, is efficient - with a runtime overhead of less than 3%. Furthermore, we evaluate to what extent TypeArmor can mitigate COOP and other advanced attacks and show that our approach can significantly reduce the number of targets on the forward edge. Moreover, we show that TypeArmor breaks published COOP exploits, providing concrete evidence that strict binary-level CFI can still mitigate advanced attacks, despite the absence of source information or C++ semantics