mardu efficient and scalable code re randomization
play

MARDU: Efficient and Scalable Code Re-Randomization SYSTOR '20: - PowerPoint PPT Presentation

Nov 02, 2022 •324 likes •630 views

MARDU: Efficient and Scalable Code Re-Randomization SYSTOR '20: Proceedings of the 13th ACM International Systems and Storage Conference Christopher Jelesnianski (Virginia Tech), Jinwoo Yom (Virginia Tech), Changwoo Min (Virginia Tech), Yeongjin

  1. MARDU: Efficient and Scalable Code Re-Randomization SYSTOR '20: Proceedings of the 13th ACM International Systems and Storage Conference Christopher Jelesnianski (Virginia Tech), Jinwoo Yom (Virginia Tech), Changwoo Min (Virginia Tech), Yeongjin Jang (Oregon State University) 1

  2. The Fight against Return Oriented Programming (ROP) Attack Defense Code Injection What is Return Oriented Programming? Data Execution Prevention (DEP) ● An attack that reuses program code to achieve Return Oriented arbitrary code computation Programming (ROP) Address Space Layout Randomization (ASLR) What are Gadgets? Just-In-Time ROP ● Snippets of code that perform specific actions (JIT-ROP) ○ Arithmetic operations Fine-Grained ASLR & eXecute-only Memory ○ Reading/writing to registers (XoM) ○ Etc. Blind ROP (BROP) (Code Inference) Continuous Randomization 2

  3. Current randomization techniques are good ... Code Randomization ● Address Space Layout Randomization (ASLR) + Light-weight - Static code layout - One leak can compromise entire code base ● Re-Randomization Techniques + Continuous churn makes gadgets hard to find - High overhead - Rely on predictable thresholds such as - Time interval - Syscall invocation - Call history 3 3

  4. But they are not practical. Why? ● Users desire acceptable performance Performance (<10% avg & worst-case) ● Users desire strong defenses Security ● Users desire scalability as more Scalability Guarantees computation is moved to the cloud ○ Have system-wide security coverage including shared libraries ● Achieving all three together is hard 4

  5. Outline ● Introduction ● Challenges ● MARDU Design ● Implementation ● Evaluation ● Conclusion 5

  6. Challenges for making a practical randomization defense ● Security challenges ○ Code disclosure: a single leaked pointer allows attacker to obtain code layout of a victim process ● Performance challenges ○ Avoiding useless overwork: Active randomization wastes CPU cycles in case of “what-if” ● Scalability challenges ○ Code Tracking: to support runtime re-randomization tracking and updating of pc-relative code is a necessary and expensive evil ○ Stop-the-world: Updating shared code on-the-fly is challenging especially in concurrent access 6

  7. Outline ● Introduction ● Challenges ● MARDU Design ○ Security: Leveraging code trampolines ○ Scalability: Enabling code sharing ○ Performance: Re-randomization without stopping the world ● Implementation ● Evaluation ● Conclusion 7

  8. Example: Code Control Flow Source Code Traditional Control Flow /* … */ void foo(){ call foo() /* … */ 1 bar(); /* … */ foo: } /* … */ call bar() void bar(){ /* … */ /* … */ 2 4 } ret bar: /* … */ 3 ret 8

  9. MARDU is secure Code ● Code and Trampoline regions protect forward edge Trampoline ○ Trampolines are immutable code targets ○ Protects against code disclosure ● Shadow stack protects backward edge ● Randomization occurs at: ○ Process startup AND ○ Whenever an attack is detected ( on-demand ) ■ Process crash ■ Execute-only memory violation Stack Stack + Shadow Stack ... ... ... local local ret_addr5 local local ret_addr6 ret_addr 9

  10. Example: Securing MARDU Code Source Code Using Code Trampolines Control Flow Intel MPK XoM Coverage void foo(){ /* … */ Code Region Trampoline Region Shadow Stack bar(); foo_body: bar_trampoline: /* … */ ... /* … */ jmp bar_body 3 2 jmp bar_trampoline() } foo_ret0_tr foo_trampoline: foo_ret0: jmp foo_body 1 void bar(){ /* … */ /* … */ foo_ret0_trampoline: jmp ShadowStack_top } jmp foo_ret0 5 bar_body: /* … */ jmp ShadowStack_top 4 10

