SlideShare a Scribd company logo

Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Download as PPTX, PDF
Yue Chen, profile picture
Yue Chen

The document discusses 'Remix', a live randomization technique aimed at improving security against code reuse attacks such as buffer overflow and return-oriented programming by dynamically randomizing basic blocks within functions. It addresses challenges in maintaining execution integrity during randomization and proposes methods to update control-flow instructions. Performance evaluations suggest Remix can achieve finer-grained randomization with manageable overhead, contributing to enhanced software security.

Engineering
Related topics:
System Security
1 of 41
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu Florida State University Stony Brook University 6th ACM Conference on Data and Applications Security and Privacy, New Orleans, LA, USA
Code Reuse Attack • Buffer Overflow -> Code Injection Attack
Code Reuse Attack • Buffer Overflow -> Code Injection Attack – Defense: Data Execution Prevention (DEP) • Write XOR Execute
Code Reuse Attack • Buffer Overflow -> Code Injection Attack – Defense: Data Execution Prevention (DEP) • Write XOR Execute • Return-oriented Programming Attack – Discover gadgets from existing code, chain them by ret instruction – Turing complete
Code Reuse Attack Existing Code Chained Gadgets
ASLR Address Space Layout Randomization Executable Library1 Library1 Executable
ASLR - Problem Library1 Executable Pointer Leak
ASLR - Problem Library1 Executable Pointer Leak De-randomized
Goal • Live randomization during runtime • Finer-grained randomization unit • Low performance overhead
Remix Live basic block (BB) randomization within functions
Remix Live basic block (BB) randomization within functions Advantages: No function pointer migration Good spatial locality
Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A
Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A After 0.86 seconds
Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A After 0.86 seconds After 2.13 seconds
Challenges • Chain randomized basic blocks together – Need extra space – Instruction update • Stale pointer migration
Extra Space Case 1: Extra Jmp Basic Block 1 Basic Block 2 Basic Block 3 Jmp to BB1 (1) At the Beginning of a Function
Extra Space Case 1: Extra Jmp Basic Block 1 Basic Block 2 Basic Block 3 Jmp to BB1 (1) At the Beginning of a Function (2) At the End of a Basic Block that does not end with instructions like Jmp/Ret mov … add … mov … mov … add … jle …
Extra Space Case 2: Displacement Length Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Before Remix
Extra Space Case 2: Displacement Length Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Jump to BB3 Before Remix After Remix
Extra Space Case 2: Displacement Length One-byte displacement: jmp +0x10 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Jump to BB3 Four-byte displacement: jmp +0x00001000 Before Remix After Remix
Extra Space Solution With Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement  Enough Space Guaranteed!
Extra Space Solution With Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement  Enough Space Guaranteed! Without Source Code: Leverage existing NOP paddings: • Function alignment • Loop alignment
Instruction Update Q: Which instructions need updating ?
Instruction Update Q: Which instructions need updating ? A: Control-flow related ones
Instruction Update Two-step update (e.g., unconditional direct jmp): Basic Block 1 Basic Block 2 Basic Block 3 Original After BB Reordering Step one: Jumps to Original Address of BB 3 Step two: Jumps to Current Address of BB 3 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 2 Basic Block 3 jmp
Instruction Update • Direct call: Step-one update • Indirect call: No update needed • Direct jump: Step-one and step-two update • Indirect jump: Discussed later • PC-relative addressing: Step-one update
Indirect Jump • Jump to functions – Unmoved – PLT/GOT – Tail/Sibling Call • Jump to basic blocks – See next
Basic Block Pointer Conversion • Why? - Migrate stale pointers to basic blocks, to ensure correctness
Basic Block Pointer Conversion • Why? - Migrate stale pointers to basic blocks, to ensure correctness • Where? - Return address - Jump table (switch/case) - Saved context (e.g., setjmp/longjmp) - Kernel exception table …
Optimization  Speed up randomization procedure: • Metadata Maintenance – Basic block information (e.g., location) – Code/data that need updating
Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop
Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Bundle
Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Bundle Randomize
Bundle Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 The bundling layout is different from time to time. – Unpredictable! Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Randomize
Implementation • Compiler – Slightly modified LLVM • Linux userspace applications – Ptrace, an isolated small agent to perform the randomization • Freebsd kernel modules – smp_rendezvous
Evaluation - Security • Finer-grained randomization: – Entropy boost • Live randomization during runtime: – Destroy discovered gadgets immediately Software Apache nginx lighttpd Average Basic Block Number per Function 15.3 18.8 14.4 Average NOP Space (bytes) per Function 19.3 26.2 22.1 Want more entropy? – Insert more NOP space!
Evaluation - Performance SPEC CPU 2006 Performance Overhead
Evaluation - Performance SPEC CPU 2006 Size Increase
Evaluation - Performance Apache Web Server Performance Overhead (by ApacheBench) Randomization Time Interval Randomization time interval can be random !Performance depends on hardware speed.
Evaluation - Performance ReiserFS Performance Overhead (by IOZone) Randomization Time Interval Randomization time interval can be random !Performance depends on hardware speed.
Q&A

