
Publication


Featured research published by Kevin Z. Snow.


IEEE Symposium on Security and Privacy | 2013

Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization

Kevin Z. Snow; Fabian Monrose; Lucas Davi; Alexandra Dmitrienko; Christopher Liebchen; Ahmad-Reza Sadeghi

Fine-grained address space layout randomization (ASLR) has recently been proposed as a method of efficiently mitigating runtime attacks. In this paper, we introduce the design and implementation of a framework based on a novel attack strategy, dubbed just-in-time code reuse, that undermines the benefits of fine-grained ASLR. Specifically, we derail the assumptions embodied in fine-grained ASLR by exploiting the ability to repeatedly abuse a memory disclosure to map an application's memory layout on-the-fly, dynamically discover API functions and gadgets, and JIT-compile a target program using those gadgets -- all within a script environment at the time an exploit is launched. We demonstrate the power of our framework by using it in conjunction with a real-world exploit against Internet Explorer, and also provide extensive evaluations that demonstrate the practicality of just-in-time code reuse attacks. Our findings suggest that fine-grained ASLR may not be as promising as first thought.


IEEE Symposium on Security and Privacy | 2011

Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on Fon-iks

Andrew M. White; Austin R. Matthews; Kevin Z. Snow; Fabian Monrose

In this work, we unveil new privacy threats against Voice-over-IP (VoIP) communications. Although prior work has shown that the interaction of variable bit-rate codecs and length-preserving stream ciphers leaks information, we show that the threat is more serious than previously thought. In particular, we derive approximate transcripts of encrypted VoIP conversations by segmenting an observed packet stream into subsequences representing individual phonemes and classifying those subsequences by the phonemes they encode. Drawing on insights from the computational linguistics and speech recognition communities, we apply novel techniques for unmasking parts of the conversation. We believe our ability to do so underscores the importance of designing secure (yet efficient) ways to protect the confidentiality of VoIP conversations.


Computer and Communications Security | 2010

Trail of bytes: efficient support for forensic analysis

Srinivas Krishnan; Kevin Z. Snow; Fabian Monrose

For the most part, forensic analysis of computer systems requires that one first identify suspicious objects or events, and then examine them in enough detail to form a hypothesis as to their cause and effect. Sadly, while our ability to gather vast amounts of data has improved significantly over the past two decades, it is all too often the case that we tend to lack detailed information just when we need it the most. Simply put, the current state of computer forensics leaves much to be desired. In this paper, we attempt to improve on the state of the art by providing a forensic platform that transparently monitors and records data access events within a virtualized environment using only the abstractions exposed by the hypervisor. Our approach monitors accesses to objects on disk and follows the causal chain of these accesses across processes, even after the objects are copied into memory. Our forensic layer records these transactions in a version-based audit log that allows for faithful, and efficient, reconstruction of the recorded events and the changes they induced. To demonstrate the utility of our approach, we provide an extensive empirical evaluation, including a real-world case study demonstrating how our platform can be used to reconstruct valuable information about the what, when, and how, after a compromise has been detected.


Computer and Communications Security | 2016

No-Execute-After-Read: Preventing Code Disclosure in Commodity Software

Jan Werner; George Baltas; Rob Dallara; Nathan Otterness; Kevin Z. Snow; Fabian Monrose; Michalis Polychronakis

