On the Weaknesses of Function Table Randomization

Moritz Contag, Robert Gawlik, Andre Pawlowski, Thorsten Holz

Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Paris, France, June 2018


Latest defenses against code-reuse attacks focus on information hiding and randomization as important building blocks. The main idea is that an attacker is not able to find the position of the code she wants to reuse, hence thwarting successful attacks. Current state-of-theart defenses achieve this by employing concepts such as execute-only memory combined with booby traps.

In this paper, we show that an attacker is able to abuse symbol metadata to gain valuable information about the address space. In particular, an attacker can mimic dynamic loading and manually resolve symbol addresses. We show that this is a powerful attack vector inherent to many applications using symbol resolving at runtime, an ubiquitous concept in today's systems. More importantly, we utilize this approach to resolve and reuse functions otherwise unavailable to an attacker due to function table randomization. To confirm the practical impact of this attack vector, we demonstrate how dynamic loading can be exploited to bypass Readactor++, the state-of-the-art defense against code-reuse attacks, despite its use of booby traps and virtual function table (vtable) randomization. Furthermore, we present a novel approach to protect symbol metadata to defend against such attacks. Our defense, called Symtegrity, is able to safeguard symbols from an attacker, whilst preserving functionality provided by the loader. It is both orthogonal to existing defenses and applicable to arbitrary binary executables. Empirical evaluation results show that our approach has an overhead of roughly 8% during application startup. At runtime, however, no noticeable performance impact is measured, as evident from both browser and SPEC benchmarks.


Tags: attacks, Code-reuse