25th USENIX Security Symposium has ended
Back To Schedule
Wednesday, August 10 • 2:00pm - 2:30pm
Undermining Information Hiding (and What to Do about It)

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

In the absence of hardware-supported segmentation, many state-of-the-art defenses resort to “hiding” sensitive information at a random location in a very large address space. This paper argues that information hiding is a weak isolation model and shows that attackers can find hidden information, such as CPI’s SafeStacks, in seconds—by means of thread spraying. Thread spraying is a novel attack technique which forces the victim program to allocate many hidden areas. As a result, the attacker has a much better chance to locate these areas and compromise the defense. We demonstrate the technique by means of attacks on Firefox, Chrome, and MySQL. In addition, we found that it is hard to remove all sensitive information (such as pointers to the hidden region) from a program and show how residual sensitive information allows attackers to bypass defenses completely.

We also show how we can harden information hiding techniques by means of an Authenticating Page Mapper (APM) which builds on a user-level page-fault handler to authenticate arbitrary memory reads/writes in the virtual address space. APM bootstraps protected applications with a minimum-sized safe area. Every time the program accesses this area, APM authenticates the access operation, and, if legitimate, expands the area on demand. We demonstrate that APM hardens information hiding significantly while increasing the overhead, on average, 0.3% on baseline SPEC CPU 2006, 0.0% on SPEC with SafeStack and 1.4% on SPEC with CPI.

avatar for Herbert Bos

Herbert Bos

Full professor, Vrije Universiteit Amsterdam
Herbert Bos is a full professor at VUSec, the systems security group at Vrije Universiteit Amsterdam in the Netherlands. He obtained his Ph.D. from Cambridge University Computer Laboratory (UK). Coming from a systems background, he drifted into security a few years ago and never left... Read More →

Robert Gawlik

Ruhr-Universität Bochum

Enes Goktas

Stevens Institute of Technology

Benjamin Kollenda

Ruhr-University Bochum

Wednesday August 10, 2016 2:00pm - 2:30pm PDT
Zilker Ballroom 2

Attendees (5)