This month David Williams-King at Columbia U. and colleagues demonstrated something that I’ve dreamt of for many years: “Shuffler: Fast and Deployable Continuous Code Re-Randomization”.
That’s right, the operating system continuously shuffles its code around as it runs, making it much more difficult to hack. I imagined doing this long, long ago, back when I was building operating systems, but it was too mind-bendingly hard for my tiny little brain. How can I not be impressed with this work!
The basic idea is to defeat security threats that exploit bugs in code by overwriting memory to force the code to jump to the wrong address, where it executes the attacker’s code. Some systems use obfuscation or encryption to scramble the code, which makes it more difficult to understand the code in memory. But any static obfuscation is vulnerable to “cut and paste” attacks: if I know a particular chunk of code is vulnerable, I can use it even if I can’t read it clearly.
For better security, there should be “dynamic” defenses as well, to try to assure that the code is unmodified as it is executed, and randomization so the code is never exactly the same twice. “Shuffler” is a pure form of the latter approach.
With Shuffler, you never execute the same code twice.
The basic idea is to analyze the program to determine all the blocks of code, and create tables of addresses. A thread runs continuously, rewriting the code several times a second, “creating new copies of code, fixing up instruction displacements, updating pointers in the code table, etc.” (If this sounds obsessive-compulsive and fiddly, it surely is. But it is all automated, so the computer does all this crazy repeated rewriting.)
The effect is that, even if an attacker finds a memory corruption bug, it is impossible to know what values to write into memory to suborn the code.
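As an added illustration (my own toy model, not the paper's code), here is a small Python sketch of that rewriting loop: every shuffle moves the code blocks to fresh random addresses, fixes up each relative displacement, refreshes the code pointer table that indirect calls go through, and a raw address leaked before a shuffle can be checked against the layout after it. The block sizes, the arena size and the 5-byte instruction length are assumptions for the model.

```python
import random
# Toy model of Shuffler-style continuous code re-randomization (added example,
# not the paper's code). A block has a size and (offset, target) relative
# references (calls/jumps as rel32 displacements). Each shuffle() moves every
# block, recomputes every displacement and refreshes the code pointer table.
ARENA = 0x10000   # size of the toy code region (constructed value)
INSN = 5          # assumed size of a rel32 call/jmp instruction (constructed)
# Constructed sample program: three blocks with call/jump references between them.
PROGRAM = {"main": (64, [(10, "parse"), (40, "log")]),
           "parse": (128, [(100, "log")]), "log": (32, [])}

class Shuffler:
    def __init__(self, blocks, seed=1):
        self.blocks = blocks          # {name: (size, [(offset, target), ...])}
        self.names = list(blocks)     # pointer-table index -> block name
        self.rng = random.Random(seed)
        self.base, self.disp, self.table = {}, {}, {}
        self.shuffle()

    def shuffle(self):
        """Relocate all blocks, then fix up displacements and the pointer table."""
        order = list(self.names)
        self.rng.shuffle(order)       # random placement order with random gaps
        slack = ARENA - sum(self.blocks[n][0] for n in order)
        cursor = 0
        for n in order:
            cursor += self.rng.randrange(0, slack // len(order) + 1)
            self.base[n] = cursor
            cursor += self.blocks[n][0]
        for i, n in enumerate(self.names):
            self.table[i] = self.base[n]   # indirect pointers index this table
        for n, (_, refs) in self.blocks.items():
            for off, target in refs:       # rel32: target - address of next insn
                self.disp[(n, off)] = self.base[target] - (self.base[n] + off + INSN)

    def resolve(self, name, off):     # follow a relative reference like the CPU
        return self.base[name] + off + INSN + self.disp[(name, off)]

def layout_is_consistent(sh):
    """True if every fixed-up reference lands exactly on its target block."""
    return all(sh.resolve(n, off) == sh.base[t]
               for n, (_, refs) in sh.blocks.items() for off, t in refs)

def stale_hits(sh, name, rounds):
    """Rounds in which a raw address of `name` leaked now is still correct."""
    leaked, hits = sh.base[name], 0
    for _ in range(rounds):
        sh.shuffle()
        hits += sh.base[name] == leaked
    return hits
```

Running `stale_hits(Shuffler(PROGRAM), "main", 20)` shows how rarely an address captured in one generation survives into the next, while `layout_is_consistent` confirms that the program's own references keep working after every shuffle.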
The researchers have implemented a demonstration (not yet available), and the paper provides data indicating that the performance is not too bad.
- David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Vasileios P. Kemerlis, Junfeng Yang, and William Aiello. Shuffler: Fast and Deployable Continuous Code Re-Randomization. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI), Savannah, 2016. http://www.cs.columbia.edu/~junfeng/papers/shuffler-osdi16.pdf