From Fine Grained Code Diversity to JIT-ROP to Execute-Only Memory: The Cat and Mouse Game Between Attackers and Defenders Continues

M. Franz
DOI: 10.1145/2808475.2808488
Venue: Proceedings of the Second ACM Workshop on Moving Target Defense
Published: 2015-10-12
Citations: 3

Abstract

Today's software monoculture creates asymmetric threats. An attacker needs to find only one way in, while defenders need to guard a lot of ground. Adversaries can fully debug and perfect their attacks on their own computers, exactly replicating the environment that they will later be targeting. One possible defense is software diversity, which raises the bar for attackers. A diversification engine automatically generates a large number of different versions of the same program, potentially one unique version for every computer. These all behave in exactly the same way from the perspective of the end user, but they implement their functionality in subtly different ways. As a result, a specific attack will succeed on only a small fraction of targets, and a large number of different attack vectors would be needed to take over a significant percentage of them. Because an attacker has no way of knowing a priori which specific attack will succeed on which specific target, this method also significantly increases the cost of attacks directed at specific targets.

Unfortunately, attackers have now started assembling their attacks on the target itself, circumventing diversity. To prevent this, we need to make all executable code on the target platform unreadable by the attacker. We present a solution that keeps randomized executable code completely hidden from the attacker, preventing even the latest class of dynamically assembled code reuse attacks ("JIT-ROP").

We will also report on a set of new software diversity techniques that can also defend against side-channel attacks by dynamically and systematically randomizing the control flow of programs. Previous software diversity techniques transform each program trace identically. Our new technique instead transforms programs to make each program trace unique. This approach offers probabilistic protection against both online and offline side-channel attacks, including timing and cache-based attacks.
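The disclosure step that execute-only memory is meant to break, as an added example that is not part of the paper or the author's implementation: a JIT-ROP attacker reads the code pages of the running, already-randomized process and harvests gadgets from what it finds, so fine-grained diversity alone does not help once the code is readable. The C program below, written for this page, plants a constructed x86-64 byte sequence (never executed) in an anonymous page, scans it for `ret` bytes the way a gadget finder would, and repeats the scan after the page has been made unreadable. `PROT_NONE` stands in for an execute-only mapping, which needs hardware or kernel support the demo does not assume; the fault trap stands in for the memory-disclosure primitive a real attacker would use, since the attacker does not get to read from inside the victim with plain loads. Function and variable names are this example's own.

```c
/* Added example: JIT-ROP-style gadget discovery needs readable code pages.
   Build: cc -O1 -o xo_demo xo_demo.c  (POSIX: Linux or macOS). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Read one byte through a fault trap. Returns 0 and stores the byte, or -1
   if the access raised SIGSEGV/SIGBUS (page not readable). */
static int probe_read(const volatile uint8_t *p, uint8_t *out) {
    struct sigaction sa, old_segv, old_bus;
    volatile int ok = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_env, 1) == 0) {
        *out = *p;            /* faults here if the page lacks PROT_READ */
        ok = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ok ? 0 : -1;
}

/* The disclosure step of JIT-ROP: read the bytes of a code region and
   collect every address holding 0xC3 (x86-64 `ret`) as a gadget endpoint.
   Returns the candidate count, or -1 if the region cannot be read. */
static long scan_ret_gadgets(const uint8_t *code, size_t len,
                             const uint8_t **gadgets, size_t max) {
    long found = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t b;
        if (probe_read(code + i, &b) != 0) return -1;
        if (b == 0xC3) {
            if ((size_t)found < max) gadgets[found] = code + i;
            found++;
        }
    }
    return found;
}

/* Constructed x86-64 bytes standing in for a text region. They are copied
   into the page as data and are never executed. Four `ret` bytes in total. */
static const uint8_t kFakeCode[] = {
    0x58, 0xC3,              /* pop rax ; ret */
    0x5F, 0xC3,              /* pop rdi ; ret */
    0x48, 0x89, 0xC7, 0xC3,  /* mov rdi, rax ; ret */
    0x0F, 0x05, 0xC3,        /* syscall ; ret */
    0x90, 0x90, 0xEB, 0xFE,  /* nop ; nop ; jmp $ */
};

/* Scan the same page under two permission models: readable (the RX text
   JIT-ROP relies on) and unreadable (PROT_NONE, standing in for execute-only
   memory). Returns 0 on success and fills both gadget counts. */
int jitrop_demo(long *readable_count, long *unreadable_count) {
    size_t psz = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *page = mmap(NULL, psz, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, kFakeCode, sizeof kFakeCode);
    const uint8_t *gadgets[16];

    if (mprotect(page, psz, PROT_READ) != 0) return -1;
    *readable_count = scan_ret_gadgets(page, sizeof kFakeCode, gadgets, 16);

    if (mprotect(page, psz, PROT_NONE) != 0) return -1;
    *unreadable_count = scan_ret_gadgets(page, sizeof kFakeCode, gadgets, 16);

    munmap(page, psz);
    return 0;
}

/* Accessors for the two counts (-2 if the demo could not set up its page). */
long gadgets_when_readable(void)   { long r = 0, u = 0; return jitrop_demo(&r, &u) == 0 ? r : -2; }
long gadgets_when_unreadable(void) { long r = 0, u = 0; return jitrop_demo(&r, &u) == 0 ? u : -2; }

int main(void) {
    printf("readable code page : %ld ret-gadget candidates\n", gadgets_when_readable());
    printf("unreadable page    : %ld (scan aborted on first read)\n", gadgets_when_unreadable());
    return 0;
}
```

The scan stops at the first faulting byte, which is the whole point: with the code hidden, the attacker never learns where the randomized gadgets ended up, so the on-target assembly step that defeats static diversity has nothing to work from. A real execute-only deployment also has to cover every code region the process can reach (JIT caches, shared libraries, the loader), since one readable page is enough to restart the harvest.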
For the side-channel defense, we create a large number of unique program execution paths by automatically generating diversified replicas for parts of an input program, and at runtime we randomly and frequently switch between these replicas. As a consequence, no two executions of the same program are ever alike, even when the same inputs are used. Our method requires no manual effort or hardware changes, has a reasonable performance impact, and significantly reduces side-channel information leakage when applied to known attacks on AES.
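The replica-switching idea described above, as an added example rather than the authors' diversification engine: one table-lookup routine is given three semantically identical replicas whose memory-access patterns differ, and every call picks one of them at random, so two runs over the same inputs produce the same outputs but different execution traces. The table is a constructed 256-entry bijection, not the AES S-box, and the seeded xorshift generator exists only to make the demo reproducible; a deployed switcher would take its choices from the OS CSPRNG. All names in the block are this example's own.

```c
/* Added example: one routine, three diversified replicas, a random pick per
   call. Build: cc -O1 -o replicas replicas.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 256-entry bijection standing in for a cipher S-box (not the AES
   S-box): T[x] = 167*x + 31 mod 256. T_rot is the same table stored rotated by
   64 entries, so the same input lands on a different cache line. */
static uint8_t T[256], T_rot[256];
static int tables_ready;

static void init_tables(void) {
    if (tables_ready) return;
    for (int i = 0; i < 256; i++) T[i] = (uint8_t)(167 * i + 31);
    for (int i = 0; i < 256; i++) T_rot[i] = T[(i + 64) & 255];
    tables_ready = 1;
}

/* Replica 0: the usual lookup; which line is touched depends on x. */
static uint8_t replica_direct(uint8_t x) { init_tables(); return T[x]; }

/* Replica 1: same value via the rotated copy; for a given x a different line
   is touched, so a probe tuned to replica 0's layout does not carry over. */
static uint8_t replica_rotated(uint8_t x) {
    init_tables();
    return T_rot[(uint8_t)(x - 64)];
}

/* Replica 2: touch every entry and keep the match with a mask; the access
   pattern no longer depends on x at all (and it is the slowest replica). */
static uint8_t replica_scan(uint8_t x) {
    init_tables();
    uint8_t out = 0;
    for (unsigned i = 0; i < 256; i++) {
        uint8_t m = (uint8_t)(((i ^ x) - 1u) >> 8);  /* 0xFF iff i == x */
        out |= (uint8_t)(T[i] & m);
    }
    return out;
}

typedef uint8_t (*sbox_fn)(uint8_t);
static const sbox_fn replicas[] = { replica_direct, replica_rotated, replica_scan };
#define N_REPLICAS (sizeof replicas / sizeof replicas[0])

/* xorshift64*, seeded so the demo is reproducible. A deployed switcher would
   draw from the OS CSPRNG instead of a fixed seed. */
typedef struct { uint64_t s; } rng_t;
static uint64_t rng_next(rng_t *r) {
    uint64_t x = r->s ? r->s : 0x9E3779B97F4A7C15ULL;  /* state must not be 0 */
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    r->s = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* One diversified call: pick a replica for this invocation only, record the
   choice in the trace, return the value (which does not depend on the pick). */
static uint8_t diversified_sbox(rng_t *rng, uint8_t x, uint8_t *trace_slot) {
    unsigned k = (unsigned)(rng_next(rng) % N_REPLICAS);
    *trace_slot = (uint8_t)k;
    return replicas[k](x);
}

/* 1 if every replica agrees with the reference table on all 256 inputs. */
int replicas_equivalent(void) {
    init_tables();
    for (unsigned x = 0; x < 256; x++)
        for (size_t k = 0; k < N_REPLICAS; k++)
            if (replicas[k]((uint8_t)x) != T[x]) return 0;
    return 1;
}

typedef struct {
    int outputs_equal;   /* 1 if run A and run B produced identical outputs */
    int trace_diffs;     /* positions where the two replica traces differ */
    unsigned hist[3];    /* how often each replica ran in run A */
} demo_result;

/* Push the same constructed input stream through two seeded runs. */
demo_result run_demo(uint64_t seed_a, uint64_t seed_b, size_t n) {
    rng_t ra = { seed_a }, rb = { seed_b };
    demo_result res = { 1, 0, { 0, 0, 0 } };
    for (size_t i = 0; i < n; i++) {
        uint8_t x = (uint8_t)(i * 37 + 11);
        uint8_t ta, tb;
        uint8_t ya = diversified_sbox(&ra, x, &ta);
        uint8_t yb = diversified_sbox(&rb, x, &tb);
        if (ya != yb) res.outputs_equal = 0;
        if (ta != tb) res.trace_diffs++;
        res.hist[ta]++;
    }
    return res;
}

int main(void) {
    demo_result r = run_demo(1, 2, 300);
    printf("replicas equivalent: %d\n", replicas_equivalent());
    printf("outputs equal across runs: %d, differing trace positions: %d/300\n",
           r.outputs_equal, r.trace_diffs);
    printf("run A usage: direct=%u rotated=%u scan=%u\n", r.hist[0], r.hist[1], r.hist[2]);
    return 0;
}
```

The protection is probabilistic in the sense the abstract uses: an attacker who averages many measurements still sees the leakage of whichever replicas ran, but a profile built against one layout no longer predicts the next invocation, and the fraction of calls that go through the x-independent replica leaks nothing at all. The trade-off is visible in the code too: the replica that leaks least is the most expensive, so the mix of replicas is where the "reasonable performance impact" of the abstract is decided.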