12th USENIX Security Symposium Abstract
Pp. 105-120 of the Proceedings
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits
Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar, Stony Brook University
Attacks which exploit memory programming errors (such as buffer overflows)
are one of today's most serious security threats. These attacks require an
attacker to have an in-depth understanding of the internal details of a
victim program, including the locations of critical data and/or code. Program obfuscation is a general technique for securing programs by
making it difficult for attackers to acquire such a detailed
understanding. This paper develops a systematic study of a particular kind
of obfuscation called address obfuscation that randomizes the
location of victim program data and code. We discuss different
implementation strategies to randomize the absolute locations of data and
code, as well as relative distances between data locations. We then
present our implementation that transforms object files and executables at
link-time and load-time. It requires no changes to the OS kernel or
compilers, and can be applied to individual applications without affecting
the rest of the system. It can be implemented with low runtime overheads.
Address obfuscation can reduce the probability of successful attacks to be
as low as a small fraction of a percent for most memory-error related
attacks. Moreover, the randomization ensures that an attack that succeeds
against one victim will likely not succeed against another victim, or even
for a second time against the same victim. Each failed attempt will
typically crash the victim program, thereby making it easy to detect
attack attempts. These aspects make it particularly effective against
large-scale attacks such as Code Red, since each infection attempt
requires significantly more resources, thereby slowing down the
propagation rate of such attacks.
- View the full text of this paper in HTML and
Until August 2004, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2003 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.