1 / 34

Reviving Instruction Set Randomization

Reviving Instruction Set Randomization. Kanad Sinha * , Vasileios Kemerlis ɫ , Simha Sethumadhavan * * Columbia University ɫ Brown University. Traditional Instruction Set Randomization Provides illusion of a secret instruction set Counters code injection attacks

batson
Download Presentation

Reviving Instruction Set Randomization

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Reviving Instruction Set Randomization Kanad Sinha*, VasileiosKemerlisɫ, SimhaSethumadhavan* *Columbia University ɫBrown University

  2. Traditional Instruction Set Randomization • Provides illusion of a secret instruction set • Counters code injection attacks • Considered outdated because of code reuse attacks Contributions: Polyglot Novel hardware ISR scheme • Effective against state-of-the art code reuse attacks • Strengthens code injection countermeasures • Highly performant (old s/w overhead ~70%, new overhead trivial) • Full system FPGA prototype protecting bootup to OS to apps

  3. background

  4. Code Injection Program Code

  5. Code Injection Program Code Exploit Code

  6. Code Injection countered with ISR Program Code Decryption Engine Drawback #1: No code page sharing

  7. Code Injection countered with ISR Program Code Decryption Engine Drawback #2: Slow

  8. Code Injection countered with ISR Program Code Decryption Engine Drawback #3: Weak encryption

  9. Code Injection countered with ISR Program Code Decryption Engine Exploit Code

  10. ISR is susceptible to code reuse attacks mov %g0, %o0 jmp 0xdeadf00d add %g1, %g1, %g2 ta 0x8a Weak encryption reversible, allows code scanning mov %g4, %o1 ret

  11. Drawbacks of previous ISR works No page sharing  Impractical S/W decryption  Slow Weak encryption  Easily reversible

  12. polyglot

  13. Strong Code Encryption + Code randomization + Key Secrecy + Page Sharing = Use ISR against code-reuse attacks

  14. Strong Code Encryption + Code randomization + Key Secrecy + Page Sharing = Use ISR against code-reuse attacks Prevent code reversing

  15. Strong Code Encryption + Code randomization + Key Secrecy + Page Sharing = Use ISR against code-reuse attacks Prevent predictable code layout

  16. Strong Code Encryption + Code randomization + Key Secrecy + Page Sharing = Use ISR against code-reuse attacks Prevent key leaks

  17. Strong Code Encryption + Code randomization + Key Secrecy + Page Sharing = Use ISR against code-reuse attacks Allows shared libs and copy-on-write

  18. Strong Code Encryption + Code randomization + Key Secrecy + Page Sharing = Use ISR against code-reuse attacks

  19. Strong Code Encryption + Code randomization + Key Secrecy + Page Sharing = Use ISR against code-reuse attacks Bonus: Works for the entire kernel and bootloader!

  20. Hardware

  21. AES <Code> Code Page ITLB DTLB I-cache … Translation Pipeline ECIES ISR PTE H/W Page Walker … D-cache MMU Page Table

  22. Page Miss AES <Code> ITLB Code Page ISR PTE Regular PTE I-cache 10 … Translation ECIES Key ISR PTE H/W Page Walker … MMU Page Table

  23. Page Miss AES <Code> ITLB Code Page Translation I-cache … Translation ECIES ISR PTE H/W Page Walker … MMU Page Table

  24. Address Instruction Miss AES + AES <Code> ITLB Code Page Translation Parallelize decryption and fetch I-cache … Translation ECIES ISR PTE H/W Page Walker … MMU Page Table

  25. Address Instruction Miss AES <Code> + AES <Code> ITLB <Code> Code Page Translation Parallelize decryption and fetch I-cache … Translation ECIES ISR PTE H/W Page Walker … MMU Page Table

  26. Address Instruction Miss AES <Code> + AES <Code> ITLB <Code> Code Page Translation 4.6% slower on prototype, much less so on actual systems! I-cache … Translation ECIES ISR PTE H/W Page Walker … MMU Page Table

  27. Polyglot in action Bootloader

  28. Polyglot in action User application

  29. Conclusion Polyglot counters state-of-the-art code reuse attacks Practical and performant despite using strong encryption “On” from the very first instruction executed Polyglot revamps ISR to make it effective in the modern era while being fast, expansive, and practical

  30. [extra] Page Table Page Table Value Format 2 1 0 31 Page Table // Lvl 2 Page Table // Lvl 1 Regular PTE 10 Regular PTD 01 ISR PTE 11 Regular PTE ISR PTD 10 Key

  31. [extra] Binary Creation ELF Header ELF Header ELF Header … … … .text .text .text Code Page … … … Code Page … … … .isr_map … Keys asymmetrically encrypted ISR Asymmetric Keys

  32. [Extra] Evaluation • Modified Leon3-based SPARC32 platform implemented in FPGA • Fully encrypted bootloader + Linux + apps + shared libraries

  33. [extra] distribution ecosystem App request Download request with public key Download request with unique ID Binary App DB Encrypt Encrypted binary Encrypted binary User key Unique ID User User App Server Key DB Gateway (a) (b)

  34. [extra] related work • Oxymoron • Readactor, Readactor++ • Heisenbyte • CPI • Dynamic rerandomization • Execute-only memory

More Related