To date, a number of attacks which exploit memory errors have been developed. The earliest of these to achieve widespread popularity was the stack smashing attack [31, 27], in which a stack-allocated buffer is intentionally overflowed so that a return address stored on the stack is overwritten with the address of injected malicious code (see Figure 1). To thwart such attacks, several approaches were developed, which, in one way or another, prevent undetected modifications to a function's return address. They include the StackGuard [11] approach of putting canary values around the return address, so that stack smashing can be detected when the canary value is clobbered; saving a second copy of the return address elsewhere [9, 6]; and others [16].
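The two return-address defenses just named, a canary next to the return address and a second copy kept elsewhere, can be modelled in a few lines of C. The following is an added illustration, not code from the paper or from StackGuard, Libverify or RAD; the frame layout is a struct so that every write stays inside one object, and the fixed canary value, the 16-byte buffer and the return address 0x401000 are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the stack frame in Figure 1: a local buffer followed
 * (at higher addresses) by a canary and the saved return address.  A struct
 * keeps the unchecked copy below inside one object, so the model is
 * well-defined C while still showing what spills into the canary and the
 * return address slot. */
typedef struct {
    char      buf[16];
    uint32_t  canary;     /* StackGuard-style canary between buffer and return address */
    uintptr_t saved_ret;  /* return address as stored on the stack */
} frame_t;

/* Frame plus a second copy of the return address stored outside the frame,
 * as in the Libverify/RAD approach. */
typedef struct {
    frame_t   frame;
    uintptr_t shadow_ret;
} protected_frame_t;

/* Hypothetical fixed canary; a real implementation picks it at random per process. */
#define CANARY_VALUE 0xDEADBEEFu

/* Bit flags returned by epilogue_check(). */
#define CHECK_OK           0
#define CHECK_CANARY_BAD   1
#define CHECK_RET_MISMATCH 2

void frame_init(protected_frame_t *pf, uintptr_t ret)
{
    memset(pf, 0, sizeof *pf);
    pf->frame.canary    = CANARY_VALUE;
    pf->frame.saved_ret = ret;
    pf->shadow_ret      = ret;   /* second copy, taken before the buffer is written */
}

/* Models an unchecked strcpy()-style copy into buf: n bytes are written from
 * the start of buf, spilling into canary and saved_ret once n > sizeof buf.
 * The clamp keeps the demonstration inside the frame object. */
void unchecked_copy(protected_frame_t *pf, const unsigned char *src, size_t n)
{
    if (n > sizeof pf->frame)
        n = sizeof pf->frame;
    memcpy(&pf->frame, src, n);
}

/* The checks a protected function runs in its epilogue before returning. */
int epilogue_check(const protected_frame_t *pf)
{
    int status = CHECK_OK;
    if (pf->frame.canary != CANARY_VALUE)
        status |= CHECK_CANARY_BAD;        /* StackGuard detection */
    if (pf->frame.saved_ret != pf->shadow_ret)
        status |= CHECK_RET_MISMATCH;      /* Libverify/RAD detection */
    return status;
}

/* Copies n constructed filler bytes into a fresh frame and reports what the
 * epilogue checks would see. */
int simulate(size_t n)
{
    protected_frame_t pf;
    unsigned char input[64];
    memset(input, 'A', sizeof input);       /* constructed filler, not an exploit payload */
    frame_init(&pf, (uintptr_t)0x401000);   /* hypothetical return address */
    unchecked_copy(&pf, input, n);
    return epilogue_check(&pf);
}

int main(void)
{
    size_t lens[] = { 16, 17, sizeof(frame_t) };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int s = simulate(lens[i]);
        printf("%2zu bytes copied: %s%s%s\n", lens[i],
               s == CHECK_OK ? "no corruption detected" : "",
               (s & CHECK_CANARY_BAD) ? "canary clobbered; " : "",
               (s & CHECK_RET_MISMATCH) ? "return address differs from saved copy" : "");
    }
    return 0;
}
```

A copy that fits in the buffer leaves both checks quiet; one byte too many already corrupts the canary, and a copy long enough to reach the return address slot trips both checks. Note that the canary check alone fires on any overflow that crosses it, while the second-copy check only compares the return address itself, which is the difference behind note 4 of Figure 2.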
[Figure 1 diagram: stack layout in which the stack grows in the direction opposite to increasing addresses]
Figure 1: A buffer overflow in which the current function's return address is replaced with a pointer to injected code.
The current generation of compilers and application binary interfaces limit how much randomization is possible, and at what stage (compile-time, link-time, load-time or runtime) such randomization can be performed. Our implementation focuses on techniques that can be smoothly integrated into existing OS environments. The key contribution of this paper is to develop and analyze the range of address obfuscations that can be implemented effectively with low runtime overheads. The principal benefits of this approach are:
X = attack target protected by the technique; superscripts refer to the numbered notes below.

Technique              | Code pointer                                                     | Data pointer        | Non-pointer data
                       | Return addr. | Frame ptr | Function ptr        | Dyn. linker | Stack | Static/Heap | Stack | Static | Heap
                       | (stack)      | (stack)   | Stack | Static/Heap | tables      |       |             |       |        |
-----------------------+--------------+-----------+-------+-------------+-------------+-------+-------------+-------+--------+------
StackGuard [11]        | X^1          |           |       |             |             |       |             |       |        |
Libverify [6], RAD [9] | X^4          |           |       |             |             |       |             |       |        |
Etoh and Yoda [16]     | X^1          | X^1       | X^1   |             |             | X^1   |             | X^1   |        |
PointGuard [13]        | X^5          | X         | X     | X           | X           | X     | X           |       |        |
Address Obfuscation    | X^5          | X         | X     | X           | X           | X     | X           | X^2   | X^3    | X^2
1. Only protected from buffer-overflow attacks; no protection from other attacks.
2. Limited protection provided.
3. Possible in principle but not currently implemented.
4. Susceptible to attacks that simultaneously corrupt the return address and another location (the second copy of the return address).
5. Some susceptibility to attacks that corrupt return address and another stack-resident pointer.
Figure 2: Targets of memory error exploits, and effectiveness of defenses against them.