Measuring Attack Surface Reduction in the Presence of Code (Re-)Randomization
Just-in-time return-oriented programming (JIT-ROP) technique allows one to dynamically discover instruction pages and launch code reuse attacks, effectively bypassing most fine-grained address space layout randomization (ASLR) protection. However, in-depth questions regarding the impact of code (re-)randomization on code reuse attacks have not been studied. For example, how do starting pointers in JIT-ROP impact gadget availability?; how would one compute the re-randomization interval effectively to defeat JIT-ROP attacks? what impact do fine-grained randomization and re-randomization have on the Turing completeness of JIT-ROP payloads? We conduct a comprehensive measurement study on the effectiveness of fine-grained code randomization and re-randomization, with 5 tools, 13 applications, and 19 dynamic libraries. We provide methodologies to measure JIT-ROP gadget availability, quality, and their Turing completeness, as well as to empirically determine the upper bound of re-randomization intervals in re-randomization schemes. Experiments show that instruction reordering is the only fine-grained single-round randomization approach that thwarts current gadget finding techniques under the JIT-ROP threat model. Our results also show that the locations of leaked pointers used in JIT-ROP attacks have no impacts on gadget availability, suggesting high pointer-based connectivity among code pages.
READ FULL TEXT