Rest in Protection - A Kernel-level Approach to Mitigate RIP Tampering

Vincent Haupert, Tilo Müller

2017

Abstract

We present RIProtection (Rest In Protection), a novel Linux kernel-based approach that mitigates the tampering of return instruction pointers. RIProtection uses single stepping on branches for instruction-level monitoring to guarantee the integrity of the ret-based control-flow of user-mode programs. Our modular design of RIProtection allows an easy adoption of several security approaches relying on instruction-level monitoring. For this paper, we implemented two exclusive approaches to protect RIPs: XOR-based encryption as well as a shadow stack. Both approaches provide reliable protection of RIPs, while the shadow stack additionally prevents return-oriented programming and withstands information leakages of the user-mode stack. While the performance of RIProtection is a severe drawback, its compatibility with regard to hardware and software requirements is outstanding because it supports virtually all 64-bit programs without recompilation or binary rewriting.
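The following C model is an added illustration, not code from the paper: it shows how the two protection modes the abstract names behave when a single-stepping monitor observes a CALL and then a tampered RET on a simulated user-mode stack, including the information-leak case the abstract credits only the shadow stack with surviving. The shadow depth, XOR key, return-site and .text addresses are constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the paper's two RIP protection modes applied to a
 * simulated user-mode stack; not the paper's kernel code. Depth, key and
 * the .text range are assumptions chosen for illustration. */
#define SHADOW_DEPTH 64
#define TEXT_LO  0x400000ULL
#define TEXT_HI  0x402000ULL
#define RET_SITE 0x401100ULL   /* legitimate return address pushed by CALL */
#define FORGED   0x401800ULL   /* in-text address a tampered slot points to */

typedef struct {
    uint64_t shadow[SHADOW_DEPTH]; /* kernel-held copies of pushed RIPs */
    size_t sp;
    uint64_t key;                  /* per-process XOR key, never on the user stack */
} monitor_t;

/* Trapped CALL: *slot is the return address the CPU just pushed. */
static void call_shadow(monitor_t *m, const uint64_t *slot) {
    if (m->sp < SHADOW_DEPTH) m->shadow[m->sp++] = *slot;
}
static void call_xor(monitor_t *m, uint64_t *slot) { *slot ^= m->key; }

/* Trapped RET: *slot is what the CPU is about to load into RIP. Shadow mode
 * allows the return only if it matches the kernel's recorded value. */
static bool ret_shadow(monitor_t *m, const uint64_t *slot) {
    return m->sp > 0 && m->shadow[--m->sp] == *slot;
}
/* XOR mode decrypts in place; a slot rewritten without the key decrypts to
 * a garbage address, rejected here because it leaves the code range. */
static bool ret_xor(monitor_t *m, uint64_t *slot) {
    *slot ^= m->key;
    return *slot >= TEXT_LO && *slot < TEXT_HI;
}
/* One CALL seen by both modes, then a tampered RET. With known_key the forged
 * slot is encrypted with the key recovered from a disclosed slot of known
 * plaintext (leaked ^ RET_SITE). Bit 0: shadow accepted, bit 1: XOR accepted. */
static unsigned tampered_return(bool known_key) {
    monitor_t m = { .key = 0x9e3779b97f4a7c15ULL };
    uint64_t s_sh = RET_SITE, s_x = RET_SITE;
    call_shadow(&m, &s_sh);
    call_xor(&m, &s_x);
    uint64_t k = known_key ? (s_x ^ RET_SITE) : 0;  /* 0: no key knowledge */
    s_sh = FORGED;
    s_x = FORGED ^ k;
    return (ret_shadow(&m, &s_sh) ? 1u : 0u) | (ret_xor(&m, &s_x) ? 2u : 0u);
}
unsigned blind_overwrite(void) { return tampered_return(false); } /* -> 0 */
unsigned stack_leak(void)      { return tampered_return(true); }  /* -> 2 */
```

blind_overwrite() returns 0 because both modes reject a slot rewritten without the key; stack_leak() returns 2 because a key recovered from one disclosed slot of the user stack defeats XOR mode, while the shadow copy held in the kernel still rejects the forged return.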

Paper Citation

in Harvard Style

Haupert V. and Müller T. (2017). Rest in Protection - A Kernel-level Approach to Mitigate RIP Tampering. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 25-37. DOI: 10.5220/0006083800250037

in Bibtex Style

@conference{icissp17,
author={Vincent Haupert and Tilo Müller},
title={Rest in Protection - A Kernel-level Approach to Mitigate RIP Tampering},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={25-37},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006083800250037},
isbn={978-989-758-209-7},
}

in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Rest in Protection - A Kernel-level Approach to Mitigate RIP Tampering
SN - 978-989-758-209-7
AU - Haupert V.
AU - Müller T.
PY - 2017
SP - 25
EP - 37
DO - 10.5220/0006083800250037