ARM? is the prevalent processor architecture for embedded and mobile applications. For the smartphones, it is the processor for which software applications are running, whether the platform is with Apple’s iOS or Google’s Android. Software operations under these platforms are prone to semantic gap, which refers to potential difference between intended operations described in software and actual operations done by processor. Attacks that compromise program control flows, which result in these mantic gaps, are a major attack type in modern software attacks. Many recent software protection schemes for servers and desktops focus on protecting program control flows, but there are little protection tools available for protecting program control flows of mobile applications for ARM processor architecture. This paper uses a program counter (PC) encoding technique (PC-Encoding) to harden program control flows under ARM processor architecture. The PC-Encoding directly encodes control flow target addresses that will load into the PC. It is simple and intuitive to implement and incur little overhead. Encoding the control flow target addresses can minimize the semantic gap by preventing potential compromises of the control flows. This paper describes our efforts of implementing PC-Encoding to harden portable binaries in ELF (Executable and Linkable Format).
References
[1]
Ahn, Y.-J., Lee, Y., Choi, J. and Lee, G. (2014) Countering Code Injection Attack at TLB Miss IEEE Computer, 47, 66-72. https://doi.org/10.1109/MC.2013.228
[2]
Microsoft. A Detailed Description of the Data Execution Prevention (DEP) Feature in Windows XP Service Pack 2,Windows XP Tablet PC Edition 2005, and Windows Server 2003. https://support.microsoft.com/en-us/kb/875352
[3]
Park, Y.J., Zhang, Z. and Lee, G. (2006) Micro-Architectural Protection against Buffer Overflow Attack. IEEE Micro, 26, 62-71.
https://doi.org/10.1109/MM.2006.76
[4]
Red Hat. New Security Enhancements in Red Hat Enterprise Linux v.3, update3.
http://h10032.www1.hp.com/ctg/Manual/c00387685.pdf
[5]
Roemer, R., Buchanan, E., Shacham, H. and Savage, S. (2012) Return-Oriented Programing: Systems, Languages, and Applications. ACM Transactions on Information and System Security, 15, 2:1-2:34.
[6]
Bletsch, T., Jiang, X., Freeh, V.W. and Liang, Z. (2011) Jump-Oriented Programming: A New Class of Codereuse Attack. Proceedings of the 6th ASIACCS, pp. 30-40, March. https://doi.org/10.1145/1966913.1966919
[7]
Buchanan, E., Roemer, R., Shacham, H. and Savage, S. (2008) When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC. ACM Conference on Computer and Communications Security (CCS), Alexander, 27-31 October 2008, 27-38. https://doi.org/10.1145/1455770.1455776
[8]
Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H. and Winandy, M. (2010) Return-Oriented Programming without Returns. ACM Conference on Computer and Communications Security (CCS), Chicago, 4-8 October 2010, 559-572.
[9]
Dai Zovi, D. (2010) Practical Return-Oriented Programming. SOURCE Boston.
[10]
Davi, L., Dmitrienko, A., Sadeghi, A.R. and Winandy, M. (2010) Return-Oriented Programming without Returns on ARM. Technical Report HGI-TR-2010-002, Ruhr-University Bochum, July 2010.
http://www.trust.rub.de/home/publications/DaDmSaWi2010
[11]
Ahn, D. and Lee, G. (2015) A Memory Access Validation Scheme against Payload Injection Attacks. IEEE Transactions on Dependable and Secure Computing, 12, 387-399. https://doi.org/10.1109/TDSC.2014.2355844
[12]
Ruan, Y., Kalyanasundaram, S. and Zou, X. (2016) Survey of Return-Oriented Programming Defense Mechanisms. Security and Communication Networks, 9, 1247-1265. https://doi.org/10.1002/sec.1406
[13]
Forrest, S., Hofmeyr, S. and Somayaji, A. (2008) The Evolution of System-Call Monitoring. Annual Computer Security Applications Conference, Anaheim, 8-12 December 2008, 418-430. https://doi.org/10.1109/acsac.2008.54
[14]
Abadi, M., Budiu, M., Erlingsson, U. and Ligatti, J. (2009) Control-Flow Integrity: Principles, Implementations, and Applications. ACM Transactions on Information and System Security, 15, 1-40. https://doi.org/10.1145/2240276.2240279
[15]
Pewny, J. and Holz, T. (2013) Control-Flow Restrictor: Compiler-Based CFI for iOS. Proceedings of the 29th Annual Computer Security Applications Conference, New Orleans, 9-13 December 2013, 309-318.
