
Intramodular Displacement Randomization

IP.com Disclosure Number: IPCOM000210875D
Original Publication Date: 2011-Sep-13
Included in the Prior Art Database: 2011-Sep-13
Document File: 9 page(s) / 476K

Publishing Venue

Microsoft

Related People

Matt Miller: INVENTOR [+4]

Abstract

One of the limitations of contemporary Address Space Layout Randomization (ASLR) implementations is that the base address of a memory region is randomized without altering a region’s internal structure. A canonical example of this can be seen in the form of executable files (DLLs/EXEs) where the internal ordering of sections, code, and data remains fixed even when an executable’s base address has been randomized. This behavior can enable an attacker to deduce the address of all code and data within an executable’s memory region given knowledge of just a single address that is found therein. Attackers have leveraged this ability in practice when determining the address of return-oriented programming (ROP) gadgets. This has enabled attackers to bypass important exploit mitigations such as Data Execution Prevention (DEP) and ASLR. The ability to deduce the address of all code and data within an executable’s memory region is based on the fundamental assumption that the executable’s internal structure remains fixed. In this paper, we describe a method of introducing runtime non-determinism into the displacement between the constituent parts of an executable. This is accomplished by adding metadata to an executable file when it is built which describes the set of offsets where one or more bytes may be inserted at runtime. At runtime, the executable loader then selects a random subset of these offsets and inserts one or more bytes at each while retaining the functional correctness of the executable. This has the effect of breaking displacement guarantees and prevents an attacker from reliably assuming where all code and data is located even with knowledge of one or more addresses.

This text was extracted from a Microsoft Word document.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 15% of the total text.

Document Author (alias)

mamill

Defensive Publication Title 

Intramodular Displacement Randomization

Name(s) of All Contributors

Matt Miller

Ken Johnson

Nitin Kumar Goel

Julien Vanegue


Description

Breaking the displacement guarantees within an executable file’s memory region can be accomplished by dynamically inserting one or more bytes at a set of offsets that are randomly selected at runtime. This has the effect of preventing an attacker who knows the absolute memory address of one offset from reliably assuming the displacement to other offsets found within the executable’s memory region. The following description focuses on how this method can be realized in practice for Portable Executable (PE) files that run on the Windows operating system. The general methodology is also applicable to other executable file formats.
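The fixed-displacement problem stated in the abstract and the padding remedy described in the paragraph above, modelled as a small simulation. This is an added example, not code from the publication or from Microsoft: the module layout, chunk names, sizes, pad points and probabilities are constructed for illustration, and the loader is reduced to inserting pad bytes between chunks, without the relocation fix-ups a real PE loader would need to keep the image functional. It contrasts classic ASLR (base moves, interior fixed) with randomized interior padding, and measures how often inferring a second address from one leaked address still succeeds.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """A toy image: ordered (name, size) chunks plus link-time pad metadata."""
    chunks: tuple       # ((name, size), ...) in image order
    pad_points: tuple   # chunk indices before which pad bytes may be inserted


# Constructed sample module; names, sizes and pad points are invented for this example.
TOY_MODULE = Module(
    chunks=(
        ("header", 0x400), ("entry", 0x200), ("func_a", 0x300), ("func_b", 0x180),
        ("func_c", 0x2c0), ("target", 0x100), ("rdata", 0x800), ("data", 0x1000),
    ),
    pad_points=(1, 2, 3, 4, 5, 6, 7),   # padding permitted before every chunk but the header
)


def layout(module, base, rng=None, max_pad=0, pad_fraction=0.0):
    """Lay out the module at `base` and return {chunk name: address}.

    With rng=None this is classic ASLR: only the base moves, the interior is fixed.
    With an rng, each pad point is selected with probability pad_fraction and
    receives 1..max_pad pad bytes, modelling the loader step described in the text.
    """
    chosen = set()
    if rng is not None:
        chosen = {p for p in module.pad_points if rng.random() < pad_fraction}
    addrs, cursor = {}, base
    for index, (name, size) in enumerate(module.chunks):
        if index in chosen:
            cursor += rng.randint(1, max_pad)
        addrs[name] = cursor
        cursor += size
    return addrs


def check_layout(module, addrs):
    """Functional-correctness invariant: chunks keep their order and never overlap."""
    end = None
    for name, size in module.chunks:
        start = addrs[name]
        if end is not None and start < end:
            return False
        end = start + size
    return True


def infer_from_leak(reference, leaked_name, leaked_addr):
    """The attacker model the text describes: assume the displacement seen in the
    on-disk image still holds at runtime and derive every address from one leak."""
    shift = leaked_addr - reference[leaked_name]
    return {name: addr + shift for name, addr in reference.items()}


def expected_unchanged_probability(module, leaked, target, pad_fraction):
    """Probability that no pad lands between the leaked and target chunks, i.e.
    that the fixed-displacement inference still succeeds: (1 - f) ** m."""
    names = [name for name, _ in module.chunks]
    lo, hi = sorted((names.index(leaked), names.index(target)))
    between = [p for p in module.pad_points if lo < p <= hi]
    return (1.0 - pad_fraction) ** len(between)


def inference_success_rate(module, trials, seed, max_pad, pad_fraction,
                           leaked="entry", target="target"):
    """Fraction of loads in which fixed-displacement inference hits the target."""
    rng = random.Random(seed)
    reference = layout(module, base=0)   # what offline analysis of the file yields
    hits = 0
    for _ in range(trials):
        base = rng.randrange(0x10000, 0x7fff0000, 0x10000)
        real = layout(module, base, rng, max_pad, pad_fraction)
        assert check_layout(module, real)   # padding never breaks order or overlaps
        guess = infer_from_leak(reference, leaked, real[leaked])
        hits += guess[target] == real[target]
    return hits / trials


if __name__ == "__main__":
    print("fixed interior:", inference_success_rate(TOY_MODULE, 1000, 1, 0, 0.0))
    print("randomized    :", inference_success_rate(TOY_MODULE, 4000, 1, 16, 0.5))
    print("expected      :", expected_unchanged_probability(TOY_MODULE, "entry", "target", 0.5))
```

With the interior fixed, one leaked address yields every other address on every load. With padding, the inference only succeeds when none of the m pad points between the leaked chunk and the target was selected, so the success rate falls to about (1 - f)^m; with four intervening pad points and f = 0.5 that is 1/16, and the gap widens as more pad points are emitted at link time. Note that the amount of padding (max_pad) does not matter for the inference, only whether any pad landed in between.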

The following key steps are involved:

1. At link time

a. Metadata emission: metadata is added to the PE file that describes the set of offsets (...