TY - GEN
T1 - DynaGuard
T2 - 31st Annual Computer Security Applications Conference, ACSAC 2015
AU - Petsios, Theofilos
AU - Kemerlis, Vasileios P.
AU - Polychronakis, Michalis
AU - Keromytis, Angelos D.
N1 - Publisher Copyright:
© 2015 ACM.
PY - 2015/12/7
Y1 - 2015/12/7
N2 - Over the past decade many exploit mitigation techniques have been introduced to defend against memory corruption attacks. W^X, ASLR, and canary-based protections are nowadays widely deployed and considered standard practice. However, despite the fact that these techniques have evolved over time, they still suffer from limitations that enable skilled adversaries to bypass them. In this work, we focus on countermeasures against the byte-by-byte discovery of stack canaries in forking programs. This limitation, although known for years, has yet to be addressed effectively, and was recently abused by a series of exploits that allowed for the remote compromise of the popular Nginx web server and a full ASLR bypass in x86-64 Linux. We present DynaGuard, an extension to canary-based protections that further armors hardened applications against brute-force canary attacks. We have implemented DynaGuard in two flavors: a compiler-based version, which incurs an average runtime overhead of 1.2%, and a version based on dynamic binary instrumentation, which can protect binary-only applications without requiring access to source code. We have evaluated both implementations using a set of popular server applications and benchmark suites, and examined how the proposed design overcomes the limitations of previous proposals, ensuring application correctness and seamless integration with third-party software.
AB - Over the past decade many exploit mitigation techniques have been introduced to defend against memory corruption attacks. W^X, ASLR, and canary-based protections are nowadays widely deployed and considered standard practice. However, despite the fact that these techniques have evolved over time, they still suffer from limitations that enable skilled adversaries to bypass them. In this work, we focus on countermeasures against the byte-by-byte discovery of stack canaries in forking programs. This limitation, although known for years, has yet to be addressed effectively, and was recently abused by a series of exploits that allowed for the remote compromise of the popular Nginx web server and a full ASLR bypass in x86-64 Linux. We present DynaGuard, an extension to canary-based protections that further armors hardened applications against brute-force canary attacks. We have implemented DynaGuard in two flavors: a compiler-based version, which incurs an average runtime overhead of 1.2%, and a version based on dynamic binary instrumentation, which can protect binary-only applications without requiring access to source code. We have evaluated both implementations using a set of popular server applications and benchmark suites, and examined how the proposed design overcomes the limitations of previous proposals, ensuring application correctness and seamless integration with third-party software.
KW - Canary re-randomization
KW - Canary-based protection
UR - https://www.scopus.com/pages/publications/84959339222
U2 - 10.1145/2818000.2818031
DO - 10.1145/2818000.2818031
M3 - Conference contribution
AN - SCOPUS:84959339222
T3 - ACM International Conference Proceeding Series
SP - 351
EP - 360
BT - Proceedings - 31st Annual Computer Security Applications Conference, ACSAC 2015
PB - Association for Computing Machinery
Y2 - 7 December 2015 through 11 December 2015
ER -