  11. Outline ● Introduction ● Challenges ● MARDU Design ○ Security: Leveraging code trampolines ○ Scalability: Enabling code sharing ○ Performance: Re-randomization without stopping the world ● Implementation ● Evaluation ● Conclusion 11

  12. MARDU is scalable ● MARDU is capable of code sharing (e.g., shared libraries) ○ No previous randomization scheme is capable of runtime re-randomization AND code sharing ● MARDU leverages position independent code ( -fPIC ) for easy fixups of PC-relative code. ● MARDU supports mixed instrumented and non-instrumented libraries 12

  13. Example: Sharing MARDU code MARDU Patch .text Section Info Section Code Trampoline Fixups MARDU-compiled Region (C) Region (T) Binary/Library Place Trampoline Region Perform patching 2 Place Code Region 4 Random Offset 3 C T In-Kernel Randomized code cache 1 0xffffffff81171000 Map Kernel Memory 13

  14. Example: Sharing MARDU code webserver libc.so dbserver libc.so MARDU MARDU C T C T C T C T Process 1 Process 2 Userspace Userspace 5 0x7fa67811a000 6 0x7fb67811b000 libc.so C T In-Kernel Randomized 0xffffffff81171000 code cache 14

  15. Outline ● Introduction ● Challenges ● MARDU Design ○ Security: Leveraging code trampolines ○ Scalability: Enabling code sharing ○ Performance: Re-randomization without stopping the world ● Implementation ● Evaluation ● Conclusion 15

  16. Re-Randomization without stopping the world webserver libc.so dbserver libc.so MARDU MARDU C T C T C T C T Process 1 Process 2 Userspace Userspace C v1 T v1 In-Kernel Randomized code cache 0xffffffff81171000 16

  17. Re-Randomization without stopping the world ● Gadgets previously deduced are webserver libc.so now stale MARDU C T C v1 C v2 T v2 T v1 ● Randomization is repeated Process 1 whenever another attack event is Userspace detected 3 2 ● Randomization is replicated for ALL ASSOCIATED shared code of a Map Code v2 to Map Trampoline v2 victim process userspace to userspace C v1 T v1 C v2 T v2 In-Kernel 4 Unmap old region Randomized code cache 0xffffffff81171000 1 0xffffffff2245d000 Map new region 17

  18. MARDU is performant ● Trampolines ○ No Runtime Instrumentation Tracking ● Trampolines leverage immutable code ○ No stop-the-world mechanisms ● Re-active re-randomization ○ Only when attack detected ( on-demand ) ○ Responsibility of exiting (crashed) process/thread 18

  19. Outline ● Introduction ● Challenges ● MARDU Design ● Implementation ● Evaluation ● Conclusion 19

  20. MARDU Implementation ● Working Prototype ● Compiler ○ LLVM/Clang 6.0.0 ○ 3.5K LOC LLVM ● Kernel Compiler Infrastructure ○ X86-64 linux 4.17.0 ○ 4K LOC ● musl LibC ○ General C library 20

  21. Outline ● Introduction ● Challenges ● MARDU Design ● Implementation ● Evaluation ○ How to evaluate MARDU? ○ Security: MARDU against popular ROP attacks ○ Performance: Compute Bound -> minimal runtime overhead ○ Scalability: Concurrent Web server -> negligible runtime overhead and scalability ● Conclusion 21

  22. How to evaluate MARDU? 1) How secure is MARDU, against current known and popular attacks on randomization? 2) How much performance overhead does MARDU impose? 3) How scalable is MARDU in terms of load time, memory savings, and re-randomization, particularly for concurrent processes (such as a real-world web server)? 22

  23. Outline ● Introduction ● Challenges ● MARDU Design ● Implementation ● Evaluation ○ How to evaluate MARDU? ○ Security: MARDU against popular ROP attacks ○ Performance: Compute Bound -> minimal runtime overhead ○ Scalability: Concurrent Web server -> negligible runtime overhead and scalability ● Conclusion 23

