Binary Stirring: Self-randomizing Instruction Addresses of Legacy - - PowerPoint PPT Presentation
University of Crete Computer Science Department CS457 Introduction to Information Systems Security Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki Eleni 872 Rigakis Nikolaos 2422
Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code
University of Crete – Computer Science Department CS457 – Introduction to Information Systems Security
Papadaki Eleni 872 Rigakis Nikolaos 2422 Trivyzadakis Zacharias 1466 Zidianaki ioanna 857
Directly inject malicious machine code ¡ Write-xor-execute Protections (DEP , ExecShield) ¡ Redirect control flow to dangerous code inside victim process (ROP) ¡ ASLR (address space layout randomization) ¡ Redirect control from gadgets inside the binary code ¡ IPR (deployment issues), ILR (high performance
¨ A new technique that gives binary code the ability to self-
¨ Input: binary code without any source code, debug
¨ Output: new binary whose basic block addresses are
¨ Evaluation for Windows and Linux platforms shows about
¨ Preserving the semantics of computed jumps ¨ Prevent randomizing data along with the code ¨ Disassembly undecidability: static disassemblers rely
¨ Callback pointers are not used as jump targets by
¨ Position-dependent instructions ¡
into code blocks
unreachable code
¨ Random stirring of the code-only section by a trusted library
¨ This library initializer code always runs before the target
¨ Stale pointers: some code pointers continue to point into the
¨ Static phase translates all computed jump instructions into a
¨ Three main components:
¤ a conservative disassembler ¤ a lookup table generator, and ¤ a load-time reassemble
¨ Takes a target binary and transforms it to a
¨ An address map of the randomizable
¨ Target binaries are first disassembled to assembly code ¨ Disassembler interpret all bytes that constitute valid instruction
¨ Assembly code is partitioned into basic blocks which can be any
¨ Once new code section has been generated, lookup table generator
¨ Since each module loads into virtual address space, it is not possible
¨ STIR library’s initializer ¡code runs, when the rewritten
¨ Lookup table in the linking module’s section is updated ¨ Library that implements stirring is loaded dynamically
¨ Unloaded before stirred binary runs
¨ Callbacks ¨ Position Independent Code ¨ Statically Computed Returns ¨ Short Functions
¨ A callback occurs when the OS uses a code pointer previously passed from
the program as a computed jump destination
¨ Unlike typical computed jumps, callback pointers are not used as jump
targets
¨ The only instructions that use them as jump targets are within the OS
¨ Our jump table implementation overwrites each computed jump target with
a 5-byte tagged pointer
¨ This design assumes that nearby computed jump targets are at least 5
bytes apart; otherwise the two pointers must overlap
¨ Effectiveness ¨ Performance Overhead
¨ Rewriting Time and Space Overheads ¨ Gadget Elimination
99.92% 99.94% 99.96% 99.98% 100.00%
¨ Windows Runtime Overhead ¨ Linux Runtime Overhead
0% 5% 10% 15% 20% gzip vpr mcf parser gap bzip2 twolf mesa art equake
0% 5% base64 cat cksum comm cp expand factor fold head join ls md5sum nl
paste sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf unexpand wc
¨ ASLR ¤ 2n-1 probes where n is the number of bits of randomness ¨ STIR
¤ (2↑𝑜 )!/2(2↑𝑜 ¡−g)! probes where g is the number of
n Must guess each where each gadget is with each probe.
¨ First static rewriter to protect against RoP
¤ Greatly increases search space ¤ Introduces no deployment issues ¤ Tested on 100+ Windows and Linux binaries ¤ 99.99% gadget reduction on average ¤ 1.6% overhead on average ¤ 37% process size increase on average