Moving Targets vs. Moving Adversaries: On the Effectiveness of System Randomization.

Memory-corruption vulnerabilities pose a severe threat on modern systems security. Although this problem is known for almost three decades it is unlikely to be solved in the near future because a large amount of modern software is still programmed in unsafe, legacy languages such as C/C++. With new vulnerabilities in popular software discovered almost every day, and with high third party demand for (purchasing) the corresponding exploits, runtime attacks are more prevalent than ever. Even perfect cryptography can easily be undermined by exploiting software vulnerabilities. Typically, one vulnerability in wide-spread software (e.g., Tor Browser) is sufficient for the adversary to compromise all users. Moving target approaches such as software diversity [2] and system randomization techniques [7] are considered to be effective and practical means to strongly reduce the scale of such attacks because ideally, the adversary would require to craft a unique exploit per user. However, recently it was shown that existing software-randomization schemes can be circumvented by practical exploitation techniques such as Just-In-Time Return Oriented Programming (JIT-ROP) that takes advantage of information leakage [1]. The attack demonstrated that even a single disclosed code pointer can be exploited to defeat any (fine-grained) code randomization scheme. Later, it was shown that there are various sources of information leakage that can be exploited such as virtual function pointers [4]. JIT-ROP motivated a number of subsequent works to prevent the adversary from reading code such as Readactor [3,5], or ASLR Guard [8]. For instance, Readactor and its successor Readactor++ [3,5] use various techniques to prevent direct and indirect code disclosure, which seems to be non-trivial in general [6]. The arms race will continue.