  24. How MARDU defends against popular ROP ● Blind ROP (BROP) & Code Inference Attacks ○ MARDU: XoM protected code triggers a permission violation and re-randomization of code ○ MARDU: Re-randomization makes all previous collected layout information stale ○ MARDU: Usage of trampolines & function granularity randomization makes correlation prediction challenging for attackers ● JIT-ROP Attacks ● Low Profile Attacks ● Code Pointer Offsetting Attacks 24

  25. Outline ● Introduction ● Challenges ● MARDU Design ● Implementation ● Evaluation ○ How to evaluate MARDU? ○ Security: MARDU against popular ROP attacks ○ Performance: Compute Bound -> minimal runtime overhead ○ Scalability: Concurrent Web server -> negligible runtime overhead and scalability ● Conclusion 25

  26. Experimental Setup and Applications ● Experimental Setup ○ All programs compiled with MARDU LLVM compiler and -O2 -fPIC optimization flags ○ Platform: ■ 24-core (48-Hardware thread) machine with two Intel Xeon Silver 4116 CPUs (2.10 GHz) ■ 128 GB DRAM ● Applications ○ SPEC CPU 2006 (All C applications) ○ NGINX web server 26

  27. How MARDU performs Web server (NGINX) 5.5% NGINX AVG Degradation: 4.4% 27 27

  28. MARDU randomization with scalability ● Re-randomization latency scales approximately linearly with number of fixups required ● Cold start randomization latency for any number of workers for NGINX is 61ms ● Re-randomization latency plateau’s even when under attack 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D. Keromytis Columbia University Vassilis Prevelakis Drexel University 1 Overview of Technique Protect from code-injection attacks create

608 views • 19 slides
Clean Code 1 / 24 Clean Code What is clean code? Elegant and efficient. Bjarne

Clean Code 1 / 24 Clean Code What is clean code? Elegant and efficient. Bjarne

Clean Code 1 / 24 Clean Code What is clean code? Elegant and efficient. Bjarne Stroustrup Simple and direct. Readable. Grady Booch Understandable by others, tested, literate. Dave Thomas Code works pretty much as

351 views • 24 slides
Shuffler: Fast and Deployable Continuous Code Re-Randomization David Williams-King, Graham

Shuffler: Fast and Deployable Continuous Code Re-Randomization David Williams-King, Graham

Shuffler: Fast and Deployable Continuous Code Re-Randomization David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis, Junfeng Yang, William Aiello OSDI 2016

1.2k views • 93 slides
Randomization Algorithm Theory WS 2012/13 Fabian Kuhn Randomization Randomized Algorithm: An

Randomization Algorithm Theory WS 2012/13 Fabian Kuhn Randomization Randomized Algorithm: An

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn Randomization Randomized Algorithm: An algorithm that uses (or can use) random coin flips in order to make decisions We will see: randomization can be a powerful tool to Make

497 views • 21 slides
Efficient and Scalable Operating System Provisioning with Kadeploy3 Luc Sarzyniec &lt;

Efficient and Scalable Operating System Provisioning with Kadeploy3 Luc Sarzyniec &lt;

Efficient and Scalable Operating System Provisioning with Kadeploy3 Luc Sarzyniec &lt; luc.sarzyniec@inria.fr &gt; Grid5000 Plan 1 Introduction Use cases Challenges Key features 2 Kadeploy internals 3 Example usages at large scale 4

632 views • 26 slides
S6357 Towards Efficient Communication Methods and Models for Scalable GPU-Centric Computing

S6357 Towards Efficient Communication Methods and Models for Scalable GPU-Centric Computing

S6357 Towards Efficient Communication Methods and Models for Scalable GPU-Centric Computing Systems Holger Frning Computer Engineering Group Ruprecht-Karls University of Heidelberg GPU Technology Conference 2016 About us JProf. Dr.

