Randomize the Running Function When It Is Disclosed
Address space layout randomization (ASLR) can hide code addresses, which has been widely adopted by security solutions. However, code probes can bypass it. In real attack scenarios, a single code probe can only obtain very limited code information instead of the information of the entire code segmen...
Published in: | IEEE transactions on computers 2024-06, Vol.73 (6), p.1516-1530 |
---|---|
Main authors: | Li, YongGang ; Bao, Yu ; Chung, Yeh-Ching |
Format: | Article |
Language: | eng |
Subjects: | |
container_end_page | 1530 |
---|---|
container_issue | 6 |
container_start_page | 1516 |
container_title | IEEE transactions on computers |
container_volume | 73 |
creator | Li, YongGang ; Bao, Yu ; Chung, Yeh-Ching |
description | Address space layout randomization (ASLR) can hide code addresses, which has been widely adopted by security solutions. However, code probes can bypass it. In real attack scenarios, a single code probe can only obtain very limited code information instead of the information of the entire code segment. So, randomizing the entire code segment is unnecessary. How to minimize the size of the randomized object is a key to reducing the complexity and overhead for ASLR methods. Moreover, ASLR needs to be completed between the time after code probe occurs and before the probed code is used by attackers, otherwise it is meaningless. How to select an appropriate randomization time point is a basic condition for achieving effective address hiding. In this paper, we propose a runtime partial randomization method RandFun. It only randomizes the probed function with parallel threads. And the randomization is performed when and only when potential code probes are detected. In addition, RandFun can protect the probed code from being used as gadgets, whether during or after randomization. Experiments and analysis show RandFun has a good defense effect on code probes and only introduces 1.6% overhead to CPU. |
doi_str_mv | 10.1109/TC.2024.3371776 |
format | Article |
fulltext | fulltext_linktorsrc |
identifier | ISSN: 0018-9340 |
ispartof | IEEE transactions on computers, 2024-06, Vol.73 (6), p.1516-1530 |
issn | 0018-9340 1557-9956 |
language | eng |
recordid | cdi_ieee_primary_10458890 |
source | IEEE |
subjects | access control ; Code probes ; code reuse attacks ; Codes ; control flow ; Layout ; operating system ; Payloads ; Probes ; Randomization ; Runtime ; Segments ; Source coding ; Switches |
title | Randomize the Running Function When It Is Disclosed |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-29T06%3A42%3A35IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Randomize%20the%20Running%20Function%20When%20It%20Is%20Disclosed&rft.jtitle=IEEE%20transactions%20on%20computers&rft.au=Li,%20YongGang&rft.date=2024-06-01&rft.volume=73&rft.issue=6&rft.spage=1516&rft.epage=1530&rft.pages=1516-1530&rft.issn=0018-9340&rft.eissn=1557-9956&rft.coden=ITCOB4&rft_id=info:doi/10.1109/TC.2024.3371776&rft_dat=%3Cproquest_RIE%3E3053297342%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=3053297342&rft_id=info:pmid/&rft_ieee_id=10458890&rfr_iscdi=true |