More Related Content

PDF
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
PPTX
Intel processor trace - What are Recorded?
Pipat Methavanitpong
 
PPTX
Os lectures
Adnan Ghafoor
 
PPTX
Threads in Operating System | Multithreading | Interprocess Communication
Shivam Mitra
 
PPTX
BAM experiences in large scale deployments
AIMS Innovation
 
PPTX
Release Cycle Changes
HPCC Systems
 
PPTX
Process management in operating system | process states | PCB | FORK() | Zomb...
Shivam Mitra
 
PDF
File Systems: Why, How and Where
Kernel TLV
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
Intel processor trace - What are Recorded?
Pipat Methavanitpong
 
Os lectures
Adnan Ghafoor
 
Threads in Operating System | Multithreading | Interprocess Communication
Shivam Mitra
 
BAM experiences in large scale deployments
AIMS Innovation
 
Release Cycle Changes
HPCC Systems
 
Process management in operating system | process states | PCB | FORK() | Zomb...
Shivam Mitra
 
File Systems: Why, How and Where
Kernel TLV
 

Viewers also liked (20)

DOCX
Rashid new cv 2014
Rashid Ali
 
PDF
A Perspective from the intersection Data Science, Mobility, and Mobile Devices
Yael Garten
 
PDF
White paper hadoop performancetuning
Anil Reddy
 
PPTX
Data Infused Product Design and Insights at LinkedIn
Yael Garten
 
PDF
Impala SQL Support
Yue Chen
 
PPTX
Admission Control in Impala
Cloudera, Inc.
 
PDF
Cloudera Impala Source Code Explanation and Analysis
Yue Chen
 
PPTX
Apache Impala (incubating) 2.5 Performance Update
Cloudera, Inc.
 
PDF
Hadoop application architectures - Fraud detection tutorial
hadooparchbook
 
PPTX
How to use your data science team: Becoming a data-driven organization
Yael Garten
 
PDF
SecPod: A Framework for Virtualization-based Security Systems
Yue Chen
 
PPTX
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
Cloudera, Inc.
 
PDF
Nested Types in Impala
Cloudera, Inc.
 
PDF
Architecting next generation big data platform
hadooparchbook
 
PPTX
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Cloudera, Inc.
 
PDF
What no one tells you about writing a streaming app
hadooparchbook
 
PPTX
Hoodie: Incremental processing on hadoop
Prasanna Rajaperumal
 
PDF
Top 5 mistakes when writing Spark applications
hadooparchbook
 
PDF
Top 5 mistakes when writing Spark applications
hadooparchbook
 
PDF
Streaming architecture patterns
hadooparchbook
 
Rashid new cv 2014
Rashid Ali
 
A Perspective from the intersection Data Science, Mobility, and Mobile Devices
Yael Garten
 
White paper hadoop performancetuning
Anil Reddy
 
Data Infused Product Design and Insights at LinkedIn
Yael Garten
 
Impala SQL Support
Yue Chen
 
Admission Control in Impala
Cloudera, Inc.
 
Cloudera Impala Source Code Explanation and Analysis
Yue Chen
 
Apache Impala (incubating) 2.5 Performance Update
Cloudera, Inc.
 
Hadoop application architectures - Fraud detection tutorial
hadooparchbook
 
How to use your data science team: Becoming a data-driven organization
Yael Garten
 
SecPod: A Framework for Virtualization-based Security Systems
Yue Chen
 
Data Modeling for Data Science: Simplify Your Workload with Complex Types in ...
Cloudera, Inc.
 