Memory disclosure vulnerabilities enable an adversary to successfully mount arbitrary code execution attacks against applications via so-called just-in-time code reuse attacks, even when those applications are fortified with fine-grained address space layout randomization. This attack paradigm requires the adversary to first read the contents of randomized application code, then construct a code reuse payload using that knowledge. In this paper, we show that the recently proposed Execute-no-Read (XnR) technique fails to prevent just-in-time code reuse attacks. Next, we introduce the design and implementation of a novel memory permission primitive, dubbed No-Execute-After-Read (near), that foregoes the problems of XnR and provides strong security guarantees against just-in-time attacks in commodity binaries. Specifically, near allows all code to be disclosed, but prevents any disclosed code from subsequently being executed, thus thwarting just-in-time code reuse. At the same time, commodity binaries with mixed code and data regions still operate correctly, as legitimate data is still readable. To demonstrate the practicality and portability of our approach we implemented prototypes for both Linux and Android on the ARMv8 architecture, as well as a prototype that protects unmodified Microsoft Windows executables and dynamically linked libraries. In addition, our evaluation on the SPEC2006 benchmark demonstrates that our prototype has negligible runtime overhead, making it suitable for practical deployment.


Recent Advances in Intrusion Detection | 2013

Check My Profile: Leveraging Static Analysis for Fast and Accurate Detection of ROP Gadgets

Blaine Stancill; Kevin Z. Snow; Nathan Otterness; Fabian Monrose; Lucas Davi; Ahmad-Reza Sadeghi

Return-oriented programming (ROP) offers a powerful technique for undermining state-of-the-art security mechanisms, including non-executable memory and address space layout randomization. To mitigate this daunting attack strategy, several in-built defensive mechanisms have been proposed. In this work, we instead focus on detection techniques that do not require any modification to end-user platforms. Specifically, we propose a novel framework that efficiently analyzes documents (PDF, Office, or HTML files) and detects whether they contain a return-oriented programming payload. To do so, we provide advanced techniques for taking memory snapshots of a target application, efficiently transferring the snapshots to a host system, as well as novel static analysis and filtering techniques to identify and profile chains of code pointers referencing ROP gadgets that may even reside in randomized libraries. Our evaluation of over 7,662 benign and 57 malicious documents demonstrates that we can perform such analysis accurately and expeditiously -- with the vast majority of documents analyzed in about 3 seconds.


IEEE Transactions on Information Forensics and Security | 2012

Trail of Bytes: New Techniques for Supporting Data Provenance and Limiting Privacy Breaches

Srinivas Krishnan; Kevin Z. Snow; Fabian Monrose

Forensic analysis of computer systems requires that one first identify suspicious objects or events, and then examine them in enough detail to form a hypothesis as to their cause and effect. Sadly, while our ability to gather vast amounts of data has improved significantly over the past two decades, it is all too often the case that we lack detailed information just when we need it the most. In this paper, we attempt to improve on the state of the art by providing a forensic platform that transparently monitors and records data access events within a virtualized environment using only the abstractions exposed by the hypervisor. Our approach monitors accesses to objects on disk and follows the causal chain of these accesses across processes, even after the objects are copied into memory. Our forensic layer records these transactions in a tamper evident version-based audit log that allows for faithful, and efficient, reconstruction of the recorded events and the changes they induced. To demonstrate the utility of our approach, we provide an extensive empirical evaluation, including a real-world case study demonstrating how our platform can be used to reconstruct valuable information about the what, when, and how, after a compromise has been detected. We also extend our earlier work by providing a tracking mechanism that can monitor data exfiltration attempts across multiple disks and also block attempts to copy data over the network.


International Conference on Critical Infrastructure Protection | 2007

Detecting Non-Discoverable Bluetooth Devices

Daniel Cross; Justin Hoeckle; Michael K. Lavine; Jason Rubin; Kevin Z. Snow

Mobile communication technologies such as Bluetooth are becoming ubiquitous, but they must provide satisfactory levels of security and privacy. Concerns about Bluetooth device security have led to the specification of the “non-discoverable” mode, which prevents devices from being listed during a Bluetooth device search process. However, a non-discoverable Bluetooth device is visible to devices that know its address or can discover its address. This paper discusses the detection of non-discoverable Bluetooth devices using an enhanced brute force search attack. Our results indicate that the average time to attack a non-discoverable Bluetooth device using multiple search devices and condensed packet timing can be reduced to well under 24 hours.


