Nowhere to Hide

Bypassing Information Hiding

We have shown information hiding-based defenses using ASLR to hide a sensitive region in a huge address space are less secure than previously assumed using two new attack vectors: thread spraying and allocation oracles.

Information Hiding

Information hiding refers to hiding sensitive (meta)data in the address space by means of randomization (i.e., ASLR). This is to ensure attackers cannot disclose and/or tamper with the “hidden region” storing sensitive (meta)data. This strategy is used by many modern security defenses (e.g., SafeStack). An ideal information hiding implementation should ensure that the hidden region:

  • has no pointers referring to it stored in memory,
  • is hidden in a huge (64-bit) address space,
  • is small (resulting in high entropy against memory probing).

Thread Spraying

We have shown that (even ideal) defense implementations that keep per-thread hidden regions (e.g., SafeStack) are vulnerable to thread spraying attacks, where an attacker forces the victim process to spawn many threads and thereby spray the address space with many hidden regions. Without adequate thread limiting policies in place, an attacker can dramatically lower the entropy and mount a practical memory probing (or guessing) attack to locate a hidden region.

Our research induced Firefox to strictly limit the number of JavaScript worker threads: https://bugzilla.mozilla.org/show_bug.cgi?id=1286895

Allocation Oracles

We have shown that (even ideal) defense implementations can be bypassed quickly in practice on systems with memory overcommit enabled. An attacker can craft allocation oracle primitives and force the victim process to repeatedly allocate huge chunks of attacker-controlled sizes until she finds the size of the largest hole in the address space (using binary search). This basic strategy (with additional complications depending on the number of holes, hidden regions, etc.) is sufficient to completely exhaust the entropy and quickly locate the hidden region. We have shown that allocation oracles primitives are pervasive in real-world (server) programs and that end-to-end attacks can be mounted quickly and typically with no crashes at all.

To reproduce the demo below, you can find the code at https://github.com/vusec/poking-holes

Allocation Oracles Demo

MemSentry

A better alternative to information hiding is to rely on deterministic isolation techniques. MemSentry is a framework that leverages commodity (x86) hardware features to harden information hiding-based defenses with deterministic isolation techniques.

Check out the code at https://github.com/vusec/memsentry

Papers

Slides

Slides of the USENIX Security 2016 talk on allocation oracles