Skip to main content
eScholarship
Open Access Publications from the University of California

UC Irvine

UC Irvine Electronic Theses and Dissertations bannerUC Irvine

Securing Statically and Dynamically Compiled Programs using Software Diversity

Abstract

Code-reuse attacks are notoriously hard to defeat, and many current solutions to the problem focus on automated software diversity. This is a promising area of research, as diversity attacks one cause of code reuse attacks—the software monoculture. Software diversity raises the costs of an attack by providing users with different variations of the same program. However, modern software diversity implementations are still vulnerable to certain threats: code disclosure attacks and attacks targeted at JIT (just-in-time) compilers for dynamically compiled languages.

In this dissertation, we address the pressing problem of building secure systems out of programs written in unsafe languages. Specifically, we use software diversity to present attackers with an unpredictable attack surface. This dissertation contributes new techniques that improve the security, efficiency, and coverage of software diversity. We discuss three practical aspects of software diversity deployment: (i) performance optimization using profile guided code randomization, (ii) transparent code randomization for JIT compilers, and (iii) code hiding support for JIT compilers. We make the following contributions: we show a generic technique to reduce the runtime cost of software diversity, describe the first technique that diversifies the output of JIT compilers and requires no source code changes to the JIT engine, and contribute new techniques to prevent disclosure of diversified code. Specifically, we demonstrate how to switch between execute-only and read-write page permissions to efficiently and comprehensively prevent JIT-oriented exploits.

Our in-depth performance and security evaluation shows that software diversity can be efficiently implemented with low overhead (as low as 1% for profile-guided NOP insertion and 7.8% for JIT code hiding) and is an effective defense against a large class of code reuse and code disclosure attacks.

Main Content
For improved accessibility of PDF content, download the file to your device.
Current View