Defeating Memory Corruption Attacks by Replication and Diversification

Memory error exploits have been around for quite some time now, but despite all the efforts to prevent these attacks, they are still one of the most commonly exploited vulnerabilities to get arbitrary code execution - sometimes even with system privileges - on a target machine. Most of the protections currently deployed are probabilistic, meaning that they can make the exploitation of memory errors harder and more time consuming, but they cannot prevent them deterministically. It turned out that ASLR can be bypassed with techniques such as heap spraying, and that stack canaries can be left untouched by simply overwriting pointers other than the return address. Furthermore, these security mechanisms rely on keeping the seed secret, which cannot always be assured.

We propose a technique that provides deterministic protection against all memory corruption attacks that perform full pointer overwrites to redirect the execution flow. The key ideas are address space partitioning, process replication and I/O synchronization. Deterministic protection can be achieved by making sure that any virtual memory address is only valid in one of the processes. Any memory corruption attack that attempts to redirect the execution flow by a pointer overwrite, cannot be successful in both processes. Since both processes are fed with the same input, it will result in a segmentation fault in one of the processes. By monitoring the processes at system call ganularity, it can be assured that malicious code cannot do any damage to the system.

A PoC was developed in the course of the research, which is published under the terms of the LGPL.

auteur: 
Marc Nimmerrichter
bio: 
After receiving a BSc degree in Computing, Marc continued his studies on an MSc degree in Information Security at Royal Holloway, University of London. He currently works at Deloitte Luxembourg, providing Information Security consulting services to clients in the public and private sector. Marc has mainly been working on penetration tests, source code reviews and mobile security assessments.
ordre: 
8
heure: 
17h15