Defeating Zombie Gadgets by Re-randomizing Code upon Disclosure
| Published in | Engineering Secure Software and Systems, Vol. 10379, pp. 143-160 |
|---|---|
| Format | Book Chapter |
| Language | English |
| Published | Springer International Publishing AG, Switzerland, 01.01.2017 |
| Series | Lecture Notes in Computer Science |
| ISBN | 3319621041, 9783319621043 |
| ISSN | 0302-9743, 1611-3349 |
| DOI | 10.1007/978-3-319-62105-0_10 |
Summary: Over the past few years, return-oriented programming (ROP) attacks have emerged as a prominent strategy for hijacking control of software. The full power and flexibility of ROP attacks was recently demonstrated using just-in-time ROP tactics (JIT-ROP), whereby an adversary repeatedly leverages a memory disclosure vulnerability to identify useful instruction sequences and compile them into a functional ROP payload at runtime. Since the advent of just-in-time code reuse attacks, numerous proposals have surfaced for mitigating them, the most practical of which involve the re-randomization of code at runtime or the destruction of gadgets upon their disclosure. Even so, several avenues exist for performing code inference, which allows JIT-ROP attacks to infer values at specific code locations without directly reading the memory contents of those bytes. This is done by reloading code of interest or implicitly determining the state of randomized code. These so-called "zombie gadgets" completely undermine defenses that rely on destroying code bytes once they are read. To mitigate these attacks, we present a low-overhead, binary-compatible defense which ensures an attacker is unable to execute gadgets that were identified through code reloading or code inference. We have implemented a prototype of the proposed defense for closed-source Windows binaries, and demonstrate that our approach effectively prevents zombie gadget attacks with negligible runtime overhead.