From Fine Grained Code Diversity to JIT-ROP to Execute-Only Memory: The Cat and Mouse Game Between Attackers and Defenders Continues

Today's software monoculture creates asymmetric threats. An attacker needs to find only one way in, while defenders need to guard a lot of ground. Adversaries can fully debug and perfect their attacks on their own computers, exactly replicating the environment that they will later be targeting. One possible defense is software diversity, which raises the bar to attackers. A diversification engine automatically generates a large number of different versions of the same program, potentially one unique version for every computer. These all behave in exactly the same way from the perspective of the end-user, but they implement their functionality in subtly different ways. As a result, a specific attack will succeed on only a small fraction of targets and a large number of different attack vectors would be needed to take over a significant percentage of them. Because an attacker has no way of knowing a priori which specific attack will succeed on which specific target, this method also very significantly increases the cost of attacks directed at specific targets. Unfortunately, attackers have now started assembling their attacks on the target itself, circumventing diversity. In order to prevent this, we need to make all executable code on the target platform unreadable by the attacker. We present a solution that keeps randomized executable code completely hidden from the attacker, preventing even the latest class of dynamically assembled code reuse attacks ('JIT-ROP'). We will also report on a set of new software diversity techniques that can additionally also defend against side-channel attacks by dynamically and systematically randomizing the control flow of programs. Previous software diversity techniques transform each program trace identically. Our new technique instead transforms programs to make each program trace unique. This approach offers probabilistic protection against both online and off-line side-channel attacks, including timing and cache-based attacks. In particular, we create a large number of unique program execution paths by automatically generating diversified replicas for parts of an input program. At runtime we then randomly and frequently switch between these replicas. As a consequence, no two executions of the same program are ever alike, even when the same inputs are used. Our method requires no manual effort or hardware changes, has a reasonable performance impact, and reduces side-channel information leakage significantly when applied to known attacks on AES.