Address-Space Randomization for Windows Systems
Total Page:16
File Type:pdf, Size:1020Kb
Address-Space Randomization for Windows Systems∗ Lixin Li and JamesE.Just R.Sekar Global InfoTek, Inc., Reston, VA Stony Brook University, Stony Brook, NY {nli,jjust}@globalinfotek.com [email protected] Abstract Wehntrust [21] and Ozone [20]. In addition, Windows Address-space randomization (ASR) is a promising Vista is going to be shipped with a limited implemen- solution to defend against memory corruption attacks tation of ASR [9]. However, these products suffer from that have contributed to about three-quarters of US- one or more of the following drawbacks: CERT advisories in the past few years. Several tech- • Insufficient range of randomization. Windows Vista niques have been proposed for implementing ASR on randomizes base addresses over a range of 256 possi- Linux, but its application to Microsoft Windows, the ble values. This level of randomization is hardly suf- largest monoculture on the Internet, has not received ficient to defeat targeted attacks: the attacker simply as much attention. We address this problem in this pa- needs to try their attack an average of 128 times be- per and describe a solution that provides about 15-bits fore succeeding. This isn’t likely to significantly slow of randomness in the locations of all (code or data) ob- down self-replicating worms either. Wehntrust and jects. Our randomization is applicable to all processes Ozone provide more randomization, but significantly on a Windows box, including all core system services, less than that of DAWSON in some memory regions as well as applications such as web browsers, office ap- such as the stack. plications, and so on. Our solution has been deployed • Incomplete randomization. Often, only a subset continuously for about a year on a desktop system used of memory regions are randomized. For instance, daily, and is robust enough for production use. Wehntrust does not randomize some memory regions. With Ozone, no information is available beyond the 1 Introduction fact that the stack and the DLLs are randomized. An overwhelming majority of security advisories from Unfortunately, if the address of any writable memory US CERT in recent years has been attributed to mem- region is predictable, the attacker can modify their ory corruption attacks. Typically, these attacks en- attack so as to inject code into this region and ex- able a remote attacker to execute arbitrary code on ecute it. Therefore, DAWSON randomizes all such the victim system, thereby providing a mechanism for memory regions. self-propagating worms, installation of backdoors (in- • Lack of detailed analysis. With Wehntrust and cluding “bot” software), spyware, or rootkits. Address- Ozone, even the most basic information about their space randomization (ASR) [16, 3, 23, 4] provides a implementation (e.g., the complete list of memory general defense against memory corruption attacks. regions that are randomized) isn’t available. As a Although several ASR techniques have been described result, one cannot independently analyze or evalu- for Linux [16, 3, 23, 4], to the best of our knowledge, ate the quality of protection provided by them. In there hasn’t been any previous work describing ASR contrast, we provide a detailed analytical as well as for the largest monoculture on the Internet, namely, experimental evaluation of DAWSON. the Microsoft Windows platform. We address this 1.1 Contributions of this paper problem, and describe a system called DAWSON (“Di- versity Algorithms for Worrisome SOftware and Net- • Development of practical techniques for real- works”) that provides about 15-bits of randomness in izing ASR on Windows. The architecture of Win- the locations of all code or data. dows is quite different from UNIX, and poses several In parallel with our work, some commercial prod- unique challenges that necessitate the development ucts for Windows ASR have begun to emerge, namely, of new techniques for realizing randomization. Some of these challenges are: ∗This work was partially funded by Defense Advanced Research Project Agency under contract FA8750-04-C-0244. – Difficulty of relocating critical DLLs. Security- Sekar’s work was also supported in part by an ONR grant critical DLLs such as ntdll and kernel32 are N000140110967 and NSF grants CNS-0208877 and CCR- 0205376. The views and conclusions contained in this document mapped to a fixed memory location by Windows are those of the authors and should not be interpreted as rep- very early in the boot process. Since most of the resenting the official policies, either expressed or implied, of the Defense Advanced Research Project Agency, NSF, ONR, or the APIs targeted by attack code, including all of the U.S. Government. system calls, reside in these DLLs, we needed to Figure 1. Memory Error Exploits. develop techniques to relocate these DLLs. of DAWSON with previous work in Section 3. Our – Lack of access to OS or application source