IEEE European Symposium on Security and Privacy | 2017

Revisiting Browser Security in the Modern Era: New Data-Only Attacks and Defenses

Roman Rogowski; Micah Morton; Forrest Li; Fabian Monrose; Kevin Z. Snow; Michalis Polychronakis

The continuous discovery of exploitable vulnerabilities in popular applications (e.g., web browsers and document viewers), along with their heightening protections against control flow hijacking, has opened the door to an often neglected attack strategy—namely, data-only attacks. In this paper, we demonstrate the practicality of the threat posed by data-only attacks that harness the power of memory disclosure vulnerabilities. To do so, we introduce memory cartography, a technique that simplifies the construction of data-only attacks in a reliable manner. Specifically, we show how an adversary can use a provided memory mapping primitive to navigate through process memory at runtime, and safely reach security-critical data that can then be modified at will. We demonstrate this capability by using our cross-platform memory cartography framework implementation to construct data-only exploits against Internet Explorer and Chrome. The outcome of these exploits ranges from simple HTTP cookie leakage, to the alteration of the same origin policy for targeted domains, which enables the cross-origin execution of arbitrary script code. The ease with which we can undermine the security of modern browsers stems from the fact that although isolation policies (such as the same origin policy) are enforced at the script level, these policies are not well reflected in the underlying sandbox process models used for compartmentalization. This gap exists because the complex demands of today's web functionality make the goal of enforcing the same origin policy through process isolation a difficult one to realize in practice, especially when backward compatibility is a priority (e.g., for support of cross-origin IFRAMEs). While fixing the underlying problems likely requires a major refactoring of the security architecture of modern browsers (in the long term), we explore several defenses, including global variable randomization, that can limit the power of the attacks presented herein.


Engineering Secure Software and Systems | 2017

Defeating Zombie Gadgets by Re-randomizing Code upon Disclosure

Micah Morton; Hyungjoon Koo; Forrest Li; Kevin Z. Snow; Michalis Polychronakis; Fabian Monrose

Over the past few years, return-oriented programming (ROP) attacks have emerged as a prominent strategy for hijacking control of software. The full power and flexibility of ROP attacks was recently demonstrated using just-in-time ROP tactics (JIT-ROP), whereby an adversary repeatedly leverages a memory disclosure vulnerability to identify useful instruction sequences and compile them into a functional ROP payload at runtime. Since the advent of just-in-time code reuse attacks, numerous proposals have surfaced for mitigating them, the most practical of which involve the re-randomization of code at runtime or the destruction of gadgets upon their disclosure. Even so, several avenues exist for performing code inference, which allows JIT-ROP attacks to infer values at specific code locations without directly reading the memory contents of those bytes. This is done by reloading code of interest or implicitly determining the state of randomized code. These so-called “zombie gadgets” completely undermine defenses that rely on destroying code bytes once they are read. To mitigate these attacks, we present a low-overhead, binary-compatible defense which ensures an attacker is unable to execute gadgets that were identified through code reloading or code inference. We have implemented a prototype of the proposed defense for closed-source Windows binaries, and demonstrate that our approach effectively prevents zombie gadget attacks with negligible runtime overhead.


Network and Distributed System Security Symposium | 2015

Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming

Lucas Davi; Christopher Liebchen; Ahmad-Reza Sadeghi; Kevin Z. Snow; Fabian Monrose

Collaboration


Kevin Z. Snow's top co-authors and their affiliations.

Top Co-Authors

Fabian Monrose

University of North Carolina at Chapel Hill

Nathan Otterness

University of North Carolina at Chapel Hill

Srinivas Krishnan

University of North Carolina at Chapel Hill

Ahmad-Reza Sadeghi

Technische Universität Darmstadt

Lucas Davi

Technische Universität Darmstadt

Christopher Liebchen

Technische Universität Darmstadt

Jan Werner

Renaissance Computing Institute

Micah Morton

University of North Carolina at Chapel Hill