Nested Types in Impala
Cloudera, Inc.
 
Architecting next generation big data platform
hadooparchbook
 
Faster Batch Processing with Cloudera 5.7: Hive-on-Spark is ready for production
Cloudera, Inc.
 
What no one tells you about writing a streaming app
hadooparchbook
 
Hoodie: Incremental processing on hadoop
Prasanna Rajaperumal
 
Top 5 mistakes when writing Spark applications
hadooparchbook
 
Top 5 mistakes when writing Spark applications
hadooparchbook
 
Streaming architecture patterns
hadooparchbook
 
Ad

Similar to Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime) (20)

PDF
Automated deployments using envoy by John Blackmore
TechExeter
 
PDF
Db2-for-zOS-Hot-Topics-and-Best-Practices-with-John-Campbell-Part-1.pdf
ssuser78a4cf
 
PDF
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Anne Nicolas
 
PPTX
Exploiting the windows kernel
Japneet Singh
 
PDF
Search at Twitter: Presented by Michael Busch, Twitter
Lucidworks
 
PDF
es_hardware_handout
Mohammad Ranjbar
 
PDF
CNIT 127: Ch 2: Stack Overflows in Linux
Sam Bowne
 
PPTX
Kafka Summit NYC 2017 - Deep Dive Into Apache Kafka
confluent
 
PDF
Asynchronous Programming in Kotlin with Coroutines
Tobias Schürg
 
PDF
5. Stream Ciphers
Sam Bowne
 
PDF
127 Ch 2: Stack overflows on Linux
Sam Bowne
 
PDF
CNIT 127: Ch 2: Stack overflows on Linux
Sam Bowne
 
PDF
Make static instrumentation great again, High performance fuzzing for Windows...
Lucas Leong
 
PPTX
Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...
Blue Raster
 
PDF
DEF CON 27 - JEFF DILEO - evil e bpf in depth
Felipe Prado
 
PPT
Chapter 02 modified
Jugal Doshi
 
PDF
Ch5 process synchronization
Welly Dian Astika
 
PPTX
Kafka replication apachecon_2013
Jun Rao
 
PDF
2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...
Brian Vandegriend
 
PPTX
Practical Windows Kernel Exploitation
zeroSteiner
 
Automated deployments using envoy by John Blackmore
TechExeter
 
Db2-for-zOS-Hot-Topics-and-Best-Practices-with-John-Campbell-Part-1.pdf
ssuser78a4cf
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Anne Nicolas
 
Exploiting the windows kernel
Japneet Singh
 
Search at Twitter: Presented by Michael Busch, Twitter
Lucidworks
 
es_hardware_handout
Mohammad Ranjbar
 
CNIT 127: Ch 2: Stack Overflows in Linux
Sam Bowne
 
Kafka Summit NYC 2017 - Deep Dive Into Apache Kafka
confluent
 
Asynchronous Programming in Kotlin with Coroutines
Tobias Schürg
 
5. Stream Ciphers
Sam Bowne
 
127 Ch 2: Stack overflows on Linux
Sam Bowne
 
CNIT 127: Ch 2: Stack overflows on Linux
Sam Bowne
 
Make static instrumentation great again, High performance fuzzing for Windows...
Lucas Leong
 
Python Multiprocessing Spoon-fed - Blue Raster Esri Developer Summit 2013 Lig...
Blue Raster
 
DEF CON 27 - JEFF DILEO - evil e bpf in depth
Felipe Prado
 
Chapter 02 modified
Jugal Doshi
 
Ch5 process synchronization
Welly Dian Astika
 
Kafka replication apachecon_2013
Jun Rao
 
2016-jenkins-world-jenkins_and_load_sharing_facility_lsf_enables_rapid_delive...
Brian Vandegriend
 
Practical Windows Kernel Exploitation
zeroSteiner
 
Ad

More from Yue Chen (7)

