Bibliography/os_hardening.bib

44 lines
6.5 KiB
BibTeX

@inproceedings{Barabosch2014,
title = "Host-based code injection attacks: A popular technique used by malware",
DOI = "10.1109/MALWARE.2014.6999410",
year = "2014",
booktitle = "2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)",
pages = "8--17",
author = "Barabosch, Thomas and Gerhards-Padilla, Elmar",
}
@INPROCEEDINGS{7546544, author={Snow, Kevin Z. and Rogowski, Roman and Werner, Jan and Koo, Hyungjoon and Monrose, Fabian and Polychronakis, Michalis}, booktitle={2016 IEEE Symposium on Security and Privacy (SP)}, title={Return to the Zombie Gadgets: Undermining Destructive Code Reads via Code Inference Attacks}, year={2016}, volume={}, number={}, pages={954-968}, abstract={The concept of destructive code reads is a new defensive strategy that prevents code reuse attacks by coupling fine-grained address space layout randomization with a mitigation for online knowledge gathering that destroys potentially useful gadgets as they are disclosed by an adversary. The intuition is that by destroying code as it is read, an adversary is left with no usable gadgets to reuse in a control-flow hijacking attack. In this paper, we examine the security of this new mitigation. We show that while the concept initially appeared promising, there are several unforeseen attack tactics that render destructive code reads ineffective in practice. Specifically, we introduce techniques for leveraging constructive reloads, wherein multiple copies of native code are loaded into a process' address space (either side-by-side or one-after-another). Constructive reloads allow the adversary to disclose one code copy, destroying it in the process, then use another code copy for their code reuse payload. For situations where constructive reloads are not viable, we show that an alternative, and equally powerful, strategy exists: leveraging code association via implicit reads, which allows an adversary to undo in-place code randomization by inferring the layout of code that follows already disclosed bytes. As a result, the implicitly learned code is not destroyed, and can be used in the adversary's code reuse attack. We demonstrate the effectiveness of our techniques with concrete instantiations of these attacks against popular applications. In light of our successes, we argue that the code inference strategies presented herein paint a cautionary tale for defensive approaches whose security blindly rests on the perceived inability to undo the application of in-place randomization.}, keywords={}, doi={10.1109/SP.2016.61}, ISSN={2375-1207}, month={May},}
@InProceedings{10.1007/978-3-319-62105-0_10,
author="Morton, Micah
and Koo, Hyungjoon
and Li, Forrest
and Snow, Kevin Z.
and Polychronakis, Michalis
and Monrose, Fabian",
editor="Bodden, Eric
and Payer, Mathias
and Athanasopoulos, Elias",
title="Defeating Zombie Gadgets by Re-randomizing Code upon Disclosure",
booktitle="Engineering Secure Software and Systems",
year="2017",
publisher="Springer International Publishing",
address="Cham",
pages="143--160",
abstract="Over the past few years, return-oriented programming (ROP) attacks have emerged as a prominent strategy for hijacking control of software. The full power and flexibility of ROP attacks was recently demonstrated using just-in-time ROP tactics (JIT-ROP), whereby an adversary repeatedly leverages a memory disclosure vulnerability to identify useful instruction sequences and compile them into a functional ROP payload at runtime. Since the advent of just-in-time code reuse attacks, numerous proposals have surfaced for mitigating them, the most practical of which involve the re-randomization of code at runtime or the destruction of gadgets upon their disclosure. Even so, several avenues exist for performing code inference, which allows JIT-ROP attacks to infer values at specific code locations without directly reading the memory contents of those bytes. This is done by reloading code of interest or implicitly determining the state of randomized code. These so-called ``zombie gadgets'' completely undermine defenses that rely on destroying code bytes once they are read. To mitigate these attacks, we present a low-overhead, binary-compatible defense which ensures an attacker is unable to execute gadgets that were identified through code reloading or code inference. We have implemented a prototype of the proposed defense for closed-source Windows binaries, and demonstrate that our approach effectively prevents zombie gadget attacks with negligible runtime overhead.",
isbn="978-3-319-62105-0"
}
@Article{app9142928,
AUTHOR = {Marco-Gisbert, Hector and Ripoll Ripoll, Ismael},
TITLE = {Address Space Layout Randomization Next Generation},
JOURNAL = {Applied Sciences},
VOLUME = {9},
YEAR = {2019},
NUMBER = {14},
ARTICLE-NUMBER = {2928},
URL = {https://www.mdpi.com/2076-3417/9/14/2928},
ISSN = {2076-3417},
ABSTRACT = {Systems that are built using low-power computationally-weak devices, which force developers to favor performance over security; which jointly with its high connectivity, continuous and autonomous operation makes those devices specially appealing to attackers. ASLR (Address Space Layout Randomization) is one of the most effective mitigation techniques against remote code execution attacks, but when it is implemented in a practical system its effectiveness is jeopardized by multiple constraints: the size of the virtual memory space, the potential fragmentation problems, compatibility limitations, etc. As a result, most ASLR implementations (specially in 32-bits) fail to provide the necessary protection. In this paper we propose a taxonomy of all ASLR elements, which categorizes the entropy in three dimensions: (1) how, (2) when and (3) what; and includes novel forms of entropy. Based on this taxonomy we have created, ASLRA, an advanced statistical analysis tool to assess the effectiveness of any ASLR implementation. Our analysis show that all ASLR implementations suffer from several weaknesses, 32-bit systems provide a poor ASLR, and OS X has a broken ASLR in both 32- and 64-bit systems. This is jeopardizing not only servers and end users devices as smartphones but also the whole IoT ecosystem. To overcome all these issues, we present ASLR-NG, a novel ASLR that provides the maximum possible absolute entropy and removes all correlation attacks making ASLR-NG the best solution for both 32- and 64-bit systems. We implemented ASLR-NG in the Linux kernel 4.15. The comparative evaluation shows that ASLR-NG overcomes PaX, Linux and OS X implementations, providing strong protection to prevent attackers from abusing weak ASLRs.},
DOI = {10.3390/app9142928}
}