Address Obfuscation

Background Objective Approach Download


See our USENIX Security Symposium (2003) paper for an overview of this approach.
See our latest development in this approach.

Background

Attacks which exploit memory programming errors (such as buffer overflows) are one of today's most serious security threats. The prevalence of these attacks is due to several factors. First, memory errors are commonplace, primarily due to the popularity of non-memory safe languages such as C and C++. These languages are widely used because of the precise low-level control they provide over system resources, including memory. Unfortunately, this control is more than most programmers can handle, resulting in memory-related programming errors. In addition, memory error such as an unchecked array access can result in a security vulnerabilities. The most widespread attack which exploits such vulnerability is the stack smashing attack , in which a stack-allocated buffer is intentionally overflowed so that a return address stored on the stack is overwritten with the address of injected malicious code. Other vulnerabilities include heap overflows, integer overflows, format-string vulnerabilities and double frees. There have been numerous approaches developed to prevent exploits of these vulnerabilities, but most of these techniques have drawbacks as they either address only specific type of vulnerability or are not efficient enough to be practical.

Objective

To develop an efficient and comprehensive technique which can be used to combat a broad range of memory error exploits. The technique does not require access to source code or modification of system tools such as compilers and linkers. The technique should simply work on program binaries and should not involve OS changes, thereby making it more practical and usable.

Approach

Attacks which exploit memory errors require an attacker to have an in-depth understanding of the internal details of a victim program, including the locations of critical data and/or code. When there is a vulnerability found in a software, and an attack is developed to exploit it, the attacker has good chance of successfully launching similar attacks on a large number of systems using the same software. The Address obfuscation technique addresses the above issues in order make attacker's job difficult. It is a program transformation approach in which a program's code is modified so that each time the transformed code is executed, the virtual addresses of the code and data of the program are randomized. This makes the effect of most memory-error exploits non-deterministic, with only a very small chance of success. Attackers are forced to make many attempts on average before an attack succeeds, with each unsuccessful attack causing the target program to crash, increasing the likelihood that the attack will be detected. Moreover, an attack that succeeds against one victim will not succeed against another victim, or even for a second time against the same victim. This aspect makes it particularly effective against large scale attacks such as Code Red, since each infection attempt requires significantly more resources, thereby greatly reducing the propagation rate of such attacks.


Download

Following software have been transformed to use address obfuscation techniques. These packages have been built for RedHat Linux 7.3. However, they could potentially be installed on later releases of RedHat.


Acknowledgments

This research was supported in part by AFOSR grant F49620-01-1-0332, ONR University Research Initiative Grant N00140110967, and NSF grants CCR-0098154 and CCR-0208877.