Stack Layout Randomization with Minimal Rewriting of Android Binaries

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9558))

Abstract

Stack-based attacks typically require that the attacker have a good understanding of the stack layout of the victim program. In this paper, we leverage specific features of the ARM architecture and propose a practical technique that introduces randomness into the stack layout when an Android application executes. We employ minimal binary rewriting of the Android app, producing a randomized executable of the same size that runs on an unmodified Android operating system. Our experiments, applying this randomization to the 20 most popular free Android apps on Google Play, show that the randomization coverage of functions increases from 65 % (for a state-of-the-art randomization approach) to 97.6 %, with, on average, 4 and 7 bits of randomness applied to each 16-bit and 32-bit function, respectively. We also show that it is effective in defending against stack-based memory vulnerabilities and real-world ROP attacks.

Notes

  1. Hopper Disassembler: http://www.hopperapp.com.

  2. We utilized one bit fewer as we chose not to include r0 for simplicity, since it usually carries the return value; however, it could be included if the function does not return anything.

Acknowledgments

We would like to thank the anonymous reviewers for providing valuable feedback on our work. This research was partially supported by the National Science Foundation of China (Grant No. 61202387, 61332019, and 61373168) and the National Key Basic Research Program of China (Grant No. 2014CB340600).

Author information

Correspondence to Guojun Peng.

Appendix

A Missing Functions in Static Analysis

[Listing 1: image not reproduced]

In this example, the jump target sub_7a35e8 is an exception handler that does not return the way a normal function would, so the function at 0x7c89a0, which begins immediately after the bl that calls it, is missed by Hopper.

B Complexities in Identifying Push/Pop Instructions

[Listing 2: image not reproduced]
[Listing 3: image not reproduced]

In Listing 2, the instructions at 0x28804, 0x28810, and 0x2881c are all epilogue instructions corresponding to the single prologue instruction at 0x287bc.

Listing 3 shows a function in which another push instruction, which pushes lr, precedes the prologue instruction. Correspondingly, the last three instructions first pop what was pushed at 0x45f62a, then adjust sp to discard what was pushed at 0x45f628, and finally return to the caller with a direct branch, bx lr.

[Listing 4: image not reproduced]
[Listing 5: image not reproduced]

Listing 4 shows an example in which the same number of registers is pushed and popped, but they are different registers. Listing 5 shows another example in which different numbers of registers are pushed and popped.

Figure 7 presents correct and incorrect randomization results for an original function similar to the one shown in Listing 5.

Fig. 7. Correct and incorrect randomization examples for unmatched push and pop (image not reproduced)

Fig. 8. Data on stack with new offsets (image not reproduced)
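The abstract, footnote 2 and Appendix B together describe the mechanism but show no code, so the following is an added example written for this page; it is not the authors' rewriter. It assumes (the page does not spell this out) that the randomization pads a function's prologue push and every pop that unwinds it with the same set of otherwise unused registers, which grows the saved-register area by a random number of slots without changing any instruction's size; r0 is kept out of the padding as footnote 2 says. The 16-bit Thumb PUSH/POP (T1) encoding reaches only r0-r7 plus lr/pc, which is why a 16-bit function has fewer candidate bits than a 32-bit one. Epilogues are found by sp depth rather than by pattern-matching the pop, so the multiple-epilogue, push-before-prologue and unmatched register-set cases of Listings 2-5 are all handled by one rule, and a verifier replays the symbolic stack to reject the kind of unmatched rewrite Fig. 7 warns about. The instruction model, the sample functions F_A and F_B and their addresses are constructed here; they are not the paper's listings.

```python
"""Stack-layout randomization by padding PUSH/POP register lists, with a
verifier for the push/pop matching pitfalls of Appendix B.  Added example, not
the paper's tool.  Assumed, not stated on the page: padding registers go into
the prologue PUSH and every POP that unwinds it; r0 is never padding; a
function is {addr: instr} plus straight-line paths from entry to each return;
only push/pop/sub sp/add sp/ret are modeled and sp-relative accesses are NOT
adjusted.  Forms: ("push", regs) ("pop", regs) ("sub_sp", n) ("add_sp", n) ("ret",)."""
import random

LR, PC, SLOT = 14, 15, 4

def encode_push_t1(regs):  # 16-bit Thumb PUSH (T1): 1011 010 M r7..r0, M = lr
    assert all(r <= 7 or r == LR for r in regs), "T1 PUSH reaches only r0-r7, lr"
    return 0xB400 | ((LR in regs) << 8) | sum(1 << r for r in regs if r <= 7)

def encode_pop_t1(regs):  # 16-bit Thumb POP (T1): 1011 110 P r7..r0, P = pc
    assert all(r <= 7 or r == PC for r in regs), "T1 POP reaches only r0-r7, pc"
    return 0xBC00 | ((PC in regs) << 8) | sum(1 << r for r in regs if r <= 7)

def simulate(func, path):
    """Symbolic stack walk (list end = lowest address): {reg: slot it popped}."""
    stack, got = [], {}
    for addr in path:
        op = func[addr]
        if op[0] == "push":  # lowest register is stored at the lowest address
            stack += [("saved", r) for r in sorted(op[1], reverse=True)]
        elif op[0] == "pop":  # registers are restored in ascending order
            for r in sorted(op[1]):
                got[r] = stack.pop()
        elif op[0] == "sub_sp":
            stack += [("local", addr, i) for i in range(op[1] // SLOT)]
        elif op[0] == "add_sp":
            del stack[len(stack) - op[1] // SLOT:]
        if (op[0] == "ret" or op[0] == "pop" and PC in op[1]) and stack:
            raise ValueError(f"sp unbalanced at return {addr:#x}")
    return got

def find_epilogue_pops(func, paths, prologue):
    """Pops that bring sp back exactly to its pre-prologue depth: covers several
    epilogues, a push before the prologue, and mismatched register sets/counts."""
    found = set()
    for path in paths:
        depth, base = 0, None
        for addr in path:
            op = func[addr]
            if op[0] == "push":
                base = depth if addr == prologue else base
                depth += SLOT * len(op[1])
            elif op[0] == "pop":
                new = depth - SLOT * len(op[1])
                if base is not None and depth > base and new == base:
                    found.add(addr)
                depth = new
            elif op[0] in ("sub_sp", "add_sp"):
                depth += op[1] if op[0] == "sub_sp" else -op[1]
    return found

def randomize(func, paths, prologue, rng, thumb16=True):
    """Pad prologue push and ALL its epilogue pops with the same random set of
    free registers; returns (rewritten func, bits of randomness)."""
    regs = func[prologue][1]
    epilogues = find_epilogue_pops(func, paths, prologue)
    used = set(regs) | {0}  # r0 carries the return value (footnote 2)
    for addr in epilogues:
        used |= func[addr][1]
    pool = [r for r in (range(8) if thumb16 else range(13)) if r not in used]
    pad = {r for r in pool if rng.getrandbits(1)}  # one random bit per register
    new = dict(func)
    new[prologue] = ("push", regs | pad)
    for addr in epilogues:
        new[addr] = ("pop", func[addr][1] | pad)
    return new, len(pool)

def verify(orig, new, paths):
    """True iff each register the original restores from its own saved slot
    (and pc from lr's slot) still gets that slot, on every path."""
    for path in paths:
        r_orig, r_new = simulate(orig, path), simulate(new, path)
        if any((s == ("saved", r) or r == PC) and r_new.get(r) != s
               for r, s in r_orig.items()):
            return False
    return True

# Constructed samples, not the paper's listings.  F_A: push of lr before the
# prologue, two epilogues ending in add sp + bx lr.  F_B: 2 pushed, 3 popped.
F_A = {0x1000: ("push", {LR}), 0x1002: ("push", {4, 5}), 0x1004: ("sub_sp", 8),
       0x1006: ("add_sp", 8), 0x1008: ("pop", {4, 5}), 0x100A: ("add_sp", 4),
       0x100C: ("ret",), 0x1010: ("add_sp", 8), 0x1012: ("pop", {4, 5}),
       0x1014: ("add_sp", 4), 0x1016: ("ret",)}
PATHS_A = [[0x1000, 0x1002, 0x1004, 0x1006, 0x1008, 0x100A, 0x100C],
           [0x1000, 0x1002, 0x1004, 0x1010, 0x1012, 0x1014, 0x1016]]
F_B = {0x2000: ("push", {4, LR}), 0x2002: ("sub_sp", 4), 0x2004: ("pop", {3, 4, PC})}
PATHS_B = [[0x2000, 0x2002, 0x2004]]

def demo(seed=7):
    rng = random.Random(seed)
    new_a, bits_a = randomize(F_A, PATHS_A, 0x1002, rng)
    new_b, bits_b = randomize(F_B, PATHS_B, 0x2000, rng)
    bad_b = dict(F_B)  # one register padded on each side, but different ones:
    bad_b[0x2000] = ("push", {4, 5, LR})  # r4 is now restored from r5's slot
    bad_b[0x2004] = ("pop", {2, 3, 4, PC})
    return {"a_ok": verify(F_A, new_a, PATHS_A), "a_bits": bits_a,
            "a_push": encode_push_t1(new_a[0x1002][1]),
            "b_ok": verify(F_B, new_b, PATHS_B), "b_bits": bits_b,
            "b_pop": encode_pop_t1(new_b[0x2004][1]), "bad_ok": verify(F_B, bad_b, PATHS_B)}
```

Two caveats a practitioner would add before using anything like this on a real binary. First, the example only keeps the saved-register area self-consistent; as Fig. 8's caption suggests, any sp-relative load or store that reaches past the saved registers into the caller's frame (stack-passed arguments, for instance) sees a different offset after padding and would have to be rewritten as well. Second, excluding r0 is the minimum: a register that is live at return (r1 for a 64-bit result, for example) must also be kept out of the padding, since the epilogue pop would overwrite it with its entry value.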

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Liang, Y. et al. (2016). Stack Layout Randomization with Minimal Rewriting of Android Binaries. In: Kwon, S., Yun, A. (eds) Information Security and Cryptology - ICISC 2015. Lecture Notes in Computer Science, vol 9558. Springer, Cham. https://doi.org/10.1007/978-3-319-30840-1_15

  • DOI: https://doi.org/10.1007/978-3-319-30840-1_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30839-5

  • Online ISBN: 978-3-319-30840-1