Abstract
Stack-based attacks typically require that attackers have a good understanding of the stack layout of the victim program. In this paper, we leverage specific features of the ARM architecture and propose a practical technique that introduces randomness into the stack layout when an Android application executes. We employ minimal binary rewriting of the Android app that produces a randomized executable of the same size, which can be executed on an unmodified Android operating system. Our experiments applying this randomization to the 20 most popular free Android apps on Google Play show that the randomization coverage of functions increases from 65 % (by a state-of-the-art randomization approach) to 97.6 %, with, on average, 4 and 7 bits of randomness applied to each 16-bit and 32-bit function, respectively. We also show that it is effective in defending against stack-based memory vulnerabilities and real-world ROP attacks.
Notes
1. Hopper Disassembler: http://www.hopperapp.com.
2. We utilized one fewer bit as we chose not to include r0 for simplicity, since it usually carries the return value; however, it could be included if the function does not return anything.
Acknowledgments
We would like to thank the anonymous reviewers for providing valuable feedback on our work. This research was partially supported by the National Science Foundation of China (Grant No. 61202387, 61332019, and 61373168) and the National Key Basic Research Program of China (Grant No. 2014CB340600).
Appendix
A Missing Functions in Static Analysis
In this example, the jump target sub_7a35e8 is an exception handler that does not return as a normal function would, and Hopper fails to recognize the bl-proceeded function at 0x7c89a0.
B Complexities in Identifying Push/Pop Instructions
In Listing 2, instructions at 0x28804, 0x28810, and 0x2881c are epilogue instructions corresponding to the prologue instruction at 0x287bc.
Listing 3 shows an example in which there is another push instruction, before the prologue instruction, that pushes register lr. Correspondingly, the last three instructions first pop whatever was pushed at 0x45f62a, then adjust sp to discard whatever was pushed at 0x45f628, and finally use a direct branch instruction, bx lr, to return to the caller.
Listing 4 shows an example where the same number of registers is pushed and popped, but the registers differ. Listing 5 shows another example where different numbers of registers are pushed and popped.
Figure 7 presents examples of correct and incorrect randomization results for an original function similar to the one shown in Listing 5.
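The prologue/epilogue pairing problems described in this appendix, as an added example that is not part of the paper and not the authors' rewriting tool: a small Python checker over constructed Thumb-style listings. The addresses, instructions and register sets are made up to mirror the four situations above (several epilogues for one prologue, lr pushed by a separate instruction and discarded with an sp adjustment before bx lr, same count but different registers, different counts); the listing format, the helper names and the verdict strings are this example's own assumptions. The checker unions the registers saved by the leading run of push instructions and compares them with what each return sequence restores, which is the consistency check a rewriter has to pass before it may touch either side.

```python
import re
from dataclasses import dataclass

# ARM register numbering; lr/pc matter because "pop {.., pc}" returns through the saved lr.
REG_ALIASES = {"sp": 13, "lr": 14, "pc": 15}
LR, PC = 14, 15


def reg_num(name: str) -> int:
    """Map 'r4', 'sp', 'lr' or 'pc' to its register number."""
    name = name.strip().lower()
    if name in REG_ALIASES:
        return REG_ALIASES[name]
    m = re.fullmatch(r"r(\d+)", name)
    if not m:
        raise ValueError(f"unknown register {name!r}")
    return int(m.group(1))


def parse_reglist(text: str) -> frozenset:
    """'{r4-r7, lr}' -> frozenset({4, 5, 6, 7, 14}); ranges are expanded."""
    regs = set()
    for part in text.strip().strip("{}").split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (reg_num(p) for p in part.split("-"))
            regs.update(range(lo, hi + 1))
        else:
            regs.add(reg_num(part))
    return frozenset(regs)


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operands: str


# Assumed listing line format: "<hex address> <mnemonic> <operands>" (this example's own).
INSN_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(\S+)\s*(.*?)\s*$")
SP_ADD_RE = re.compile(r"^sp\s*,\s*(?:sp\s*,\s*)?#(\d+)$", re.I)


def parse_listing(text: str) -> list:
    insns = []
    for line in text.strip().splitlines():
        m = INSN_RE.match(line)
        if m:
            insns.append(Insn(int(m.group(1), 16), m.group(2).lower(), m.group(3)))
    return insns


def prologue_registers(insns: list) -> frozenset:
    """Union of registers saved by the leading run of push instructions (covers a separate push {lr})."""
    saved = set()
    for ins in insns:
        if ins.mnemonic != "push":
            break
        saved |= parse_reglist(ins.operands)
    return frozenset(saved)


def classify_epilogues(insns: list) -> list:
    """Return [(pop address, verdict)] for every pop that starts a return sequence."""
    pushed = prologue_registers(insns)
    results = []
    for i, ins in enumerate(insns):
        if ins.mnemonic != "pop":
            continue
        popped = set(parse_reglist(ins.operands))
        skipped_words = 0  # stack slots discarded by "add sp, #imm" instead of being popped
        returns = PC in popped
        if returns:
            popped = (popped - {PC}) | {LR}  # popping into pc consumes the saved lr slot
        else:
            # Look past an optional "add sp, #imm" for a "bx lr" return.
            for nxt in insns[i + 1:i + 3]:
                m = SP_ADD_RE.match(nxt.operands) if nxt.mnemonic == "add" else None
                if m:
                    skipped_words += int(m.group(1)) // 4
                elif nxt.mnemonic == "bx" and nxt.operands.lower() == "lr":
                    returns = True
                    break
                else:
                    break
        if not returns:
            continue  # an inner pop that is not part of a return sequence
        restored = frozenset(popped)
        if restored == pushed:
            verdict = "match"
        elif pushed - restored == {LR} and skipped_words == 1:
            verdict = "lr slot skipped via sp adjustment"
        elif len(restored) + skipped_words == len(pushed):
            verdict = "same count, different registers"
        else:
            verdict = "different register count"
        results.append((ins.addr, verdict))
    return results


# Constructed listings (addresses and code are invented for illustration, not from the paper).
SAMPLES = {
    "multiple_epilogues": """
        0x1000 push {r4-r7, lr}
        0x1002 cmp r0, #0
        0x1004 beq 0x100a
        0x1006 movs r0, #1
        0x1008 pop {r4-r7, pc}
        0x100a cmp r1, #0
        0x100c beq 0x1012
        0x100e movs r0, #2
        0x1010 pop {r4-r7, pc}
        0x1012 movs r0, #0
        0x1014 pop {r4-r7, pc}
    """,
    "lr_pushed_separately": """
        0x2000 push {lr}
        0x2002 push {r4-r7}
        0x2004 adds r4, r0, r1
        0x2006 mov r0, r4
        0x2008 pop {r4-r7}
        0x200a add sp, #4
        0x200c bx lr
    """,
    "same_count_different_regs": """
        0x3000 push {r4, r5, r6, lr}
        0x3002 adds r4, r0, r1
        0x3004 adds r5, r4, r2
        0x3006 mov r0, r5
        0x3008 pop {r4, r5, r7, pc}
    """,
    "different_count": """
        0x4000 push {r4-r7, lr}
        0x4002 adds r4, r0, r1
        0x4004 mov r0, r4
        0x4006 pop {r4, r5, pc}
    """,
}


def analyze_all() -> dict:
    return {name: classify_epilogues(parse_listing(text)) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in analyze_all().items():
        print(name)
        for addr, verdict in verdicts:
            print(f"  pop at {addr:#x}: {verdict}")
```

Only the "match" verdict is safe to rewrite blindly; the other three are exactly the cases where a tool must either model the extra stack slot (the separately pushed lr) or leave the function alone, which is why coverage, not just correctness, depends on how carefully epilogues are recognized.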
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this paper
Liang, Y. et al. (2016). Stack Layout Randomization with Minimal Rewriting of Android Binaries. In: Kwon, S., Yun, A. (eds) Information Security and Cryptology - ICISC 2015. ICISC 2015. Lecture Notes in Computer Science, vol 9558. Springer, Cham. https://doi.org/10.1007/978-3-319-30840-1_15
DOI: https://doi.org/10.1007/978-3-319-30840-1_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30839-5
Online ISBN: 978-3-319-30840-1
eBook Packages: Computer Science, Computer Science (R0)