code. technical approach is described in Section 4, followed This means that the primary approach used by by analytical and experimental evaluation in Sections 5 Linux ASR implementations, namely, modification and 6 respectively. Finally, concluding remarks appear of the kernel source, is not an option on Windows. in Section 7. – Lack of UNIX-style shared libraries. In UNIX, dynamically loaded libraries contain position- 2 ASR and Memory Corruption Attacks independent code, which allows them to be shared even if they are loaded at different addresses by dif- Intuitively, a memory error occurs in C programs when ferent processes. In contrast, Windows DLLs need the object accessed via a pointer expression is different to be stored at the same memory address by all from its referent, i.e., the object intended by the pro- processes that share a single copy of the DLL. grammer. Memory errors are classified into spatial and • temporal errors. Temporal errors occur when a pointer Robust implementation. DAWSON applies ASR is dereferenced beyond the lifetime of its referent, e.g., to all Windows services, as well as user applications. access to freed (or reallocated) memory. Security ex- We have had this system running on a production ploits haven’t targeted temporal errors, and indeed, it laptop installed with Windows XP, Office, and SQL is unclear how they can be used in attacks. Conse- and IIS servers. In addition to the standard set quently, security research has focused on spatial errors, of OS services and applications, we have routinely which are caused by (a) dereferencing a pointer that used Office applications, Windows development tools holds a value outside of the bounds of its referent, or (MSVC, .Net, etc.), SQL and IIS servers, and web (b) dereferencing a non-pointer or a corrupted pointer browsers (e.g., IE and Firefox), and haven’t experi- value. enced any compatibility or robustness issues. Perfor- mance overhead of DAWSON is typically under 5%. Figure 1 classifies spatial memory error exploits based on whether pointer corruption is involved or not; • Analytical evaluation of effectiveness. We de- and if so, whether the corrupted pointer refers to a data velop a classification of memory corruption attacks, or code object; and if this object holds values provided and use it subsequently to compare previous works. (“injected”) by the attacker or values already existing We then provide a detailed analytical evaluation of in victim process memory. Within “pointer corruption our approach and provide estimates of success prob- attacks,” we include attacks that corrupt values used abilities for various types of attacks. in address computation, e.g., an integer value used as • Experimental evaluation. We have evaluated the an array subscript. ability of DAWSON to defeat memory corruption at- Absolute address randomization (AAR), used in tacks using 5 real-world exploits, as well as a range [16, 3, 23], randomizes the absolute memory address of sophisticated memory corruption attacks on a syn- of various code and data objects, but the relative dis- thetic application. tances between objects aren’t randomized. AAR blocks 1.2 Paper Organization pointer corruption attacks, since the attacker is no longer able to predict the object that will be refer- We begin with a classification of memory corruption enced by a corrupted pointer value. For instance, a attacks in Section 2 and describe the strengths and stack-smashing attack involves overwriting the return weaknesses of ASR in defending against these attacks. address on the stack with a value that points to a buffer With this background, we then provide a comparison variable used to hold attacker-provided data. The lo- cation of this variable becomes unpredictable in the limitation can totally undermine the effectiveness of presence of AAR, thus defeating the attack. AAR, as we describe below. If a code region S is not Relative address randomization (RAR) techniques randomized, then the attacker can execute a return-to- [4] randomize inter-object distances as well, and hence existing code attack into S. Of particular relevance in can defeat non-pointer attacks. DAWSON imple- Windows is the common use of the instruction sequence ments only AAR, and hence addresses only the pointer- jmp esp which causes a control-transfer to the top of corruption attacks (4 of the 5 categories shown in Fig- the stack. During attacks, it is common for the top of ure 1). In practice, AAR is very effective since mem- the stack to contain attacker provided data. Thus, this ory error exploits reported so far have been based on instruction sequence allows for execution of injected pointer corruption. code. Any unrandomized writable section W poses a ma- 2.1 Limitations of AAR jor threat, as it is possible to mount a 2-step attack as We list the known limitations of ASR here, referring follows. In the first step, the attacker injects a short the reader to previous works such as [3] for details.