LLVM-based address space randomization

Student: Silviu Baranga (IPA)
Owner: Lorenzo Cavallaro sullivan@cs.vu.nl / Cristiano Giuffrida giuffrida@cs.vu.nl
SVN branch name: N/A

Description

Memory errors are one of the largest classes of vulnerabilities affecting software security. A successful memory error exploit can lead to arbitrary code execution on the victims' machines. The outcome can be catastrophic, as the attacker practically takes over the vulnerable process and can perform any action they wish (e.g., install additional malware).

Once an exploit is available, an attacker can automatically perform large-scale attacks and compromise all the systems running the vulnerable version of the software. This is because every instance of the software is identical, so existing vulnerabilities can be exploited deterministically (software monoculture). The research community has long studied the problem and produced several countermeasures, each with its own pros and cons. One of the most successful techniques so far is address space randomization (ASR). The idea is to diversify the memory layout of each instance of a given process so that an attack can no longer exploit a memory error in a deterministic way.

Successful approaches to this problem have used a number of techniques at different levels of granularity, including kernel-based ASR, binary rewriting ASR, and source-to-source ASR transformations [1]. The goal of this IPA project is to build a robust ASR tool based on LLVM [2]. The availability of LLVM for a growing number of platforms makes this project generally applicable. For instance, we aim to use this tool to diversify Minix3 OS components, as well as generic user-space applications on commodity operating systems. A compiler-based approach built on top of LLVM offers a great deal of flexibility and allows fine-grained transformations to be implemented.
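
To make the idea of diversifying a process's memory layout concrete (the ASR principle described above and the fine-grained, per-object randomization the project aims to generate with LLVM), here is a small added example, not code from the project or from [1]: a user-space allocator wrapper that places every heap object behind a random, alignment-preserving gap, so the distance between two objects differs from one process instance to the next. The names rand_alloc, rand_free, pad_of and distinct_pads are hypothetical, and rand() stands in for the per-process entropy source a real deployment would draw from the OS.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define ALIGN   16u    /* alignment preserved for every returned object */
#define MAX_PAD 4096u  /* upper bound on the random gap inserted before an object */

/* Allocate `size` bytes behind a random, ALIGN-multiple gap. The pointer
   returned by malloc is stashed just before the object so it can be freed.
   rand() is a stand-in here; a deployment would seed from OS entropy. */
void *rand_alloc(size_t size)
{
    size_t pad = ((size_t)rand() % (MAX_PAD / ALIGN)) * ALIGN;
    unsigned char *base = malloc(pad + 2 * ALIGN + size);
    if (base == NULL)
        return NULL;
    uintptr_t raw = (uintptr_t)base + pad + ALIGN;   /* leave room for the header */
    unsigned char *obj = (unsigned char *)((raw + ALIGN - 1) & ~(uintptr_t)(ALIGN - 1));
    ((void **)obj)[-1] = base;                       /* header: original chunk */
    return obj;
}

void rand_free(void *p)
{
    if (p != NULL)
        free(((void **)p)[-1]);
}

/* Distance between the object and the start of its underlying chunk. */
size_t pad_of(const void *p)
{
    return (size_t)((uintptr_t)p - (uintptr_t)((const void *const *)p)[-1]);
}

/* Allocate `trials` objects and count how many distinct gaps were used:
   the larger the count, the less predictable the layout across instances. */
size_t distinct_pads(unsigned trials)
{
    unsigned char seen[MAX_PAD / ALIGN + 2] = {0};
    size_t count = 0;
    for (unsigned i = 0; i < trials; i++) {
        void *p = rand_alloc(64);
        size_t slot = pad_of(p) / ALIGN;
        if (!seen[slot]) { seen[slot] = 1; count++; }
        rand_free(p);
    }
    return count;
}

int main(void)
{
    srand((unsigned)time(NULL));                     /* different layout on every run */
    void *a = rand_alloc(32), *b = rand_alloc(32);
    printf("a=%p (pad %zu)  b=%p (pad %zu)\n", a, pad_of(a), b, pad_of(b));
    rand_free(a); rand_free(b);
    return 0;
}
```

Running the program several times shows the gap before each object, and therefore the distance between a and b, changing per instance while every returned pointer stays 16-byte aligned.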

The tool produced as the outcome of the IPA project must be evaluated in different environments and under realistic attack scenarios.

References

[1] Sandeep Bhatkar, R. Sekar, and Daniel DuVarney. Efficient Techniques for Comprehensive Protection from Memory Error Exploits. USENIX Security Symposium (USENIX Security), August 2005.
  http://seclab.cs.sunysb.edu/seclab/pubs/usenix_sec05.pdf

[2] http://www.llvm.org