Mitigation of Advanced Code Reuse Attacks
The threat posed by advanced Code-Reuse Attacks (CRAs) (e.g., COOP, Recursive-COOP, Subversive-C, etc.) is on the rise. CRAs, (a type of control-flow hijacking attacks), are ranked by NVD, OSVDB and Security Focus as having the highest security threat of all software-based attacks, see Tables 3 and 4 in [Oliveira et al., IFIP SEC'16] paper.
Advanced CRAs are particularly hard to defend against since: 1) classical symbolic execution based techniques (e.g., static/dynamic/hybrid) for bug detection have difficulties to scale (e.g., path explosion, variable explosion, program-dependent efficacy, environment interactions, etc.) and find all potential program memory corruptions, 2) traditional coarse-grained Control Flow Integrity (CFI) approaches have been rendered useless (see, Microsoft, Control Flow Guard), and 3) hardware-based shadows stacks (see, Intel Control-flow Enforcement) are useless since advanced CRAs do not violate the caller/return address calling convention.
Thus, we want to develop tools based on novel techniques which can mitigate these types of attacks. We basically want to mitigate these attacks in two ways. First, we want to analyze source code statically with the help of symbolic execution and SMT in order to detect/fix bug types which are most commonly causing memory corruptions (a) errors (e.g., integer overflows and buffer overflows)*. Notice that memory corruptions can manifest without the presence of (*). Second, the source/binary code of a program can be hardened with fine-grained CFI checks such that the attack surface will be considerably reduced or even removed.
In the past, we successfully developed techniques that use symbolic code execution, with Satisfiability Modulo Theories (SMT), in order to identify and automatically patch the most common bugs which can cause memory corruptions in C/C++ source code (i.e., integer and buffer overflows):
- automatic detection of integer overflows in C code, see [Muntean et al., ISSA'15].
- automatic repair of buffer overflows in C code, see [Muntean et al., SAFECOMP'15].
- automatic repair of integer overflows in C code accross multiple precissions, see [Muntean et al., tba].
In our current research, we want to develop new techniques to mitigate advanced CRAs. Some current research directions are:
- binary hardening techniques used during program loading/or before (e.g., using DynInst, IDAPro, PIN, to insert CFI based checks at caller/callee pairs, etc.)
- source code hardening by recompilation (e.g., using LLVM and GCC refinement passes, etc.)
- run-time based techniques (e.g., using binary hardening with hardware support, etc.)
- Advanced Code-Reuse Attacks formalization in order to precisely measure (quantitatively and qualitatively) the attack surface reduction before and after a program was hardened against such an attack.
In conclusion, our research goal is to develop new user space tools, based on novel techniques which can be used during coding and after the release phase, in order to harden or protect against advanced CRAs.
Researcher(s): Paul Muntean, Peng Xu