Advancing Memory-corruption Attacks and Defenses

2018 
Adversaries exploit software vulnerabilities in modern software to compromise computer systems. While the number and sophistication of such attacks are constantly increasing, most of them are based on memory-corruption vulnerabilities, a problem that has persisted for the last four decades. The research community has taken on the challenge of providing mitigations against memory-corruption-based attack techniques such as code injection, code reuse, and data-only attacks. In a constant arms race, researchers from academia and industry develop new attack techniques to reveal weaknesses in existing defense techniques and, based on these findings, propose new mitigation techniques with the goal of providing efficient and effective defenses in the presence of memory-corruption vulnerabilities. Along this line of research, this dissertation contributes significantly to this goal by providing attacks on recently proposed mitigations and more enhanced defenses against memory-corruption-based attacks.

Specifically, we present sophisticated attacks against the CFI implementations of two premier open-source compilers, and demonstrate conceptual limitations of coarse- and fine-grained CFI. Our first attack exploits a compiler-introduced race-condition vulnerability, which temporarily spills read-only CFI-critical variables to writable memory and hence enables the attacker to bypass the CFI check. Our second attack is a data-only attack that modifies the intermediate representation of the JIT compiler in browsers to generate attacker-controlled code. We then turn our attention to attacking randomization-based defenses. We demonstrate conceptual limitations of randomization with two advanced memory-disclosure attack techniques. In particular, we demonstrate that the attacker can bypass any code randomization either by reading the code directly, or indirectly by combining static code analysis with a sufficient number of disclosed code pointers.
Based on the insights we gain through our attack techniques, we design and implement a leakage-resilient code randomization scheme to defeat code-reuse attacks by using execute-only memory to mitigate memory-disclosure attacks. Since x86 does not natively support execute-only memory, we leverage memory virtualization to enable it for server and desktop systems. Moreover, since most embedded systems do not offer memory virtualization, we demonstrate how to overcome this limitation by implementing a compiler extension that enables software-based execute-only memory for ARM-based systems. Lastly, we demonstrate how leakage-resilient randomization can also be deployed to mitigate data-only attacks against the page table.