What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon

Ping Chen; Jun Xu; Zhisheng Hu; Xinyu Xing; Minghui Zhu; Bing Mao; Peng Liu

doi:10.1109/DSN.2017.47

What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon

Ping Chen, Jun Xu, Zhisheng Hu, Xinyu Xing, Minghui Zhu, Bing Mao, Peng Liu

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Scopus citations

Abstract

Address space randomization has long been used for counteracting code reuse attacks, ranging from conventional ROP to sophisticated Just-in-Time ROP. At the high level, it shuffles program code in memory and thus prevents malicious ROP payload from performing arbitrary operations. While effective in mitigating attacks, existing randomization mechanisms are impractical for real-world applications and systems, especially considering the significant performance overhead and potential program corruption incurred by their implementation. In this paper, we introduce CHAMELEON, a practical defense mechanism that hinders code reuse attacks, particularly Just-in-Time ROP attacks. Technically speaking, CHAMELEON instruments program code, randomly shuffles code page addresses and minimizes the attack surface exposed to adversaries. While this defense mechanism follows in the footprints of address space randomization, our design principle focuses on using randomization to obstruct code page disclosure, making the ensuing attacks infeasible. We implemented a prototype of CHAMELEON on Linux operating system and extensively experimented it in different settings. Our theoretical and empirical evaluation indicates the effectiveness and efficiency of CHAMELEON in thwarting Just-in-Time ROP attacks.

Original language	English (US)
Title of host publication	Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	451-462
Number of pages	12
ISBN (Electronic)	9781538605417
DOIs	https://doi.org/10.1109/DSN.2017.47
State	Published - Aug 30 2017
Event	47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017 - Denver, United States Duration: Jun 26 2017 → Jun 29 2017

Publication series

Name	Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017

Conference

Conference	47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017
Country/Territory	United States
City	Denver
Period	6/26/17 → 6/29/17

Funding

IX. ACKNOWLEDGEMENT We would like to thank Jun Wang and Yu Hou for their valuabletechnical supports, and professor Zhiqiang Lin for his valuablecomments on this paper. This work was supported by ARO W911NF-13-1-0421 (MURI), NSF CNS-1422594, NSF CNS-1505664, and Chinese National Natural Science Foundation (NSFC 61073027, NSFC 61272078, NSFC 61321491).

Keywords

Address space randomization
JIT-ROP
OS kernel
binary instrumentation

ASJC Scopus subject areas

Hardware and Architecture
Computer Networks and Communications
Safety, Risk, Reliability and Quality

Access to Document

10.1109/DSN.2017.47

Cite this

Chen, P., Xu, J., Hu, Z., Xing, X., Zhu, M., Mao, B., & Liu, P. (2017). What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon. In Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017 (pp. 451-462). Article 8023144 (Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DSN.2017.47

Chen, Ping ; Xu, Jun ; Hu, Zhisheng et al. / What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon. Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017. Institute of Electrical and Electronics Engineers Inc., 2017. pp. 451-462 (Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017).

@inproceedings{7dc2833bbb6c43e4a57643f62c5bee14,

title = "What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon",

abstract = "Address space randomization has long been used for counteracting code reuse attacks, ranging from conventional ROP to sophisticated Just-in-Time ROP. At the high level, it shuffles program code in memory and thus prevents malicious ROP payload from performing arbitrary operations. While effective in mitigating attacks, existing randomization mechanisms are impractical for real-world applications and systems, especially considering the significant performance overhead and potential program corruption incurred by their implementation. In this paper, we introduce CHAMELEON, a practical defense mechanism that hinders code reuse attacks, particularly Just-in-Time ROP attacks. Technically speaking, CHAMELEON instruments program code, randomly shuffles code page addresses and minimizes the attack surface exposed to adversaries. While this defense mechanism follows in the footprints of address space randomization, our design principle focuses on using randomization to obstruct code page disclosure, making the ensuing attacks infeasible. We implemented a prototype of CHAMELEON on Linux operating system and extensively experimented it in different settings. Our theoretical and empirical evaluation indicates the effectiveness and efficiency of CHAMELEON in thwarting Just-in-Time ROP attacks.",

keywords = "Address space randomization, JIT-ROP, OS kernel, binary instrumentation",

