Stony Brook Binary Randomizer (SBR)
Soumyakant Priyadarshan, Huan Nguyen, and R. SekarSee our ACSAC paper for an overview of our approach.
- Compatibility with COTS binaries: Today's software distribution model is centered around binaries. Even open source software is predominantly distributed in binary format for convenience. Source-based randomization techniques do not play well with this model: they not only require per-user recompilation, but also the distribution of distinct binaries and distinct patches for distinct users. Worse, some open-source software may rely on libraries or packages whose source code is not available. And of course, source-based randomization is not an option for closed-source applications.
- Completeness: Randomization defenses are secure only to the extent they are complete. If parts of an application are not randomized, e.g., (some) libraries, then attackers can find and exploit gadgets from these components. Operating on binaries gives SBR the ability to randomize all code, including hand written assembly and code portions inserted by compiler tool chain, e.g., initialization and clean up functions present in every executable. Such code portions are usually missed by source code based approaches.
- Compatibility and error handling and reporting: A lot of real world applications such as firefox and libreoffice utilize exception handling functionality. Even low level libraries such as glibc employs C++ exceptions. By preserving stack tracing and C++ exception handling functionality, SBR goes one step further in ensuring deployability in real world.
- Robustness: Ability to correctly instrument complex real world applications gives SBR an edge over contemporary randomization tools. SBR has been tested on low-level system libraries containing substantial hand-written assembly, such as the glibc and libpthread.so system libraries and the the system loader ld.so. Altogether, it has been tested on over 600MB of binaries, including 200 of the most commonly used libraries on Ubuntu Linux. It has been successfully tested with these libraries, as well as the coreutils, bintutils, SPEC benchmark suite and other complex applications such as vlc, gimp, wireshark and evince.
- Performance: SBR introduces a minimal overhead of 2.26\% and hence is the perfect tool for real world deployment.
- Better protection: SBR's threat model assumes the target application has C++ exception handling metadata (EH metadata). Availability of this metadata at the runtime may be advantageous for attackers who can leak information regarding program's code layout. SBR's novel randomization model LLR(k) achieves an entropy of 84-bits in this threat model and ensures better protection. In addition, SBR has the option of employing novel EH metadata optimizations that reduce the size of metadata and ensure minimal leakage.
- Polymorphic randomization: Along with the novel randomization
technique, SBR also supports many pre-existing randomization techniques:
- ZJR: Zero Jump Randomization [CCR, S&P '19].
- BBR: Basic block randomization
- PHR: Pointer-hiding randomization [Readactor, S&P '15].
- PHR + LLR(k): Apply PHR followed by LLR(k).
Shipped under GPLv3. The download is available in the form of a preconfigured Linux VM image in the open virtual architecture (ova) format.
This work was supported by ONR (N00014-17-1-2891) and in part by NSF (CNS-1918667).