DynaGuard: Armoring Canary-based Protections against Brute-force Attacks
In this work, we focus on countermeasures against the byte-by-byte discovery of stack canaries in forking programs. This limitation, although known for years, has yet to be addressed effectively, and was recently abused by a series of exploits that allowed for the remote compromise of the popular Nginx web server and a full ASLR bypass in x86-64 Linux. We present DynaGuard, an extension to canary-based protections that further armors hardened applications against brute-force canary attacks. We have implemented DynaGuard in two flavors: a compiler-based version, which incurs an average runtime overhead of 1.2%, and a version based on dynamic binary instrumentation, which can protect binary-only applications without requiring access to source code. We have evaluated both implementations using a set of popular server applications and benchmark suites, and examined how the proposed design overcomes the limitations of previous proposals, ensuring application correctness and seamless integration with third-party software.
Author(s):
Theofilos Petsios, Columbia University, United States
Vasileios P. Kemerlis, Brown University, United States
Michalis Polychronakis, Stony Brook University, United States
Angelos D. Keromytis, Columbia University, United States