484 views • 33 slides
Efficient and Scalable Multi-Source Streaming Broadcast on GPU Clusters for Deep Learning

Efficient and Scalable Multi-Source Streaming Broadcast on GPU Clusters for Deep Learning

Efficient and Scalable Multi-Source Streaming Broadcast on GPU Clusters for Deep Learning Ching-Hsiang Chu 1 , Xiaoyi Lu 1 , Ammar A. Awan 1 , Hari Subramoni 1 , Jahanzeb Hashmi 1 , Bracy Elton 2 and Dhabaleswar K. (DK) Panda 1 1 Department of

746 views • 28 slides
Towards Scalable and Efficient FPGA Stencil Accelerators el Deest 1 Nicolas Estibals 1 Tomofumi

Towards Scalable and Efficient FPGA Stencil Accelerators el Deest 1 Nicolas Estibals 1 Tomofumi

Towards Scalable and Efficient FPGA Stencil Accelerators el Deest 1 Nicolas Estibals 1 Tomofumi Yuki 2 Ga Steven Derrien 1 Sanjay Rajopadhye 3 1 IRISA / Universit 2 INRIA / LIP / ENS Lyon e de Rennes 1 / Cairn 3 Colorado State University

826 views • 38 slides
Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in

Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in

Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in VANETs Mohammad Khodaei and Panos Papadimitratos Networked Systems Security Group (NSS) www.ee.kth.se/nss Royal Institute of Technology (KTH)

700 views • 35 slides
GraphWalker: An I/O-Efficient and Resource-Friendly Graph Analytic System for Fast and Scalable

GraphWalker: An I/O-Efficient and Resource-Friendly Graph Analytic System for Fast and Scalable

GraphWalker: An I/O-Efficient and Resource-Friendly Graph Analytic System for Fast and Scalable Random Walks Rui Wang , Yongkun Li , Hong Xie , Yinlong Xu , John C.S. Lui* University of Science and Technology of China

566 views • 23 slides
Small and highly efficient hydrothermal liquefaction (HTL) units for scalable mass implementation

Small and highly efficient hydrothermal liquefaction (HTL) units for scalable mass implementation

Small and highly efficient hydrothermal liquefaction (HTL) units for scalable mass implementation in biomass conversion Ib Johannsen, V.Milkevych, D.More, B.S.Kielsgaard, K.Anastasakis, P.Biller Bio2Oil IVS and Dept. of Engineering, Aarhus

442 views • 28 slides
Towards Efficient Video Compression Using Scalable Vector Graphics on the Cell Broadband Engine

Towards Efficient Video Compression Using Scalable Vector Graphics on the Cell Broadband Engine

Towards Efficient Video Compression Using Scalable Vector Graphics on the Cell Broadband Engine Andreea Sandu, Emil Slusanschi, Alin Murarasu, Andreea Serban, Alexandru Herisanu, Teodor Stoenescu University Politehnica of Bucharest Computer

447 views • 21 slides
Where is the FEEB? The Effectiveness of Instruction Set Randomization Ana Sovarel, David Evans

Where is the FEEB? The Effectiveness of Instruction Set Randomization Ana Sovarel, David Evans

Where is the FEEB? The Effectiveness of Instruction Set Randomization Ana Sovarel, David Evans and Nathanael Paul Presented by Sandra Rueda CSE 598A - Spring 2007 - Sandra Rueda Page 1 Code Injection Attacks High level description:

246 views • 20 slides
Efficient and Scalable Deep Leaning: Automated and Federated Ligeng Zhu Brief Bio Was born

Efficient and Scalable Deep Leaning: Automated and Federated Ligeng Zhu Brief Bio Was born

Efficient and Scalable Deep Leaning: Automated and Federated Ligeng Zhu Brief Bio Was born in Taizhou, Zhejiang Province, China. Entered Zhejiang University to pursue study in CS. Dual degree program at Simon Fraser University, also

598 views • 58 slides
PP-Index: Using Permutation Prefixes for Efficient and Scalable Approximate Similarity Search

PP-Index: Using Permutation Prefixes for Efficient and Scalable Approximate Similarity Search

PP-Index: Using Permutation Prefixes for Efficient and Scalable Approximate Similarity Search Andrea Esuli andrea.esuli@isti.cnr.it Istituto di Scienza e Tecnologie dellInformazione A. Faedo Consiglio Nazionale delle Ricerche Via

