LR²: Leakage-Resilient Layout Randomization for Mobile Devices - PowerPoint PPT Presentation


SLIDE 1

LR²: Leakage-Resilient Layout Randomization for Mobile Devices

Kjell Braden†§, Stephen Crane‡, Lucas Davi†, Michael Franz∗, Per Larsen∗‡, Christopher Liebchen†, Ahmad-Reza Sadeghi†

†TU Darmstadt *UC Irvine §EURECOM ‡Immunant, Inc.

SLIDES 3 to 12 (one slide built up step by step)

Today’s Exploits & Mitigations

Figure: an Application split into Code and Data. A Code Pointer stored in Data is used by `call *ptr` to reach Function A. The attacker overwrites the Code Pointer; once the layout is randomized, the target of the overwritten pointer is unknown to the attacker (drawn as "?").

Mitigations:
  • Address Space Layout Randomization
  • Fine-grained Code Randomization
  • Execute-only Memory: Readactor [IEEE S&P’15], Readactor++ [CCS’15]
  • Code-Pointer Hiding

Attacks against them:
  • Code-Pointer Disclosure [Serna BH USA’12]: read the Code Pointer, then overwrite it
  • JIT-ROP [Snow et al. IEEE S&P’13]: reads the randomized code itself, which execute-only memory prevents
  • Isomeron (Attack) [Davi et al. NDSS’15]: Code Pointers leaked from Data still reveal where Code Fragments are, even with execute-only memory; Code-Pointer Hiding addresses this by keeping the pointer in execute-only memory

SLIDES 13 to 15 (one slide built up step by step)

Execute-only Memory

Execute-Only Memory Support:
  • Readactor [IEEE S&P’15]: Memory Virtualization
  • XnR [CCS’14]: MMU
  • HideM [CODASPY’15]: TLB-Splitting

These mechanisms are available on Desktop/Server hardware, but not on Mobile devices.

This Talk: Execute-only Memory without Hardware Support

SLIDE 16

Threat Model

  • Read Memory (Information Disclosure)
  • Write Memory (Memory Corruption Vulnerability)
  • Perform Computations (Scripting Engine or Locally)
  • Cannot Inject New Code (DEP, W^X)

SLIDE 17

LR²: Leakage-Resilient Layout Randomization

SLIDES 18 to 19

LR² Overview

  • Fine-grained Code Randomization
  • Software eXecute-only Memory (XoM)
  • Code-Pointer Hiding
    • Return Addresses
    • Forward Pointers

Slide 19 highlights the parts covered in this talk: Software XoM and Code-Pointer Hiding for Return Addresses.
SLIDES 20 to 21 (one slide built up step by step)

Software XoM: Idea

Figure: the Application consists of Randomized Code and Data A. A `Read [address]` is routed through Sandboxing, which lets it reach Data but not Code.

SLIDES 22 to 23 (one slide built up step by step)

Software XoM: Design

Figure: the Application address space holds Kernel, Code A, Code B, Data A, Data B, Stack and Heap. Code and Data are split at the 2 GB boundary; the figure also labels Trampolines and a Guard region.

Sandboxing Read Instructions: a mask is inserted before every load, so the address register can only point into the Data half.

    r1 <- addr
    r1 <- r1 & 0x7FFFFFFF
    r0 <- [r1]

SLIDES 24 to 26 (one slide built up step by step)

Code-Pointer Hiding: Return Addresses

Figure: Function B saves the link register with PUSH LR, calls Function C (the return site is B1) and later restores it with POP LR before returning. The Stack therefore holds the Caller Return Address (Caller RA) and Address B1 in the clear, where an attacker with a memory read can disclose them.

With LR²: Function B applies Enc(LR, KeyB) before PUSH LR and Dec(LR, KeyB) after POP LR, so the Stack only ever holds Enc(LR, KeyB) instead of a plain code address.
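Added example, not from the slides or the LR² authors' code: a Python model of the return-address hiding shown above. It assumes Enc/Dec is an XOR with a per-function key assigned at load time (the key is treated as living in execute-only code and is never placed on the readable stack); the addresses, key values and function names are constructed.

```python
# Added example (not from the LR2 slides or paper): a model of LR2-style
# return-address hiding. Assumed details: Enc/Dec is an XOR with a per-function
# key that is assigned at load time and lives in execute-only code (so the
# model never exposes it through the readable stack); addresses are 32-bit.
import secrets

WORD = 0xFFFFFFFF

class Function:
    """A function with its own key; the key would be an immediate in XoM code."""
    def __init__(self, name, key=None):
        self.name = name
        self._key = key if key is not None else secrets.randbits(32)

    def enc(self, lr):          # Enc(LR, KeyB): right after entry, before PUSH LR
        return (lr ^ self._key) & WORD

    def dec(self, value):       # Dec(LR, KeyB): right after POP LR, before return
        return (value ^ self._key) & WORD

class Stack:
    """Attacker-readable stack (threat model: arbitrary memory reads)."""
    def __init__(self):
        self.words = []
    def push(self, v): self.words.append(v & WORD)
    def pop(self): return self.words.pop()
    def disclose(self): return list(self.words)   # what a read primitive sees

def call_and_return(callee, stack, return_address):
    """CALL callee from return_address: callee hides LR, runs, restores LR."""
    stack.push(callee.enc(return_address))    # PUSH LR (encrypted)
    snapshot = stack.disclose()               # leak while the callee is running
    lr = callee.dec(stack.pop())              # POP LR, then decrypt
    return lr, snapshot

def demo():
    func_b = Function("B", key=0x1B2C3D4E)    # constructed keys for determinism
    func_c = Function("C", key=0x5F60718A)
    caller_ra = 0x80001234                    # constructed: where B's caller resumes
    b1 = 0x80004F10                           # constructed: return site B1 in B
    stack = Stack()
    stack.push(func_b.enc(caller_ra))         # B's prologue: Enc(LR, KeyB); PUSH LR
    lr_from_c, leaked = call_and_return(func_c, stack, b1)   # B calls C
    lr_from_b = func_b.dec(stack.pop())       # B's epilogue: POP LR; Dec(LR, KeyB)
    # Both returns reach the right address, yet the leaked stack holds neither.
    return lr_from_c, lr_from_b, leaked
```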

SLIDE 27

Sandboxing Reads: Optimizations

SLIDES 28 to 31 (one slide built up step by step)

Optimizations: Loops

Naive instrumentation masks the address on every iteration:

    r0 <- address
    For i <- 0 ; i < X ; ++i
        Mask r0
        r1 <- [r0]

Optimized: mask r0 once before the loop and use register-plus-offset addressing inside it:

    r0 <- address
    Mask r0
    For i <- 0 ; i < X ; ++i
        r1 <- [r0 + i]

Figure: Code and Data split at 2 GB with a Guard Region at the boundary; an access through a masked r0 plus a bounded offset can at worst land in the Guard Region, never in Code.
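Added example, not from the slides or the LR² implementation: a Python model of the read sandboxing from the Software XoM design slide and of the loop optimization above. It assumes a 32-bit address space with Data in the lower 2 GB and Code in the upper 2 GB, the mask r1 & 0x7FFFFFFF from the slides, and an unmapped guard region just above the boundary whose 4 KiB size is a constructed value.

```python
# Added example (not from the LR2 slides or paper): a model of LR2-style
# software XoM load sandboxing. Assumed layout: 32-bit address space, data in
# the lower 2 GiB, code in the upper 2 GiB, the mask r1 & 0x7FFFFFFF from the
# slides, and an unmapped guard region just above the 2 GiB boundary whose
# size (4 KiB here) is a constructed value.
DATA_LIMIT = 0x80000000   # first address of the code half
GUARD_SIZE = 0x1000       # assumed; must exceed the largest loop offset added to a base
MASK = 0x7FFFFFFF         # clears bit 31, so a masked address always lands in data

class Memory:
    """Sparse byte memory that faults on the unmapped guard region."""
    def __init__(self):
        self.bytes = {}

    def write(self, addr, value):
        self.bytes[addr & 0xFFFFFFFF] = value

    def raw_load(self, addr):
        """Unsandboxed load: what an unmasked read primitive could reach."""
        addr &= 0xFFFFFFFF
        if DATA_LIMIT <= addr < DATA_LIMIT + GUARD_SIZE:
            raise MemoryError("fault: guard region at 0x%08x" % addr)
        return self.bytes.get(addr, 0)

def sandboxed_load(mem, addr):
    """Slide 23: mask the address register immediately before the load."""
    return mem.raw_load(addr & MASK)

def loop_load(mem, base, count):
    """Slides 30/31: mask the base once, then read [base + i] inside the loop.
    Sound only while count <= GUARD_SIZE: a masked base is below DATA_LIMIT,
    so base + i can at most reach the guard region, where it faults."""
    base &= MASK
    return [mem.raw_load(base + i) for i in range(count)]

def demo():
    mem = Memory()
    mem.write(0x80001000, 0xE5)   # constructed: a code byte in the upper half
    mem.write(0x00001000, 0x41)   # constructed: the data byte at the masked address
    leaked = mem.raw_load(0x80001000)         # no sandbox: the code byte leaks
    masked = sandboxed_load(mem, 0x80001000)  # sandboxed: reads data instead
    try:
        loop_load(mem, 0x7FFFFFF0, 32)        # crosses the 2 GiB boundary ...
        faulted = False
    except MemoryError:
        faulted = True                        # ... and faults in the guard
    return leaked, masked, faulted
```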

SLIDE 32

Implementation

SLIDE 33

Implementation

  • Kernel
    • Stack and Heap Allocations
  • Loader
    • Code and Data Sections
  • Compiler
    • Sandbox Read Instructions

Figure: Application address space with the Kernel and the 2 GB Code/Data split: Stack, Heap, Data B, Data A, Code B, Code A.

SLIDE 34

Evaluation

  • Security:
    • Code-Reuse Attacks: Function Permutation
    • Direct disclosure: Execute-only Memory
    • Indirect disclosure:
      • Code-pointer Hiding
      • Code/Data section decoupling
  • CPU: Nvidia Tegra Logan K1
  • Performance:
    • 6.6% run-time overhead
    • 5.6% space overhead
SLIDE 35

SPEC CPU 2006

Figure: bar chart of SPEC CPU 2006 run-time overhead per benchmark (y-axis ticks 5, 15, 25); legend: Pointer Hiding, Restricted Register-Register Addressing, Software XoM, Code and Data Section Decoupling, Full LR2.

SLIDE 36

SPEC CPU 2006 Geometric Mean

Figure: bar chart (y-axis ticks 1, 3, 5, 7) with the same legend: Pointer Hiding, Restricted Register-Register Addressing, Software XoM, Code and Data Section Decoupling, Full LR2. Values printed on the chart: 1.45%, 2.27%, 6.63%, 3.96%, 6.62%.

SLIDE 37

LR² and Software Fault Isolation (SFI)

  • Different Threat Models
    • SFI isolates untrusted code
    • LR2 protects trusted code
  • LR2 can protect multiple load instructions by masking one address
  • SFI sandboxes write and branch instructions
SLIDE 38

Conclusion

  • First pure software execute-only memory technique
  • Optimized return address protection scheme
  • Performance and security matches state-of-the-art solutions requiring special, high-end hardware