https://doi.org/10.1145/2523649.2523674
[16]
Zeng, B., Tan, G., and Morrisett, G. (2011) Combining Control-Flow Integrity and Static Analysis for Efficient and Validated Data Sandboxing. Proceedings of the 18th ACM conference on Computer and Communications Security, Chicago, 17-21 October 2011, 29-40. https://doi.org/10.1145/2046707.2046713
[17]
Zhang, M. and Sekar, R. (2013) Control Flow Integrity for COTS Binaries. 22nd USENIX Security Symposium, Washington DC, 14-16 August 2013, 337-352.
[18]
Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D. and Zou, W. (2013) Practical Control Flow Integrity and Randomization for Binary Executables. Proceedings of the IEEE Security and Privacy Symposium, San Francisco, 19-22 May 2013, 559-573.
[19]
Goktas, E., Athanasopoulos, E., Bos, H. and Portokalidis, G. (2014) Out of Control: Overcoming Control-Flow Integrity. Proceedings of the 2014 IEEE Symposium on Security and Privacy, San Jose, 18-21 May 2014, 575-589.
https://doi.org/10.1109/SP.2014.43
[20]
Lee, G. and Tyagi, A. (2000) Encoded Program Counter: Self-Protection from Buffer Overflow Attacks. International Conference on Internet Computing, Las Vegas, 26-29 June 2000, 387-394.
[21]
Lee, G. and Pyo, C. (2013) Method and Apparatus for Securing Indirect Function Calls by Using Program Counter Encoding. US Patent No. US8583939 B2.
[22]
Pyo, C. and Lee, G. (2002) Encoding Function Pointers and Memory Arrangement Checking against Buffer Overflow Attack. 4th International Conference on Information and Communications Security, Lecture Notes in Computer Science 2513, Singapore, 9-12 December 2002, 25-36. https://doi.org/10.1007/3-540-36159-6_3
[23]
Barrantes, E.G., Ackley, D.H., Forrest, S. and Stefanovic, D. (2005) Randomized Instruction Set Emulation. ACM Transactions on Information and System Security, 8, 3-40. https://doi.org/10.1145/1053283.1053286
[24]
Gupta, A., Habibi, J., Kirkpatrick, M.S. and Bertino, E. (2015) Marlin: Mitigating Code Reuse Attacks Using Code Randomization. IEEE Transactions on Dependable and Secure Computing, 12, 326-337. https://doi.org/10.1109/TDSC.2014.2345384
[25]
Computer Science Department at the University of Illinois at Urbana-Champaign. The LLVM Compiler Infrastructure. http://llvm.org
[26]
Sinnadurai, S., Zhao, Q. and Wong, W. (2008) Transparent Runtime Shadow Stack: Protection against Malicious Return Address Modifications.
[27]
Nergal (2001) The Advanced Return-Into-Lib(C) Exploits: PaX Case Study. Phrack Magazine, 58, 54.
[28]
Shacham, H. (2007) The Geometry of Innocent Flesh on the Bone: Return-into-Libc without Function Calls (on the x86). 14th ACM Conference on Computer and Communications Security, Alexandria, 29 October-2 November 2007, 552-561.
https://doi.org/10.1145/1315245.1315313
[29]
Tran, M., Etheridge, M., Bletsch, T., Jiang, X., Freeh, V. and Ning, P. (2011) On the Expressiveness of Return-Intolibc Attacks. 14th International Conference on Recent Advances in Intrusion Detection, Menlo Park, 20-21 September 2011, 121-141.
https://doi.org/10.1007/978-3-642-23644-0_7
[30]
Black Hat USA Whitepaper (2010) Payload Already Inside: Data Reuse for ROP Exploits.
[31]
Pax Team. PaX Address Space Layout Randomization (ASLR).
http://pax.grsecurity.net/docs/aslr.txt
[32]
Shacham, H., Page, M., Pfaff, B., Goh, E., Modadugu, N. and Boneh, D. (2004) On the Effectiveness of Addressspace Randomization. 11th ACM Conference on Computer and Communications Security, Washington DC, 25-29 October 2004, 298-307.
[33]
Cowan, C., Pu, C., Maier, D., Hintongif, H., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P. and Zhang, Q. (1998) Stackguard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. 7th USENIX Security Symposium, San Antonio, 26-29 January 1998, 63-78.
