Secure Systems Lab

Stony Brook Binary Randomizer (SBR)

Soumyakant Priyadarshan, Huan Nguyen, and R. Sekar

See our ACSAC paper for an overview of our approach.

Introduction

Stony Brook Binary Randomizer (SBR) is a code randomization tool designed to operate on stripped COTS binaries. The primary motivation behind SBR is a deployable code randomization system with minimal performance overhead and strong protection against ROP attacks that rely on indirect disclosure of code layout. SBR works with executables as well as shared libraries and has been extensively tested against a wide range of applications (600 MB of binary code) and low-level libraries such as glibc, ld.so and libpthread.so. This robustness makes SBR a suitable candidate for randomizing and protecting an application's entire code space. Unlike recent works that rely heavily on relocation information and therefore limit themselves to position-independent executables (PIEs), SBR can randomize both modern PIE binaries and non-PIE binaries. The disassembly and instrumentation technique employed by SBR has been shown to work on binaries that have data embedded in code.

Key features

  • Compatibility with COTS binaries: Today's software distribution model is centered around binaries. Even open source software is predominantly distributed in binary format for convenience. Source-based randomization techniques do not play well with this model: they not only require per-user recompilation, but also the distribution of distinct binaries and distinct patches for distinct users. Worse, some open-source software may rely on libraries or packages whose source code is not available. And of course, source-based randomization is not an option for closed-source applications.
  • Completeness: Randomization defenses are secure only to the extent that they are complete. If parts of an application are not randomized, e.g., (some) libraries, then attackers can find and exploit gadgets in those components. Operating on binaries gives SBR the ability to randomize all code, including hand-written assembly and code inserted by the compiler toolchain, e.g., the initialization and cleanup functions present in every executable. Such code is usually missed by source-based approaches.
  • Error handling and reporting compatibility: Many real-world applications such as Firefox and LibreOffice rely on exception handling. Even low-level libraries such as glibc employ C++ exceptions. By preserving stack tracing and C++ exception handling, SBR goes one step further in ensuring deployability in the real world.
  • Robustness: The ability to correctly instrument complex real-world applications gives SBR an edge over contemporary randomization tools. SBR has been tested on low-level system libraries containing substantial hand-written assembly, such as glibc, libpthread.so and the system loader ld.so. Altogether, it has been tested on over 600 MB of binaries, including 200 of the most commonly used libraries on Ubuntu Linux. It has been successfully tested with these libraries, as well as coreutils, binutils, the SPEC benchmark suite and other complex applications such as vlc, gimp, wireshark and evince.
  • Performance: SBR introduces a minimal runtime overhead of 2.26%, low enough for real-world deployment.
  • Better protection: SBR's threat model assumes that the target application carries C++ exception handling metadata (EH metadata). Because this metadata is available at runtime, an attacker who can read it learns information about the program's code layout (for example, the start address of every function that has an unwind entry). SBR's novel randomization model LLR(k) achieves 84 bits of entropy under this threat model and thus offers better protection. In addition, SBR can optionally apply novel EH metadata optimizations that reduce the size of the metadata and ensure minimal leakage.
  • Polymorphic randomization: In addition to its novel LLR(k) technique, SBR also supports several pre-existing randomization schemes:
    • ZJR: Zero Jump Randomization [CCR, S&P '19].
    • BBR: Basic block randomization
    • PHR: Pointer-hiding randomization [Readactor, S&P '15].
    • PHR + LLR(k): Apply PHR followed by LLR(k).
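As an added illustration of the leak that the "Better protection" item refers to (this is example code written for this page, not SBR's own code or tooling), the following parser reads an .eh_frame_hdr section image and recovers the sorted table of function start addresses that the unwinder uses for its binary search. An attacker who can read this section from a randomized process learns exactly which code addresses begin a function, which is why the threat model treats EH metadata as disclosed. The section bytes below are constructed inline by `build_sample_hdr` using the pointer encodings GCC and Clang normally emit; the section address (0x2000), the .eh_frame address (0x2040) and the three function addresses are made up for the example.

```python
import struct

# DWARF pointer-encoding constants used by .eh_frame_hdr (LSB exception-frame spec).
DW_EH_PE_udata4 = 0x03
DW_EH_PE_sdata4 = 0x0b
DW_EH_PE_pcrel = 0x10
DW_EH_PE_datarel = 0x30
DW_EH_PE_omit = 0xff


def _read_encoded(buf, off, enc, hdr_vaddr):
    """Decode one encoded pointer at buf[off:]; return (absolute value, next offset).

    Only the 4-byte formats commonly emitted by GCC/Clang are handled; pcrel values
    are relative to the field's own address, datarel values to the section start.
    """
    fmt, app = enc & 0x0F, enc & 0x70
    if fmt == DW_EH_PE_udata4:
        val = struct.unpack_from("<I", buf, off)[0]
    elif fmt == DW_EH_PE_sdata4:
        val = struct.unpack_from("<i", buf, off)[0]
    else:
        raise ValueError(f"unsupported pointer format 0x{fmt:02x}")
    if app == DW_EH_PE_pcrel:
        val += hdr_vaddr + off
    elif app == DW_EH_PE_datarel:
        val += hdr_vaddr
    elif app != 0:
        raise ValueError(f"unsupported pointer application 0x{app:02x}")
    return val, off + 4


def parse_eh_frame_hdr(section, hdr_vaddr):
    """Parse an .eh_frame_hdr image loaded at hdr_vaddr.

    Returns (eh_frame_vaddr, [(function_start, fde_vaddr), ...]); the table is
    already sorted by function_start because the unwinder binary-searches it.
    """
    version, eh_frame_ptr_enc, fde_count_enc, table_enc = section[:4]
    if version != 1:
        raise ValueError(f"unexpected .eh_frame_hdr version {version}")
    off = 4
    eh_frame_ptr, off = _read_encoded(section, off, eh_frame_ptr_enc, hdr_vaddr)
    if fde_count_enc == DW_EH_PE_omit or table_enc == DW_EH_PE_omit:
        return eh_frame_ptr, []  # no search table: nothing further is leaked here
    fde_count, off = _read_encoded(section, off, fde_count_enc, hdr_vaddr)
    entries = []
    for _ in range(fde_count):
        start, off = _read_encoded(section, off, table_enc, hdr_vaddr)
        fde, off = _read_encoded(section, off, table_enc, hdr_vaddr)
        entries.append((start, fde))
    return eh_frame_ptr, entries


def leaked_function_starts(section, hdr_vaddr):
    """The code-layout information an attacker obtains from .eh_frame_hdr alone."""
    _, entries = parse_eh_frame_hdr(section, hdr_vaddr)
    return [start for start, _ in entries]


def build_sample_hdr(hdr_vaddr, eh_frame_vaddr, fdes):
    """Construct a .eh_frame_hdr image (for the example only) with the usual encodings:
    eh_frame_ptr as pcrel|sdata4, fde_count as udata4, table entries as datarel|sdata4."""
    out = bytearray([1, DW_EH_PE_pcrel | DW_EH_PE_sdata4,
                     DW_EH_PE_udata4, DW_EH_PE_datarel | DW_EH_PE_sdata4])
    out += struct.pack("<i", eh_frame_vaddr - (hdr_vaddr + len(out)))  # pcrel to this field
    out += struct.pack("<I", len(fdes))
    for start, fde in sorted(fdes):  # linker emits the table sorted by start address
        out += struct.pack("<ii", start - hdr_vaddr, fde - hdr_vaddr)
    return bytes(out)


# Constructed sample: three functions with unwind entries in a small binary (made-up addresses).
SAMPLE_HDR_VADDR = 0x2000
SAMPLE_HDR = build_sample_hdr(
    SAMPLE_HDR_VADDR, 0x2040,
    [(0x1130, 0x2070), (0x1040, 0x2048), (0x1200, 0x20A0)],
)

if __name__ == "__main__":
    eh_frame, table = parse_eh_frame_hdr(SAMPLE_HDR, SAMPLE_HDR_VADDR)
    print(f".eh_frame at {eh_frame:#x}, {len(table)} FDEs")
    for start, fde in table:
        print(f"  function starts at {start:#x} (FDE at {fde:#x})")
```

On a real binary the section bytes and its virtual address come from the ELF section headers (e.g. `readelf -S` or pyelftools); feeding them to `parse_eh_frame_hdr` shows how much of the layout a single metadata read discloses, which is the quantity SBR's EH metadata optimizations aim to minimize.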

Download and Installation

Shipped under GPLv3. The download is a preconfigured Linux VM image in Open Virtual Appliance (.ova) format.

Acknowledgements

This work was supported by ONR (N00014-17-1-2891) and in part by NSF (CNS-1918667).



Copyright © 1999-2013 Secure Systems Laboratory, Stony Brook University. All rights reserved.