author = "Ping Chen and Jun Xu and Zhisheng Hu and Xinyu Xing and Minghui Zhu and Bing Mao and Peng Liu",

note = "Publisher Copyright: {\textcopyright} 2017 IEEE.; 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017 ; Conference date: 26-06-2017 Through 29-06-2017",

year = "2017",

month = aug,

day = "30",

doi = "10.1109/DSN.2017.47",

language = "English (US)",

series = "Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "451--462",

booktitle = "Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017",

address = "United States",

}

Chen, P, Xu, J, Hu, Z, Xing, X, Zhu, M, Mao, B & Liu, P 2017, What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon. in Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017., 8023144, Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017, Institute of Electrical and Electronics Engineers Inc., pp. 451-462, 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017, Denver, United States, 6/26/17. https://doi.org/10.1109/DSN.2017.47

What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon. / Chen, Ping; Xu, Jun; Hu, Zhisheng et al.
Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017. Institute of Electrical and Electronics Engineers Inc., 2017. p. 451-462 8023144 (Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon

AU - Chen, Ping

AU - Xu, Jun

AU - Hu, Zhisheng

AU - Xing, Xinyu

AU - Zhu, Minghui

AU - Mao, Bing

AU - Liu, Peng

PY - 2017/8/30

Y1 - 2017/8/30

N2 - Address space randomization has long been used for counteracting code reuse attacks, ranging from conventional ROP to sophisticated Just-in-Time ROP. At the high level, it shuffles program code in memory and thus prevents malicious ROP payload from performing arbitrary operations. While effective in mitigating attacks, existing randomization mechanisms are impractical for real-world applications and systems, especially considering the significant performance overhead and potential program corruption incurred by their implementation. In this paper, we introduce CHAMELEON, a practical defense mechanism that hinders code reuse attacks, particularly Just-in-Time ROP attacks. Technically speaking, CHAMELEON instruments program code, randomly shuffles code page addresses and minimizes the attack surface exposed to adversaries. While this defense mechanism follows in the footprints of address space randomization, our design principle focuses on using randomization to obstruct code page disclosure, making the ensuing attacks infeasible. We implemented a prototype of CHAMELEON on Linux operating system and extensively experimented it in different settings. Our theoretical and empirical evaluation indicates the effectiveness and efficiency of CHAMELEON in thwarting Just-in-Time ROP attacks.

AB - Address space randomization has long been used for counteracting code reuse attacks, ranging from conventional ROP to sophisticated Just-in-Time ROP. At the high level, it shuffles program code in memory and thus prevents malicious ROP payload from performing arbitrary operations. While effective in mitigating attacks, existing randomization mechanisms are impractical for real-world applications and systems, especially considering the significant performance overhead and potential program corruption incurred by their implementation. In this paper, we introduce CHAMELEON, a practical defense mechanism that hinders code reuse attacks, particularly Just-in-Time ROP attacks. Technically speaking, CHAMELEON instruments program code, randomly shuffles code page addresses and minimizes the attack surface exposed to adversaries. While this defense mechanism follows in the footprints of address space randomization, our design principle focuses on using randomization to obstruct code page disclosure, making the ensuing attacks infeasible. We implemented a prototype of CHAMELEON on Linux operating system and extensively experimented it in different settings. Our theoretical and empirical evaluation indicates the effectiveness and efficiency of CHAMELEON in thwarting Just-in-Time ROP attacks.

KW - Address space randomization

KW - JIT-ROP

KW - OS kernel

KW - binary instrumentation

UR - http://www.scopus.com/inward/record.url?scp=85031667168&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85031667168&partnerID=8YFLogxK

U2 - 10.1109/DSN.2017.47

DO - 10.1109/DSN.2017.47

M3 - Conference contribution

AN - SCOPUS:85031667168

T3 - Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017

SP - 451

EP - 462

BT - Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017

Y2 - 26 June 2017 through 29 June 2017

ER -

Chen P, Xu J, Hu Z, Xing X, Zhu M, Mao B et al. What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon. In Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017. Institute of Electrical and Electronics Engineers Inc. 2017. p. 451-462. 8023144. (Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017). doi: 10.1109/DSN.2017.47

What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon

Abstract

Publication series

Conference

Funding

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this