Dynamic Detection of Address Leaks

  • Gabriel Silva Quadros UFMG
  • Rafael M. Souza UFMG
  • Fernando Magno Quintão Pereira UFMG

Abstract

An address leak is a software vulnerability that allows an adversary to discover where a program is loaded in memory. Although seemingly harmless, this information gives the adversary the means to circumvent two widespread protection mechanisms: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). In this paper we show, via an example, how an address leak can be exploited to take control of a remote server running on an operating system protected by ASLR and DEP. We then present a code instrumentation framework that hinders address disclosure at runtime. Finally, we use a static analysis to prove that parts of the program do not need to be instrumented, thus reducing the instrumentation overhead. We claim in this paper that the combination of the static and dynamic analyses provides a reliable and practical way to secure software against address leaks.
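To make the abstract's static-plus-dynamic combination concrete, here is an added Python mock-up (not the paper's code, and not its LLVM-based instrumentation): a static pre-pass computes which variables of a constructed three-address program can ever derive from an address-taking operation, and the runtime monitor then performs taint bookkeeping only on instructions touching those variables, reporting an output of a tainted value as a leak. The mini-IR, the variable names and the fake base address are assumptions made for the example.

```python
# Constructed three-address mini-IR: (op, dest, args). Ops:
#   const x, k      x = k          (an integer literal, never an address)
#   addr  x, sym    x = &sym       (address source: the taint origin)
#   add   x, a, b   x = a + b      (taint propagates from either operand)
#   out   -, a      a is written to the terminal/network (the sink)
FAKE_BASE = 0x7F0000000000  # constructed stand-in for a randomized load base

def static_may_hold_address(prog):
    """Static pre-pass: forward fixed-point propagation. Returns the set of
    variables that may transitively derive from an 'addr' instruction; every
    other variable provably never carries an address, so it needs no checks."""
    may = set()
    changed = True
    while changed:
        changed = False
        for op, dest, args in prog:
            if op == 'out':
                continue
            derived = op == 'addr' or any(a in may for a in args if isinstance(a, str))
            if derived and dest not in may:
                may.add(dest)
                changed = True
    return may

def run_instrumented(prog, may):
    """Dynamic monitor: taint bookkeeping only for instructions that touch a
    may-hold-address variable. Returns (leaks, instrumented_instruction_count);
    a leak is (instruction index, variable) for an 'out' of a tainted value."""
    env, taint, leaks, instrumented = {}, {}, [], 0
    for i, (op, dest, args) in enumerate(prog):
        touches = dest in may or any(a in may for a in args if isinstance(a, str))
        if touches:
            instrumented += 1
        if op == 'const':
            env[dest] = args[0]
        elif op == 'addr':
            env[dest] = FAKE_BASE + 16 * i          # constructed address value
            taint[dest] = True
        elif op == 'add':
            vals = [env[a] if isinstance(a, str) else a for a in args]
            env[dest] = vals[0] + vals[1]
            if touches:                             # uninstrumented: no taint state kept
                taint[dest] = any(taint.get(a, False) for a in args if isinstance(a, str))
        elif op == 'out':
            if touches and taint.get(args[0], False):
                leaks.append((i, args[0]))
    return leaks, instrumented

PROG = [                        # constructed sample program
    ('const', 'n', (42,)),
    ('addr',  'p', ('buf',)),   # p = &buf
    ('add',   'q', ('p', 8)),   # pointer arithmetic keeps the taint
    ('add',   'm', ('n', 1)),   # pure integer arithmetic, never an address
    ('out',   None, ('m',)),    # harmless output
    ('out',   None, ('q',)),    # address leak
]
```

With the static pre-pass, only three of the six instructions are instrumented, yet the leak at the last `out` is still caught; passing every variable as "may hold an address" reports the same leak but instruments all six.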

Published: 2012-11-19

QUADROS, Gabriel Silva; SOUZA, Rafael M.; PEREIRA, Fernando Magno Quintão. Dynamic Detection of Address Leaks. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 12., 2012, Curitiba. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2012. p. 44-57. DOI: https://doi.org/10.5753/sbseg.2012.20535.