PDF
KARMA: Adaptive Android Kernel Live Patching
Yue Chen
 
PDF
EncExec: Secure In-Cache Execution
Yue Chen
 
PDF
Ravel: Pinpointing Vulnerabilities
Yue Chen
 
PDF
Pinpointing Vulnerabilities (Ravel)
Yue Chen
 
PDF
Inside Parquet Format
Yue Chen
 
PDF
Inside HDFS Append
Yue Chen
 
PDF
How Impala Works
Yue Chen
 
KARMA: Adaptive Android Kernel Live Patching
Yue Chen
 
EncExec: Secure In-Cache Execution
Yue Chen
 
Ravel: Pinpointing Vulnerabilities
Yue Chen
 
Pinpointing Vulnerabilities (Ravel)
Yue Chen
 
Inside Parquet Format
Yue Chen
 
Inside HDFS Append
Yue Chen
 
How Impala Works
Yue Chen
 

Recently uploaded (20)

PDF
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
PDF
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
IJCNCJournal
 
PDF
Well-logging-methods_new................
ZafriFarid
 
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
PPTX
Construction Project Organization Group 2.pptx
vj5agdales
 
PPTX
Current and future trends in Computer Vision.pptx
Subramanyam Natarajan
 
PPTX
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
PPTX
UNIT 4 Total Quality Management .pptx
gokuld13012005
 
PDF
Level 2 – IBM Data and AI Fundamentals (1)_v1.1.PDF
KSRIHARISASANKA
 
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
PPTX
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
PDF
PREDICTION OF DIABETES FROM ELECTRONIC HEALTH RECORDS
ijaia
 
PPT
Project quality management in manufacturing
BarMusaTetik
 
PDF
Human-AI Collaboration: Balancing Agentic AI and Autonomy in Hybrid Systems
ijccsa
 
PPTX
Safety Seminar civil to be ensured for safe working.
DILJEETKUMAR8
 
PPTX
Fundamentals of Mechanical Engineering.pptx
MdMowdudAhmed
 
PDF
Artificial Superintelligence (ASI) Alliance Vision Paper.pdf
SonaliPatil325517
 
PPTX
Fundamentals of safety and accident prevention -final (1).pptx
Palani kumar
 
PDF
Unit I ESSENTIAL OF DIGITAL MARKETING.pdf
Nitin Shelake
 
PDF
BIO-INSPIRED HORMONAL MODULATION AND ADAPTIVE ORCHESTRATION IN S-AI-GPT
ijaia
 
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
IJCNCJournal
 
Well-logging-methods_new................
ZafriFarid
 
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
Construction Project Organization Group 2.pptx
vj5agdales
 
Current and future trends in Computer Vision.pptx
Subramanyam Natarajan
 
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
UNIT 4 Total Quality Management .pptx
gokuld13012005
 
Level 2 – IBM Data and AI Fundamentals (1)_v1.1.PDF
KSRIHARISASANKA
 
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
PREDICTION OF DIABETES FROM ELECTRONIC HEALTH RECORDS
ijaia
 
Project quality management in manufacturing
BarMusaTetik
 
Human-AI Collaboration: Balancing Agentic AI and Autonomy in Hybrid Systems
ijccsa
 
