DynaGuard: Armoring Canary-based Protections against Brute-force Attacks

Over the past decade many exploit mitigation techniques have been introduced to defend against memory corruption attacks. W^X, ASLR, and canary-based protections are nowadays widely deployed and considered standard practice. However, despite the fact that these techniques have evolved over time, they still suffer from limitations that enable skilled adversaries to bypass them. In this work, we focus on countermeasures against the byte-by-byte discovery of stack canaries in forking programs. This limitation, although known for years, has yet to be addressed effectively, and was recently abused by a series of exploits that allowed for the remote compromise of the popular Nginx web server and a full ASLR bypass in x86-64 Linux. We present DynaGuard, an extension to canary-based protections that further armors hardened applications against brute-force canary attacks. We have implemented DynaGuard in two flavors: a compiler-based version, which incurs an average runtime overhead of 1.2%, and a version based on dynamic binary instrumentation, which can protect binary-only applications without requiring access to source code. We have evaluated both implementations using a set of popular server applications and benchmark suites, and examined how the proposed design overcomes the limitations of previous proposals, ensuring application correctness and seamless integration with third-party software.