860 views • 48 slides
KANDOO A FRAMEWORK FOR EFFICIENT &amp; SCALABLE OFFLOADING OF CONTROL APPLICATIONS Soheil

KANDOO A FRAMEWORK FOR EFFICIENT &amp; SCALABLE OFFLOADING OF CONTROL APPLICATIONS Soheil

KANDOO A FRAMEWORK FOR EFFICIENT &amp; SCALABLE OFFLOADING OF CONTROL APPLICATIONS Soheil Hassas Yeganeh Yashar Ganjali soheil@cs.toronto.edu yganjali@cs.toronto.edu EVENTS. Rare Control Plane Link state changes Frequent and

611 views • 25 slides
Randomization DS-GA 1013 / MATH-GA 2824 Mathematical Tools for Data Science

Randomization DS-GA 1013 / MATH-GA 2824 Mathematical Tools for Data Science

Randomization DS-GA 1013 / MATH-GA 2824 Mathematical Tools for Data Science https://cims.nyu.edu/~cfgranda/pages/MTDS_spring19/index.html Carlos Fernandez-Granda Motivating applications Gaussian random variables Randomized dimensionality

1.97k views • 178 slides
Improving the Randomization Step in Feasibility Pump using WalkSAT Santanu S. Dey Joint work

Improving the Randomization Step in Feasibility Pump using WalkSAT Santanu S. Dey Joint work

Improving the Randomization Step in Feasibility Pump using WalkSAT Santanu S. Dey Joint work with: Andres Iroume, Marco Molinaro, Domenico Salvagnin Discrepancy &amp; IP workshop, 2018 Feasibility Pump using Sparsity in real&quot; Integer

1.79k views • 54 slides
Detecting Network Effects Randomizing Over Randomized Experiments Martin Saveski (@msaveski)

Detecting Network Effects Randomizing Over Randomized Experiments Martin Saveski (@msaveski)

Detecting Network Effects Randomizing Over Randomized Experiments Martin Saveski (@msaveski) MIT Detecting Network Effects Randomizing Over Randomized Experiments Guillaume Saint Jacques Martin Saveski Jean Pouget-Abadie MIT MIT

1.16k views • 89 slides
Graphical Representation of Causal Effects November 10, 2016 Lords Paradox: Observed Data

Graphical Representation of Causal Effects November 10, 2016 Lords Paradox: Observed Data

Graphical Representation of Causal Effects November 10, 2016 Lords Paradox: Observed Data Units: Students; Covariates: Sex, September Weight; Potential Outcomes: June Weight under Treatment and Control; Treatment = University diet; Control

389 views • 18 slides
CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong Applying Differential Privacy Real world deployments of differential privacy OnTheMap RAPPOR Module 4 Tutorial: Differential Privacy in the Wild

617 views • 30 slides
1 Take a broad view of what constitutes therapies: changing intensity, switching medication,

1 Take a broad view of what constitutes therapies: changing intensity, switching medication,

60 minutes Sequential Multiple Assignment Randomized Trials (SMARTs)? What are SMARTs? Why do we need SMARTs? Discuss the role of critical decisions and treatment options to plan and provide the rational for a SMART Utilizing theory to plan a

778 views • 43 slides
CS 147: Computer Systems Performance Analysis Higher Designs and Other Considerations 1 / 25

CS 147: Computer Systems Performance Analysis Higher Designs and Other Considerations 1 / 25

CS147 2015-06-15 CS 147: Computer Systems Performance Analysis Higher Designs and Other Considerations CS 147: Computer Systems Performance Analysis Higher Designs and Other Considerations 1 / 25 Overview CS147 Overview 2015-06-15

745 views • 26 slides
Repeated Games with Perfect Monitoring Mihai Manea MIT Repeated Games normal-form stage game

Repeated Games with Perfect Monitoring Mihai Manea MIT Repeated Games normal-form stage game

Repeated Games with Perfect Monitoring Mihai Manea MIT Repeated Games normal-form stage game G = ( N , A , u ) players simultaneously play game G at time t = 0 , 1 , . . . at each date t , players observe all past actions: h t = ( a 0

163 views • 14 slides

More recommend