Profile-guided Automated Software Diversity
Andrei Homescu, Steven Neisius, Per Larsen, Stefan Brunthaler, Michael Franz
University of California, Irvine
International Symposium on Code Generation and Optimization, 2013
Homescu, Neisius, Larsen, Brunthaler, Franz Profile-guided Automated Software Diversity 1/32
Motivation
Overview
Synopsis
Code-reuse attacks are hard to defeat.
Diversity makes code-reuse nearly impossible.
Unfortunately, there is considerable overhead.
Motivation
Code-reuse Attacks
History of Code Reuse Attacks
Initially: Attacker writes to memory and diverts flow control.
Then: W⊕X prevents code injection.
Now: Attacker strings code gadgets together.
What are Gadgets?
Valid x86 code.
Any length.
Ends with a free branch.
Primary Source of Code-reuse Attacks
Attacker has the program code.
(Figure; label: Developer)
Code-reuse Attack Example
(Figure only)
Ultimate Defense
"The ultimate defense is to drive the complexity of the ultimate attack up so high that the cost of attack is too high to be worth performing."
Operating system protection through program evolution. F. Cohen, 1993.
Motivation
Software Diversity
How We Diversify
Multicompiler, built on LLVM
NOP Insertion
Before Diversification:
  89 11    MOV [ECX], EDX
  01 c3    ADD EBX, EAX
  ...      ...
  Gadget (decoding from the second byte, 11 01 c3): ADC [ECX], EAX ; RET
After NOP Insertion:
  89 11    MOV [ECX], EDX
  90       NOP
  01 c3    ADD EBX, EAX
  ...      ...
  Gadget: Removed (the inserted 90 byte changes the unintended decoding, so the ADC ; RET sequence no longer exists)
NOP insertion is most effective.
(Breaks 99.99% of gadgets)
NOP Insertion
(Figure: bar chart of Slowdown % (y-axis, 0 to 25) per Benchmark (x-axis: 400.perlbench, 401.bzip2, 403.gcc, 429.mcf, 433.milc, 444.namd, 445.gobmk, 447.dealII, 450.soplex, 453.povray, 456.hmmer, 458.sjeng, 462.libquantum, 464.h264ref, 470.lbm, 471.omnetpp, 473.astar, 482.sphinx3, 483.xalancbmk, Geometric Mean); two series: pNOP=50% and pNOP=30%)
Highest performance impact.
(Overhead up to 25%)
Contribution
Profile-guided Diversity
Profile-guided Optimization
Traditionally used to direct more aggressive optimization on hot code.
The majority of run-time is spent in a small portion of the code.
The majority of the diversity overhead is from a small portion of the code.
No, this will not make exploits run faster.
Insertion Probability
(Figure, two plots over code ordered from Cold to Hot: execution counts, rising from 0 to x_max; NOPs inserted, a flat line at p_NOP for uniform insertion, falling from p_max to p_min for profile-guided insertion)

foo();
for (int i = 0; i < 100; i++) {
  bar();
  for (int i = 0; i < 100; i++) {
    baz();
  }
}

$$p_{NOP}(x) = p_{max} - (p_{max} - p_{min}) \frac{\log(1 + x)}{\log(1 + x_{max})}$$
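As an added example (not the authors' multicompiler code), the following Python script implements the p_NOP(x) formula above over a constructed profile of the slide's foo/bar/baz program and compares the expected run-time NOP overhead with uniform insertion. The values p_max = 50% and p_min = 5%, the execution counts, and the block/instruction names are assumptions.

```python
import math
import random

# Added example, not the authors' multicompiler code.

def p_nop(x, x_max, p_max=0.5, p_min=0.05):
    """p_NOP(x) = p_max - (p_max - p_min) * log(1+x) / log(1+x_max).
    x is a basic block's execution count; cold code (x = 0) gets p_max,
    the hottest block (x = x_max) gets p_min."""
    if x_max <= 0:               # no profile data: treat everything as cold
        return p_max
    x = min(max(x, 0), x_max)    # clamp counts outside the profiled range
    return p_max - (p_max - p_min) * math.log1p(x) / math.log1p(x_max)

def insertion_probabilities(profile, p_max=0.5, p_min=0.05):
    """Map each block name to its NOP probability; x_max is the hottest count."""
    x_max = max(profile.values())
    return {b: p_nop(c, x_max, p_max, p_min) for b, c in profile.items()}

def dynamic_nop_fraction(profile, probs):
    """Expected NOPs executed per original instruction executed: a proxy
    for the run-time overhead the profile-guided scheme aims to reduce."""
    total = sum(profile.values())
    return sum(c * probs[b] for b, c in profile.items()) / total

def diversify(instrs, probs, seed):
    """instrs: list of (block, instruction). Emit a NOP before an
    instruction with probability probs[block]; the seed selects the variant."""
    rng = random.Random(seed)
    out = []
    for block, ins in instrs:
        if rng.random() < probs[block]:
            out.append((block, "NOP"))
        out.append((block, ins))
    return out

# Constructed profile of the slide's example program (hypothetical counts):
# foo() runs once, bar() 100 times, baz() 100 * 100 times.
PROFILE = {"foo": 1, "bar": 100, "baz": 10_000}
PROGRAM = [("foo", "call foo"), ("bar", "call bar"), ("baz", "call baz")]

if __name__ == "__main__":
    probs = insertion_probabilities(PROFILE)
    for b, p in probs.items():
        print(f"{b}: x={PROFILE[b]:>6} p_NOP={p:.3f}")
    uniform = {b: 0.5 for b in PROFILE}
    print("dynamic NOP fraction, uniform 50%:", dynamic_nop_fraction(PROFILE, uniform))
    print("dynamic NOP fraction, profile-guided:", round(dynamic_nop_fraction(PROFILE, probs), 3))
    print(diversify(PROGRAM, probs, seed=1))
```

With this profile the cold foo block keeps roughly a 47% NOP rate while the hot baz block drops to 5%, so the expected fraction of executed NOPs falls from 50% to about 5%.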