Making Code Re-randomization Practical with MARDU

Abstract: Defense techniques such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) were the early role models preventing primitive code injection and return-oriented programming (ROP) attacks. Notably, these techniques did so in an elegant and utilitarian manner, keeping performance and scalability in the forefront, making them one of the few widely-adopted defense techniques. As code re-use has evolved in complexity from JIT-ROP, to BROP and data-only attacks, defense techniques seem to have tunneled on defending at all costs, losing-their-way in pragmatic defense design. Some fail to provide comprehensive coverage, being too narrow in scope, while others provide unrealistic overheads leaving users willing to take their chances to maintain performance expectations. We present Mardu, an on-demand system-wide re-randomization technique that improves re-randomization and refocuses efforts to simultaneously embrace key characteristics of defense techniques: security, performance, and scalability. Our code sharing with diversification is achieved by implementing reactive and scalable, rather than continuous or one-time diversification while the use of hardware supported eXecute-only Memory (XoM) and shadow stack prevent memory disclosure; entwining and enabling code sharing further minimizes needed tracking, patching costs, and memory overhead. Mardu's evaluation shows performance and scalability to have low average overhead in both compute-intensive (5.5% on SPEC) and real-world applications (4.4% on NGINX). With this design, Mardu demonstrates that strong and scalable security guarantees are possible to achieve at a practical cost to encourage deployment.