Combining reactive approaches optimizes the defense against attacks
Over the last few years, adversaries incrementally evolve their attacking capabilities by taking advantage of memory corruption vulnerabilities in software and compromise devices and systems in a highly sophisticated manner. Memory corruption attacks may count on information leakage exploitation or code reuse. In both cases they result in a typical violation of software integrity. Therefore, to shield the modern interconnected systems from software running flaws exploitation, researchers have developed defenses based on either software integrity measures or information hiding techniques.
Software integrity measures are employed with integrity checks to the overall application. Information leakage defenses may add pervasive spatial, temporal or type checks on memory access; moreover, they conduct Control Flow Integrity (CFI) checks to ensure that application behavior remains within the program’s intended control flow. Those types of defenses may thwart relevant attacks (e.g. impede code reuse attacks through the enforcement of forward-edge CFI, and prevent data corruption attacks by restricting memory reads and writes in the application through Software Fault Isolation). Nevertheless, they provide security guarantees but they incur a high overhead with significant cost performance.
Another approach to preserve software integrity is to make it difficult to locate code and data. Representative solutions reflecting this approach are the Address Space Layout Randomization (ASLR) security techniques serving as a first line against code reuse attacks. ASLR solutions alone are not adequate to provide entire protection as currently information disclosure vulnerabilities are increasing, enabling adversaries to leak pointers and thus break the randomization. In addition, there are more advanced defenses that hide sensitive information at random locations in a large address space. These defenses decrease the size that remains hidden as they segregate applications into sensitive and non-sensitive regions and perform ASLR probabilistic methods to remain the sensitive regions hidden. Nonetheless, according to relevant research, there is a rising number of derandomization primitives using various and sophisticated methods to break randomization and reveal sensitive information defeating the most advanced information hiding solutions. Koustubha Bhat, Erik van der Kouwe, Herbert Bos and Cristiano Giuffrida in their paper “ProbeGuard: Mitigating Probing Attacks Through Reactive Program Transformations” present the ProbeGuard that balances performance and security by firstly deploying an existing information hiding based baseline defense and then moving gradually to more powerful integrity-based defenses by hotpatching when probing attacks occur. ProbeGuard is considered efficient along with strong security capabilities as it can locate the origin of a probe attempt in an automatic manner and patch only the offending code snippets at runtime applying expensive integrity-based defenses selectively and thereby providing low overheads. The authors have evaluated their work on an Intel i7-6700K machine with 4 CPU cores at 4.00 GHz and 16 GB of DDR4 memory, running the 64-bit Ubuntu 16.04 LTS Linux distribution. The evaluation proved that applying ProbeGuard in generic Linux programs can sufficiently harmonize performance and security. They provide a new point in the design space of code reuse based defenses that is capable of protecting systems using fast information hiding and implement integrity-based payoffs wherever required using anomaly detection to trigger selective security hardening. In addition, they’ve shown how that low-overhead control-flow tracing capabilities can successfully detect code fragments affected by probe attempts in modern processors (i.e. Intel PT).