ICSE 2020
Wed 24 June - Thu 16 July 2020
Thu 9 Jul 2020 00:00 - 00:12 at Baekje - P13-Security Chair(s): Joshua Garcia

Return-oriented programming (ROP) is an effective code-reuse attack in which short code sequences (i.e., gadgets) ending in a ret instruction are found within existing binaries and then executed by taking control of the call stack. The shadow stack, control flow integrity (CFI) and code (re)randomization are three popular techniques for protecting programs against return address overwrites. However, existing runtime rerandomization techniques operate on concrete return addresses, requiring expensive pointer tracking.

By adding one level of indirection, we introduce BarRA, the first shadow stack mechanism that applies continuous runtime rerandomization to abstract return addresses for protecting their corresponding concrete return addresses (protected also by CFI), thus avoiding expensive pointer tracking. As a nice side-effect, BarRA naturally combines the shadow stack, CFI and runtime rerandomization in the same framework. The key novelty of BarRA, however, is that once some abstract return addresses are leaked, BarRA will enforce the burn-after-reading property by rerandomizing the mapping from the abstract to the concrete return address space in the order of microseconds instead of seconds required for rerandomizing a concrete return address space. As a result, BarRA can be used as a superior replacement for the shadow stack, as demonstrated by comparing both using the 19 C/C++ benchmarks in SPEC CPU2006 (totalling 2,047,447 LOC) and analyzing a proof-of-concept attack, provided that we can tolerate some slight binary code size increases (by an average of 29.44%) and are willing to use 8MB of dedicated memory for holding up to $2^{20}$ return addresses (on a 64-bit platform). Under an information leakage attack (for some return addresses), the shadow stack is always vulnerable but BarRA is significantly more resilient (by reducing an attacker’s success rate to $\frac{1}{2^{20}}$ on average). In terms of the average performance overhead introduced, both are comparable: 6.09% (BarRA) vs. 5.38% (the shadow stack).
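To make the indirection described above concrete, here is an added simulation (not the paper's code, and not BarRA's actual implementation): call sites park the concrete return address behind a random abstract handle, returns go through shadow-stack and live-slot checks, and a rerandomization pass remaps every live entry so that a previously leaked handle no longer resolves to its target. Assumptions: a demo-sized table of 2^16 slots instead of the paper's 2^20, `rand()` as a stand-in RNG, and constructed return addresses.

```c
#include <stdint.h>
#include <stdlib.h>
/* Demo-sized mapping region: 2^16 slots here; the abstract's BarRA uses 2^20 slots in 8MB. */
#define SLOTS     (1u << 16)
#define MAX_DEPTH 64
static uintptr_t table[SLOTS];      /* abstract handle -> concrete return address (0 = free) */
static uint32_t  frames[MAX_DEPTH]; /* abstract handles as they would sit on the call stack */
static int       depth = 0;
/* Pick a random unused slot; rand() stands in for a real RNG (assumption). */
static uint32_t fresh_slot(void) {
    uint32_t i;
    do { i = (uint32_t)rand() % SLOTS; } while (table[i] != 0);
    return i;
}

/* Call: park the concrete return address behind a random abstract handle. */
uint32_t barra_call(uintptr_t concrete_ret) {
    uint32_t h = fresh_slot();
    table[h] = concrete_ret;
    frames[depth++] = h;
    return h;
}
/* What a ret driven by a (possibly leaked) handle would reach: live target, or 0. */
uintptr_t barra_resolve(uint32_t handle) {
    return handle < SLOTS ? table[handle] : 0;
}
/* Return: shadow-stack discipline (handle must be the top frame); the slot is consumed. */
uintptr_t barra_ret(uint32_t handle) {
    if (depth == 0 || frames[depth - 1] != handle) return 0; /* real BarRA would abort here */
    uintptr_t c = table[handle];
    table[handle] = 0;
    depth--;
    return c;
}

/* Burn after reading: copy every live entry to a fresh slot, then free the old ones,
 * so any handle leaked before this call no longer maps to its original target. */
void barra_rerandomize(void) {
    uint32_t moved[MAX_DEPTH];
    for (int d = 0; d < depth; d++) {         /* phase 1: old slots still occupied, no reuse */
        moved[d] = fresh_slot();
        table[moved[d]] = table[frames[d]];
    }
    for (int d = 0; d < depth; d++) {         /* phase 2: burn old slots, rewrite handles */
        table[frames[d]] = 0;
        frames[d] = moved[d];
    }
}
uint32_t barra_top(void)   { return depth ? frames[depth - 1] : UINT32_MAX; }
int      barra_depth(void) { return depth; }
```

After `barra_rerandomize()` a leaked handle resolves to nothing, and an attacker who must guess a fresh handle succeeds with probability 1/SLOTS, which is the 1/2^20 figure in the abstract for the full-size table.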

Session: 00:00 - 01:00, Paper Presentations - P13-Security at Baekje. Chair(s): Joshua Garcia (University of California, Irvine)
Authors (00:00 - 00:12, icse-2020-papers track): Changwei Zou (UNSW Sydney), Jingling Xue (UNSW Sydney)