We believe that address obfuscation has significant potential
to constrain the increasing threat of widely spread buffer
overflow-type of attacks. By randomly re-arranging the memory space that
holds a computer program and its data during execution,
the core vulnerability that buffer overflow attacks have been
exploiting is addressed --- namely,
the predictable location of control information and
Unlike many existing techniques, which deploy
attack-specific mechanisms to overcome known attack scenarios, address
obfuscation is a generic mechanism that has a broad range of application to
many memory error-related attacks.
Since each system is obfuscated differently, even if an attacker
successfully subverts one system
on a network, the attack will have to essentially start over from scratch
and make many attempts before a second system can be subverted. In the
context of self-replicating attacks, this factor will greatly slow down
the spread of worms and viruses. Thus, address obfuscation provides a simple and
effective solution to combat the spread of viruses and worms which
replicate by exploiting memory errors.
Our main goal for the future is to improve the quality of randomization
that can be done at the binary level.
In particular, we are interested in randomizing the relative
distances between objects in all regions of a program, instead of just
the stack and heap, as is the case with our current implementation.
There are basically two avenues for this work.
The first is a tool that works with existing binary files.
Such a tool will
be restricted in the types of obfuscations which can be applied, but will
have a wide potential impact. Addressing relative-distance issues requires
both inserting padding between and permuting the order of data and code,
which requires the relocation of affected addresses.
Performing these sorts of relocations on binaries is not
always feasible due to the difficulty of distinguishing pointers from
non-pointers, sizes of data objects, and code from data.
We plan on developing better analysis tools,
and combining this with a flexible transformation strategy that applies as
many obfuscations as possible within the limits of the analysis.
The second avenue is to augment binaries with an extra section that contains
the information required to safely perform relocations. This approach requires
a relatively minor change to the compiler infrastructure, as the information
required is similar to the information already being generated to support the
linking of object modules. Given the extra information, a program can be
obfuscated at link- or load-time in a more thorough manner which will
change all relative and absolute addresses in every program region.