Code-reuse attacks are the leading mechanism by which attackers infiltrate systems. Various mitigation techniques have been proposed to defend against these attacks, the most prominent one being control-flow integrity (CFI). CFI is a principled approach that restricts all indirect control flows to adhere to a statically determined control-flow graph (CFG). CFI has gained widespread adoption in industry -- such as Microsoft Control Flow Guard and Intel Control-flow Enforcement Technology. However, recent attacks dubbed CFG mimicry attacks, like control flow bending and counterfeit object-oriented programming, have shown that code-reuse attacks are still possible without violating CFI. Furthermore, data-oriented programming (DOP) has generalized non-control data attacks to achieve Turing-complete computation; it accomplishes this by repeatedly corrupting non-control data to execute a sequence of instructions within the legitimate control flow of the program. In this dissertation, we present techniques to mitigate these advanced code-reuse attacks.
First, this dissertation presents a novel approach to thwart advanced control flow attacks called ProxyCFI. ProxyCFI replaces all code pointers in a program with a less powerful construct: pointer proxies. Pointer proxies are random identifiers associated with each legitimate control flow edge in the program. Pointer proxy values are defined per-function and are re-randomized at program load time to mitigate their disclosure. To ensure that the approach covers the entire control flow of the program, we have a load-time verifier built-in the program loader that performs reachability analyses of the code and verify that there is no vulnerable control flow transfer. ProxyCFI delivers these protections incurring minimal performance overhead, while stopping a broad range of real-world attacks and achieving a 100% coverage of the RIPE x86-64 attack suite.
Second, this dissertation evaluates the effectiveness of previously proposed stack layout randomization techniques against attacks that only utilize relative offset between allocations (e.g., data-oriented programming) and demonstrate that they are ineffective at stopping real-world DOP exploits. We then propose Smokestack, a runtime stack-layout randomization technique that addresses the problems with prior approaches. Smokestack instruments programs to randomize their stack layout at runtime for each invocation of a function. By doing so, Smokestack minimizes the utility of information gained in the probes of chained DOP attacks for later attack stages. Our evaluation on SPEC benchmarks and various real-world applications shows that Smokestack, with a cryptographically secure pseudo random generator, can stop DOP attacks with an average slowdown of 8.7%.
Lastly, we present a technique to randomize heap allocations at runtime to prevent attackers from orchestrating advanced control flow attacks as well as DOP attacks through heap-resident variables. To this end, we explored the use of multi-variant execution (MVX) with each variant having uniquely seeded random heap allocators. This capability enables our system to automatically track heap allocation pointers without the need for storing explicit meta-data. We then re-randomize heap allocations to thwart attacks that perform runtime probes to discover allocations. This technique will provide modular heap allocation protection while maintaining compatibility with legacy binaries.
In all, this thesis presents novel techniques that carve out a new space in advanced code-reuse attack protections, offering a protection strength as good or better than prior solutions. These techniques provide additional protections for advanced control flow attacks and DOP attacks, while incurring minimal performance overheads.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/155142/1/misiker_1.pd
