Detailed Record

Author (Chinese): 周君樺
Author (English): Chou, Chun-Hua
Title (Chinese): A Protection Mechanism Enhancing DLL Random Entropy on Windows Vista
Title (English): A DLL Protection Mechanism with Larger Random Entropy for Windows Vista
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Degree: Master
Institution: National Tsing Hua University
Department: Department of Computer Science
Student ID: 9662573
Publication year (ROC calendar): 98
Graduation academic year: 97
Language: English
Pages: 54
Keywords (Chinese): Randomization; API hooking
Keywords (English): Randomization; API hooking
Abstract (English):
In recent years, Address Space Layout Randomization (ASLR) has received increasing attention in diversity research. Continuing improvements to ASLR on Linux have reduced the probability of successfully attacking vulnerable machines. Windows also adopted ASLR, in Windows Vista and Windows Server 2008. We investigate the behavior of the ASLR implementation on Windows Vista: it randomizes the base addresses of executables and DLLs (Dynamic Link Libraries) over a range of 256 (8-bit) values, once per reboot. This entropy is much smaller than that of PaX ASLR. The demonstrated feasibility of breaking ASLR on Linux motivated our research, since the Windows Vista ASLR can likewise be broken by a brute-force attack. That prior work broke PaX ASLR with a novel return-into-libc attack on an Apache HTTP Server; the attack guesses only a 16-bit offset instead of needing the addresses of both the library segment and the stack. The aim of this thesis is therefore to prevent attackers from breaking ASLR on Windows Vista with an analogous return-into-dlls attack. To that end, we present a comprehensive system that provides (1) 13 bits of randomness in a preprocessing phase, and (2) an additional re-randomizing phase that relocates the entry point of each Win32 API after it is called. Experiments show that our system imposes no significant overhead on the whole program. Moreover, we explore how our system defeats classes of attacks that previous ASLR approaches cannot defend against. In conclusion, our security mechanism increases the effectiveness of randomization.
Abstract (Chinese, translated):
In recent years, address space layout randomization techniques have received wide attention. ASLR prevents an attacker from using the same exploit program to attack at worm-like scale. Today the technique is widely deployed on Unix-like systems, and Windows has integrated ASLR into its newly released operating system, Vista. However, ASLR on Windows Vista provides only 8 bits of randomness, far less than the PaX ASLR mechanism (16 bits). Furthermore, Windows Vista re-randomizes the layout of DLLs in memory only at each reboot. Recent research has used a return-into-libc attack to break PaX ASLR; we use the same approach (a return-into-dlls attack) to break ASLR on Windows Vista. In this thesis we design a mechanism for Windows Vista that strengthens the randomization of dynamic link libraries and prevents attackers from succeeding with a return-into-dlls attack. We not only provide 13 bits of randomness, but also randomly change the entry address of each Win32 API after every call to it, achieving per-call randomization. Experimental results show that our system can withstand attacks that the conventional ASLR mechanism cannot, such as information leakage attacks. Moreover, our system has little impact on overall performance, adding only about 8% execution time on average.
Table of Contents ........................................ I
List of Figures......................................... III
List of Tables ........................................... V
Chapter 1 Introduction ................................... 1
Chapter 2 Background ..................................... 3
2.1 ASLR on Vista ........................................ 3
2.2 Attack on PaX ASLR.................................... 6
2.3 Dangerous Win32 API List ............................. 7
2.4 API Hooking Methodology............................... 8
2.4.1 Proxy DLL........................................... 9
2.4.2 Import Address Table (IAT) Patching................ 10
2.4.3 Overwriting API Code .............................. 13
2.4.4 DLL (Dynamic Link Library) Injection .............. 19
Chapter 3 Approach Description........................... 21
3.1 Preprocessing Phase ................................. 23
3.2 Re-randomizing Phase................................. 27
3.2.1 The Flow Chart .................................... 28
Chapter 4 Experiment and Effectiveness................... 32
4.1 Performance ......................................... 32
4.1.1 The Runtime Overhead............................... 32
4.2 Effectiveness on Attacks Targeting ASLR.............. 35
4.2.1 Information Leakage Attack......................... 35
4.2.2 Brute-force or Guessing Attack..................... 36
4.2.3 Partial Pointer Corruption Attack.................. 37
Chapter 5 Discussion..................................... 38
Chapter 6 Related Work .................................. 40
6.1 Instruction Set Randomization (ISR).................. 40
6.2 Address Space Layout Randomization (ASLR)............ 42
6.2.1 Implementing on Linux.............................. 43
6.2.2 Implementing on Windows ........................... 45
Chapter 7 Conclusion..................................... 48
Bibliography ............................................ 49
(Full text not released for public access)