DOI: 10.1109/CGO.2013.6494997

Profile-guided automated software diversity

Published: 23 February 2013

Abstract

Code-reuse attacks are notoriously hard to defeat, and most current solutions to the problem focus on automated software diversity. This is a promising area of research, as diversity attacks the common denominator enabling code-reuse attacks: the software monoculture. Recent research in this area provides security, but at an unfortunate price: performance overhead. Leveraging previously collected profiling information, compilers can substantially improve subsequent code generation. Traditionally, profile-guided optimization focuses on hot program code, where a program spends most of its execution time. Optimizing rarely executed code does not significantly impact performance, so few optimizations focus on this code. We use profile-guided optimization to reduce the performance overhead of software diversity. The primary insight is that we are free to diversify cold code, but restrict our diversification efforts in hot code. Our work investigates the impact of profiling on an expensive diversification technique: NOP insertion. By differentiating between hot and cold code, we optimize NOP insertion overheads from a maximum of 25% down to a negligible 1%, while preserving the security properties of the original defense. Consequently, using our profile-guided diversification technique, even randomization techniques with a high performance overhead become practical.
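As an added illustration (not code from the paper), a small Python model of the policy the abstract describes: basic blocks are classified as hot or cold from constructed profile counts, NOPs are inserted with a high probability in cold code and a low or zero probability in hot code, and the expected dynamic overhead is compared against uniform insertion. The block names, instruction lists, execution counts, probabilities and the hot/cold split rule are all assumptions made for the example.

```python
import random
from dataclasses import dataclass

@dataclass
class BasicBlock:
    name: str
    insns: list        # instruction mnemonics (constructed sample)
    exec_count: int    # executions observed in the profiling run (constructed)

# Constructed toy program: a tight loop dominates execution; setup and error handling almost never run.
SAMPLE_BLOCKS = [
    BasicBlock("init",        ["push rbp", "mov rbp, rsp"] + ["mov"] * 18, 1),
    BasicBlock("loop_header", ["cmp rcx, rdx", "jge exit"], 1_000_001),
    BasicBlock("loop_body",   ["mov", "add", "mov", "inc rcx", "jmp loop_header"], 1_000_000),
    BasicBlock("error_path",  ["lea"] * 15, 0),
    BasicBlock("cleanup",     ["pop rbp"] * 9 + ["ret"], 1),
]

def dynamic_insns(block):
    return block.exec_count * len(block.insns)   # instructions this block contributed at run time

def classify_hot(blocks, hot_fraction=0.9):
    """Hot set (assumed rule): the heaviest blocks that together cover hot_fraction of executed instructions."""
    total = sum(dynamic_insns(b) for b in blocks)
    hot, covered = set(), 0
    for b in sorted(blocks, key=dynamic_insns, reverse=True):
        if covered >= hot_fraction * total:
            break
        hot.add(b.name)
        covered += dynamic_insns(b)
    return hot

def expected_overhead(blocks, hot, p_hot, p_cold):
    """Expected extra executed instructions, relative to the profiled run, when a NOP precedes
    each instruction with probability p_hot in hot blocks and p_cold in cold blocks."""
    total = sum(dynamic_insns(b) for b in blocks)
    extra = sum(dynamic_insns(b) * (p_hot if b.name in hot else p_cold) for b in blocks)
    return extra / total

def diversify(blocks, hot, p_hot, p_cold, seed=0):
    """One randomized variant: every inserted NOP shifts the addresses of all code behind it,
    which is what invalidates a gadget chain prepared against a different build."""
    rng = random.Random(seed)
    variant = {}
    for b in blocks:
        p = p_hot if b.name in hot else p_cold
        out = []
        for insn in b.insns:
            if rng.random() < p:
                out.append("nop")
            out.append(insn)
        variant[b.name] = out
    return variant
```

With the sample profile, uniform insertion at probability 0.25 costs 25% extra executed instructions, while insertion only in cold code (p_hot = 0, p_cold = 0.5) costs a few millionths of a percent, although the cold blocks are still randomized.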




Published In

CGO '13: Proceedings of the 2013 IEEE/ACM International Symposium on Code Generation and Optimization (CGO)
February 2013
366 pages
ISBN: 9781467355247

Publisher

IEEE Computer Society, United States

Author Tags

  1. Automated Software Diversity
  2. Code
  3. Cold
  4. Compilers
  5. NOP insertion
  6. Profiling

Qualifiers

  • Article


Cited By

  • (2024) Erlang: Application-Aware Autoscaling for Cloud Microservices. Proceedings of the Nineteenth European Conference on Computer Systems, pages 888-923. DOI: 10.1145/3627703.3650084. Online publication date: 22-Apr-2024
  • (2023) Thwarting code-reuse and side-channel attacks in embedded systems. Computers and Security, 133:C. DOI: 10.1016/j.cose.2023.103405. Online publication date: 1-Oct-2023
  • (2022) Constraint-based Diversification of JOP Gadgets. Journal of Artificial Intelligence Research, 72, pages 1471-1505. DOI: 10.1613/jair.1.12848. Online publication date: 4-Jan-2022
  • (2021) Exploitation Techniques for Data-oriented Attacks with Existing and Potential Defense Approaches. ACM Transactions on Privacy and Security, 24:4, pages 1-36. DOI: 10.1145/3462699. Online publication date: 2-Sep-2021
  • (2021) Byzantine Fault-tolerant State-machine Replication from a Systems Perspective. ACM Computing Surveys, 54:1, pages 1-38. DOI: 10.1145/3436728. Online publication date: 11-Feb-2021
  • (2020) Identifying and (automatically) remedying performance problems in CPU/GPU applications. Proceedings of the 34th ACM International Conference on Supercomputing, pages 1-13. DOI: 10.1145/3392717.3392759. Online publication date: 29-Jun-2020
  • (2020) Exploring Impact of Profile Data on Code Quality in the HotSpot JVM. ACM Transactions on Embedded Computing Systems, 19:6, pages 1-26. DOI: 10.1145/3391894. Online publication date: 3-Oct-2020
  • (2020) Methodologies for Quantifying (Re-)randomization Security and Timing under JIT-ROP. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pages 1803-1820. DOI: 10.1145/3372297.3417248. Online publication date: 30-Oct-2020
  • (2018) Quantifying the Effectiveness of Software Diversity using Near-Duplicate Detection Algorithms. Proceedings of the 5th ACM Workshop on Moving Target Defense, pages 1-10. DOI: 10.1145/3268966.3268974. Online publication date: 15-Oct-2018
  • (2018) TRIMMER: application specialization for code debloating. Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pages 329-339. DOI: 10.1145/3238147.3238160. Online publication date: 3-Sep-2018
