Constraint-based Diversification of JOP Gadgets

11/18/2021
by   Rodothea Myrsini Tsoupidi, et al.
0

Modern software deployment process produces software that is uniform and hence vulnerable to large-scale code-reuse attacks, such as Jump-Oriented Programming (JOP) attacks. Compiler-based diversification improves the resilience of software systems by automatically generating different assembly code versions of a given program. Existing techniques are efficient but do not have a precise control over the quality of the generated variants. This paper introduces Diversity by Construction (DivCon), a constraint-based approach to software diversification. Unlike previous approaches, DivCon allows users to control and adjust the conflicting goals of diversity and code quality. A key enabler is the use of Large Neighborhood Search (LNS) to generate highly diverse code efficiently. For larger problems, we propose a combination of LNS with a structural decomposition of the problem. To further improve the diversification efficiency of DivCon against JOP attacks, we propose an application-specific distance measure tailored to the characteristics of JOP attacks. We evaluate DivCon with 20 functions from a popular benchmark suite for embedded systems. These experiments show that the combination of LNS and our application-specific distance measure generates binary programs that are highly resilient against JOP attacks. Our results confirm that there is a trade-off between the quality of each assembly code version and the diversity of the entire pool of versions. In particular, the experiments show that DivCon generates near-optimal binary programs that share a small number of gadgets. For constraint programming researchers and practitioners, this paper demonstrates that LNS is a valuable technique for finding diverse solutions. For security researchers and software engineers, DivCon extends the scope of compiler-based diversification to performance-critical and resource-constrained applications.

READ FULL TEXT

Authors

page 1

page 2

page 3

page 4

07/17/2020

Constraint-Based Software Diversification for Efficient Mitigation of Code-Reuse Attacks

Modern software deployment process produces software that is uniform, an...
09/28/2021

Learning to Superoptimize Real-world Programs

Program optimization is the process of modifying software to execute mor...
05/17/2020

Not So Fast: Understanding and Mitigating Negative Impacts of Compiler Optimizations on Code Reuse Gadget Sets

Despite extensive testing and correctness certification of their functio...
03/15/2019

Get rid of inline assembly through trustable verification-oriented lifting

Formal methods for software development have made great strides in the l...
07/27/2020

SPAM: Stateless Permutation of Application Memory

In this paper, we propose the Stateless Permutation of Application Memor...
02/23/2017

Automatically Tuning the GCC Compiler to Optimize the Performance of Applications Running on Embedded Systems

This paper introduces a novel method for automatically tuning the select...
05/06/2020

A Collaborative Filtering Approach for the Automatic Tuning of Compiler Optimisations

Selecting the right compiler optimisations has a severe impact on progra...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.