[Seminar] Abusing Performance Optimization Weaknesses to Bypass ASLR

이병영(Byoungyoung Lee)
Ph.D student
Georgia Institute of Technology
Wednesday, November 19th 2014, 11:00am
Bldg. 302, Room 106

◾호스트: 전병곤 교수(x1928, 02-880-1928)


The primary goal of ASLR is to effectively randomize a program's memory layout so that adversaries cannot easily infer such information. As ASLR is a critical defense against exploitation, there have been tremendous efforts to evaluate the mechanism's security. To date, previous attacks that bypass ASLR have focused mostly on exploiting memory leak vulnerabilities, or abusing non-randomized data structures. In this presentation, we leverage vulnerabilities introduced by performance-oriented software design to reveal new ways in which ASLR can be bypassed. In addition to describing how vulnerabilities originate from such designs, we will present real attacks that exploit them.

First, we analyze general hash table designs for various programming languages (JavaScript, Python, Ruby). To optimize object tracking for such languages, their interpreters may leak address information. Some hash table implementations directly store the address information in the table, while others permit inference of address information through repeated table scanning. We exhaustively examined several popular languages to see whether each of them has one or both of these problems, and present how they can be leveraged. Next, we present an analysis of the Zygote process creation model, which is an Android operating system design for speeding up application launches. The results of our examination show that Zygote weakens ASLR because all applications are created with largely identical memory layouts.

This talk is based on my recent work published in IEEE S&P (Oakland) 2014 and Blackhat 2014.

Speaker Bio

Byoungyoung Lee is a PhD student at Georgia Tech, and he is largely working on system and software security. He is one of the contributors of the DarunGrim project, a popular binary diffing tool that uncovered many different Microsoft patched vulnerabilities. He has spoken at BlackHat and Infosec Southwest before, and he also has actively participated in wargames including DEFCON CTF. He also loves to write fuzzers targeting various software products for bug bounties.