Safety Seminar civil to be ensured for safe working.
DILJEETKUMAR8
 
Fundamentals of Mechanical Engineering.pptx
MdMowdudAhmed
 
Artificial Superintelligence (ASI) Alliance Vision Paper.pdf
SonaliPatil325517
 
Fundamentals of safety and accident prevention -final (1).pptx
Palani kumar
 
Unit I ESSENTIAL OF DIGITAL MARKETING.pdf
Nitin Shelake
 
BIO-INSPIRED HORMONAL MODULATION AND ADAPTIVE ORCHESTRATION IN S-AI-GPT
ijaia
 

Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

  • 1. Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu Florida State University Stony Brook University 6th ACM Conference on Data and Applications Security and Privacy, New Orleans, LA, USA
  • 2. Code Reuse Attack • Buffer Overflow -> Code Injection Attack
  • 3. Code Reuse Attack • Buffer Overflow -> Code Injection Attack – Defense: Data Execution Prevention (DEP) • Write XOR Execute
  • 4. Code Reuse Attack • Buffer Overflow -> Code Injection Attack – Defense: Data Execution Prevention (DEP) • Write XOR Execute • Return-oriented Programming Attack – Discover gadgets from existing code, chain them by ret instruction – Turing complete
  • 5. Code Reuse Attack Existing Code Chained Gadgets
  • 6. ASLR Address Space Layout Randomization Executable Library1 Library1 Executable
  • 9. Goal • Live randomization during runtime • Finer-grained randomization unit • Low performance overhead
  • 10. Remix Live basic block (BB) randomization within functions
  • 11. Remix Live basic block (BB) randomization within functions Advantages: No function pointer migration Good spatial locality
  • 12. Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A
  • 13. Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A After 0.86 seconds
  • 14. Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A After 0.86 seconds After 2.13 seconds
  • 15. Challenges • Chain randomized basic blocks together – Need extra space – Instruction update • Stale pointer migration
  • 16. Extra Space Case 1: Extra Jmp Basic Block 1 Basic Block 2 Basic Block 3 Jmp to BB1 (1) At the Beginning of a Function
  • 17. Extra Space Case 1: Extra Jmp Basic Block 1 Basic Block 2 Basic Block 3 Jmp to BB1 (1) At the Beginning of a Function (2) At the End of a Basic Block that does not end with instructions like Jmp/Ret mov … add … mov … mov … add … jle …
  • 18. Extra Space Case 2: Displacement Length Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Before Remix
  • 19. Extra Space Case 2: Displacement Length Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Jump to BB3 Before Remix After Remix
  • 20. Extra Space Case 2: Displacement Length One-byte displacement: jmp +0x10 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Jump to BB3 Four-byte displacement: jmp +0x00001000 Before Remix After Remix
  • 21. Extra Space Solution With Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement  Enough Space Guaranteed!
  • 22. Extra Space Solution With Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement  Enough Space Guaranteed! Without Source Code: Leverage existing NOP paddings: • Function alignment • Loop alignment
  • 23. Instruction Update Q: Which instructions need updating ?
  • 24. Instruction Update Q: Which instructions need updating ? A: Control-flow related ones
  • 25. Instruction Update Two-step update (e.g., unconditional direct jmp): Basic Block 1 Basic Block 2 Basic Block 3 Original After BB Reordering Step one: Jumps to Original Address of BB 3 Step two: Jumps to Current Address of BB 3 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 2 Basic Block 3 jmp
  • 26. Instruction Update • Direct call: Step-one update • Indirect call: No update needed • Direct jump: Step-one and step-two update • Indirect jump: Discussed later • PC-relative addressing: Step-one update
  • 27. Indirect Jump • Jump to functions – Unmoved – PLT/GOT – Tail/Sibling Call • Jump to basic blocks – See next
  • 28. Basic Block Pointer Conversion • Why? - Migrate stale pointers to basic blocks, to ensure correctness
  • 29. Basic Block Pointer Conversion • Why? - Migrate stale pointers to basic blocks, to ensure correctness • Where? - Return address - Jump table (switch/case) - Saved context (e.g., setjmp/longjmp) - Kernel exception table …
  • 30. Optimization  Speed up randomization procedure: • Metadata Maintenance – Basic block information (e.g., location) – Code/data that need updating
  • 31. Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop
  • 32. Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Bundle
  • 33. Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Bundle Randomize
  • 34. Bundle Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 The bundling layout is different from time to time. – Unpredictable! Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Randomize
  • 35. Implementation • Compiler – Slightly modified LLVM • Linux userspace applications – Ptrace, an isolated small agent to perform the randomization • Freebsd kernel modules – smp_rendezvous
  • 36. Evaluation - Security • Finer-grained randomization: – Entropy boost • Live randomization during runtime: – Destroy discovered gadgets immediately Software Apache nginx lighttpd Average Basic Block Number per Function 15.3 18.8 14.4 Average NOP Space (bytes) per Function 19.3 26.2 22.1 Want more entropy? – Insert more NOP space!
  • 37. Evaluation - Performance SPEC CPU 2006 Performance Overhead
  • 38. Evaluation - Performance SPEC CPU 2006 Size Increase
  • 39. Evaluation - Performance Apache Web Server Performance Overhead (by ApacheBench) Randomization Time Interval Randomization time interval can be random !Performance depends on hardware speed.
  • 40. Evaluation - Performance ReiserFS Performance Overhead (by IOZone) Randomization Time Interval Randomization time interval can be random !Performance depends on hardware speed.
  • 41. Q&A