
Compiler-assisted Code Randomization (CCR)

Update News

10/07/19 CCR supports LLVM 9

09/23/19 CCR handles IFUNC cases (R_X86_64_IRELATIVE) in a rela.plt section

04/27/19 CCR supports LLVM 6

04/25/19 CCR supports handwritten (standalone) assembly files. Because LLVM does not generate any internal MBB/MF structure for them, fixup updates are silently skipped. Technically, it is difficult to obtain basic block boundaries from the compiler, so CCR excludes an object file generated from standalone assembly from randomization. Note that LTO also skips optimization for such object files.

10/08/18 A randomizer (prander) partially supports updates for a .debug_info section. It is just experimental. A .debug_line section has to be updated as well.

07/08/18 CCR internally checks if an object file is compiled from the source code that includes assembly (none/inline/standalone). This information will help randomization at the function level in case of standalone assembly later.

Overview

CCR is a hybrid method for enabling practical and generic code randomization based on compiler-rewriter cooperation. CCR currently supports rapid client-side fine-grained code randomization (at both the function level and the basic block level) at installation time. The main concept behind CCR is to augment final executables with a minimal (pre-defined) set of transformation-assisting metadata. The following table briefly shows the essential information that is collected/adjusted at compilation/linking time.

| Metadata | Collected Information | Collection time |
| --- | --- | --- |
| Layout | Section offset to first object | Linking |
| | Section offset to main() function if any | Linking |
| | Total code size for randomization | Linking |
| Basic Block (BBL) | BBL size (in bytes) | Linking |
| | BBL boundary type (BBL, FUN, OBJ) | Compilation |
| | Fall-through or not | Compilation |
| | Section name that BBL belongs to | Compilation |
| Fixup | Offset from section base | Linking |
| | Dereference size | Compilation |
| | Absolute or relative | Compilation |
| | Type (c2c, c2d, d2c, d2d) | Linking |
| | Section name that fixup belongs to | Compilation |
| Jump Table | Size of each jump table entry | Compilation |
| | Number of jump table entries | Compilation |

For more details, please refer to our IEEE S&P 2018 paper.
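The following is an added example, not code from the CCR project or its prander randomizer. It is a simplified Python model of what a rewriter does with the metadata in the table above at function level: it records, for every fixup, which function (and which offset inside it) the fixup targets, permutes the functions, moves their bodies, and re-encodes each fixup from the recorded metadata alone. Only the fields a function-level shuffle needs are modelled (function boundaries; fixup offset, dereference size, absolute/relative, c2c/d2c type); basic-block shuffling, jump tables and the c2d/d2d fixup types are left out. The encodings (rel32 for relative fixups, 8-byte little-endian pointers for absolute ones), the `CODE_BASE` load address, and the sample functions and fixups in `build_sample()` are all assumptions constructed for this example.

```python
"""Simplified model of function-level randomization driven by CCR-style metadata.
Added example, not code from the CCR project or prander. Encodings (rel32 and
8-byte absolute pointers) and CODE_BASE are assumptions chosen for the example.
"""
import random
import struct
from dataclasses import dataclass

CODE_BASE = 0x400000  # assumed load address of the code section

@dataclass
class Function:
    name: str
    offset: int  # section offset of the first byte (FUN boundary in the metadata)
    size: int    # total size in bytes

@dataclass
class Fixup:
    offset: int       # offset from section base of the field to patch
    deref_size: int   # 4 for rel32, 8 for an absolute pointer
    is_absolute: bool
    kind: str         # "c2c" (field lives in code) or "d2c" (field lives in data)

def read_target(code, data, fx):
    """Decode the code-section offset a fixup currently points at."""
    buf = code if fx.kind == "c2c" else data
    raw = buf[fx.offset:fx.offset + fx.deref_size]
    if fx.is_absolute:
        return struct.unpack("<Q", raw)[0] - CODE_BASE
    # rel32 is relative to the end of the displacement field
    return fx.offset + fx.deref_size + struct.unpack("<i", raw)[0]

def write_target(code, data, fx, target):
    """Re-encode a fixup so that it points at code-section offset `target`."""
    buf = code if fx.kind == "c2c" else data
    if fx.is_absolute:
        buf[fx.offset:fx.offset + 8] = struct.pack("<Q", CODE_BASE + target)
    else:
        buf[fx.offset:fx.offset + 4] = struct.pack("<i", target - (fx.offset + 4))

def locate(functions, off):
    """Map a section offset to (function index, offset inside that function)."""
    for i, f in enumerate(functions):
        if f.offset <= off < f.offset + f.size:
            return i, off - f.offset
    raise ValueError("offset %#x is outside every function" % off)

def randomize(functions, fixups, code, data, seed):
    """Permute function order and patch every fixup from the metadata alone."""
    # 1. Remember, for each fixup, which function (and where inside it) it targets.
    targets = [locate(functions, read_target(code, data, fx)) for fx in fixups]
    # 2. Pick a new order and assign new section offsets.
    order = list(range(len(functions)))
    random.Random(seed).shuffle(order)
    new_off, cursor = {}, 0
    for i in order:
        new_off[i] = cursor
        cursor += functions[i].size
    # 3. Move the function bodies; instruction bytes are opaque to the rewriter.
    new_code = bytearray(len(code))
    for i, f in enumerate(functions):
        new_code[new_off[i]:new_off[i] + f.size] = code[f.offset:f.offset + f.size]
    new_data = bytearray(data)
    # 4. Fixup fields inside moved code move with it; then re-encode each target.
    new_fixups = []
    for fx, (ti, intra) in zip(fixups, targets):
        if fx.kind == "c2c":
            fi, fintra = locate(functions, fx.offset)
            fx = Fixup(new_off[fi] + fintra, fx.deref_size, fx.is_absolute, fx.kind)
        write_target(new_code, new_data, fx, new_off[ti] + intra)
        new_fixups.append(fx)
    new_functions = [Function(f.name, new_off[i], f.size) for i, f in enumerate(functions)]
    return new_functions, new_fixups, new_code, new_data

def build_sample():
    """Constructed input: four functions, two rel32 calls and one pointer in data."""
    functions = [Function("f0", 0, 64), Function("f1", 64, 64),
                 Function("f2", 128, 48), Function("f3", 176, 32)]
    rng = random.Random(1)
    code = bytearray(rng.randrange(256) for _ in range(208))  # stand-in instruction bytes
    data = bytearray(16)
    fixups = [Fixup(10, 4, False, "c2c"),    # call in f0 to f2+0
              Fixup(140, 4, False, "c2c"),   # call in f2 to f1+8
              Fixup(0, 8, True, "d2c")]      # function pointer in data to f3+0
    for fx, target in zip(fixups, (128, 72, 176)):
        write_target(code, data, fx, target)
    return functions, fixups, code, data

def same_targets(orig, new):
    """True if every fixup still resolves to the same function and intra-offset."""
    fns, fxs, code, data = orig
    nfns, nfxs, ncode, ndata = new
    return ([locate(fns, read_target(code, data, fx)) for fx in fxs]
            == [locate(nfns, read_target(ncode, ndata, fx)) for fx in nfxs])

if __name__ == "__main__":
    orig = build_sample()
    new = randomize(*orig, seed=7)
    print("order:", [f.name for f in sorted(new[0], key=lambda f: f.offset)])
    print("all fixups still valid:", same_targets(orig, new))
```

Without the fixup metadata, step 4 is impossible: the rewriter cannot tell a rel32 displacement from ordinary instruction bytes, which is exactly why the toolchain records the fixup offset, size and kind at compile/link time instead of recovering them by disassembly.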

How to build CCR

We provide a handy build script (build.sh) to automate the entire toolchain installation, which includes:

  • modified LLVM 3.9.0 and clang compiler compilation
  • binutils 2.27 and modified gold linker (ld-new) compilation
  • Google's protocol buffers 3.1.0 compiler (protoc) compilation for metadata serialization/deserialization
  • shared object (shuffleInfo.so) generation with the shuffleInfo.proto definition
  • required packages installation
  • python packages (protobuf and pyelftools) installation
  • symbolic link creation to the modified compiler (dubbed as ccr and ccr++), the gold linker and the randomizer

Once the build script runs successfully, check out the following components.

  • CCR C Compiler : /usr/local/bin/ccr symbolically links to ./llvm-3.9.0/build/bin/clang
  • CCR C++ Compiler: /usr/local/bin/ccr++ symbolically links to ./llvm-3.9.0/build/bin/clang++
  • CCR Gold Linker : /usr/bin/ld symbolically links to ./binutils-2.27/gold/ld-new by default
  • Randomizer : ./randomizer/prander.py (prander is dubbed as a practical randomizer)

Finally, make sure that CCR can properly load shuffleInfo.so, located in both /usr/lib and /usr/local/lib. If not, sudo ldconfig may help.

$ ldd $(readlink -e `which ccr`) | grep shuffleInfo
        shuffleInfo.so => /usr/lib/shuffleInfo.so (0x00007f42b4db9000)
$ ldd $(readlink -e `which ld`) | grep shuffleInfo
        libshuffleInfo.so => /usr/local/lib/libshuffleInfo.so (0x00007f3185af9000)

Notes for CCR build

The build script:

  • Requires at least 8GB memory and 30GB HDD space
  • Installs protoc, shuffleInfo.so, and other necessary packages on your system
  • Does not install the compiler and linker, but creates symbolic links instead
  • Changes the default linker to ld.gold at build time, and to ld-new at the end

Note that the script has been tested on Ubuntu 16.04 only (using the default gcc 5.4 and gold 1.11). If the first build attempt fails, you may want to change the linker back to the system's default linker (i.e., ld.bfd) before running the build script again. We recommend not using ld.gold for LLVM compilation.

Build with Docker

A Docker script is available for easily testing CCR within a Docker container. The following commands show how to install Docker and how to generate the CCR container.

$ curl -fsSL https://get.docker.com/ | sudo sh
$ sudo usermod -aG docker [user_id]

$ docker run ubuntu:16.04
Unable to find image 'ubuntu:16.04' locally
16.04: Pulling from library/ubuntu
Digest: sha256:e348fbbea0e0a0e73ab0370de151e7800684445c509d46195aef73e090a49bd6
Status: Downloaded newer image for ubuntu:16.04

$ docker build -t ccr .
... (omitted)
CCR C Compiler   : /usr/local/bin/ccr
CCR C++ Compiler : /usr/local/bin/ccr++
CCR Gold Linker  : /CCR/binutils-2.27/gold/ld-new
CCR Randomizer   : /CCR/randomizer/prander.py

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ccr                 latest              687322eff8f3        29 minutes ago      30.5GB
ubuntu              16.04               f975c5035748        10 days ago         112MB

Once the build has been successful, launch the Docker image to test out CCR.

$ docker run --rm -it ccr:latest /bin/bash
root@c1aa9c064785:/CCR# 

Or you can simply download the prebuilt image, in which everything is ready to use.

$ docker pull kevinkoo001/ccr:0.8
$ docker run --rm -it kevinkoo001/ccr:0.8 /bin/bash

For more information about Docker, see the Docker documentation.

Binary Instrumentation with the CCR Toolchain

Once CCR has been successfully deployed, you can test it using the included examples. By simply compiling the source code as shown below, the linker reports that it has written a ShuffleInfo (metadata) message into the .rand section, meaning the metadata from all object files has been generated/updated within the final executable.

$ ccr -o ./examples/funcptr ./examples/funcptr.c
Successfully wrote the ShuffleInfo to the .rand section!
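A quick way to confirm that a binary actually carries the metadata is to look for the .rand section in its section header table. The following is an added example, not code from the CCR project: a dependency-free Python parser for the ELF64 section table that returns the .rand payload (or None when the binary was not built with CCR). Because it has to run offline, the two images it inspects are constructed in memory by the example's own `make_elf()` builder, and the .rand contents are a placeholder string standing in for a serialized ShuffleInfo message (the real schema is in shuffleInfo.proto and is not reproduced here). Run with a file path to inspect a real executable instead; `readelf -S` shows the same section.

```python
"""Locate the .rand metadata section in an ELF64 executable without external tools.
Added example, not code from the CCR project. The test images built by make_elf()
are constructed here, and FAKE_SHUFFLEINFO is a placeholder, not a real message.
"""
import struct

SHDR_FMT = "<IIQQQQIIQQ"  # Elf64_Shdr, little-endian, 64 bytes
SHDR_SIZE = struct.calcsize(SHDR_FMT)
SHT_PROGBITS, SHT_STRTAB = 1, 3

def section_table(elf):
    """Yield (name, bytes) for every section in a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    shoff, = struct.unpack_from("<Q", elf, 40)                 # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 58)
    def shdr(i):
        return struct.unpack_from(SHDR_FMT, elf, shoff + i * shentsize)
    str_off, str_size = shdr(shstrndx)[4:6]                    # .shstrtab location
    strtab = elf[str_off:str_off + str_size]
    for i in range(shnum):
        name_idx, _, _, _, off, size, *_ = shdr(i)
        name = strtab[name_idx:strtab.index(b"\0", name_idx)].decode()
        yield name, elf[off:off + size]

def rand_section(elf):
    """Return the .rand payload, or None if the binary was not built with CCR."""
    for name, content in section_table(elf):
        if name == ".rand":
            return content
    return None

def make_elf(sections):
    """Construct a minimal ELF64 image from [(name, bytes)] (example-only builder)."""
    shstr, name_off = bytearray(b"\0"), {}
    for name in [n for n, _ in sections] + [".shstrtab"]:
        name_off[name] = len(shstr)
        shstr += name.encode() + b"\0"
    body, offsets, cursor = bytearray(), [], 64             # contents follow the header
    for _, content in sections:
        offsets.append(cursor)
        body += content
        cursor += len(content)
    shstr_off = cursor
    body += shstr
    shoff = cursor + len(shstr)                              # section headers come last
    shnum = len(sections) + 2                                # null + sections + .shstrtab
    hdr = bytearray(64)
    hdr[:7] = b"\x7fELF\x02\x01\x01"                          # ELF64, little-endian, v1
    struct.pack_into("<HHI", hdr, 16, 2, 62, 1)               # ET_EXEC, EM_X86_64, version
    struct.pack_into("<Q", hdr, 40, shoff)                    # e_shoff
    struct.pack_into("<H", hdr, 52, 64)                       # e_ehsize
    struct.pack_into("<HHH", hdr, 58, SHDR_SIZE, shnum, shnum - 1)
    shdrs = bytearray(SHDR_SIZE)                              # index 0 is the null header
    for (name, content), off in zip(sections, offsets):
        shdrs += struct.pack(SHDR_FMT, name_off[name], SHT_PROGBITS, 0, 0,
                             off, len(content), 0, 0, 1, 0)
    shdrs += struct.pack(SHDR_FMT, name_off[".shstrtab"], SHT_STRTAB, 0, 0,
                         shstr_off, len(shstr), 0, 0, 1, 0)
    return bytes(hdr + body + shdrs)

# Constructed images: one "CCR-built" with a placeholder .rand payload, one without.
FAKE_SHUFFLEINFO = b"<placeholder for serialized ShuffleInfo>"
CCR_BINARY = make_elf([(".text", b"\x90" * 32), (".rand", FAKE_SHUFFLEINFO)])
PLAIN_BINARY = make_elf([(".text", b"\x90" * 32)])

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CCR_BINARY
    payload = rand_section(image)
    print("no .rand section" if payload is None else "%d bytes of .rand metadata" % len(payload))
```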

If you want to inspect the metadata (layout, jump table, and fixups) in detail, use the -mllvm -debug-only=ccr-metadata option.

$ ccr -o ./examples/funcptr -mllvm -debug-only=ccr-metadata ./examples/funcptr.c
<MF/MBB Layout Summary>
----------------------------------------------------------------------------------
 Layout MF_MBB_ID       MBBSize Align   Fixups  Offset          MFSize  Section
----------------------------------------------------------------------------------
 2      [DF 0_0]        64B     11B     3       0x00000040      64B     (.text)
----------------------------------------------------------------------------------
 4      [DF 1_0]        64B     11B     3       0x00000080      64B     (.text)
----------------------------------------------------------------------------------
 6      [DF 2_0]        64B     11B     3       0x000000c0      64B     (.text)
----------------------------------------------------------------------------------
 8      [DF 3_0]        64B     11B     3       0x00000100      64B     (.text)
----------------------------------------------------------------------------------
 10     [DF 4_0]        48B     14B     2       0x00000130      48B     (.text)
----------------------------------------------------------------------------------
 12     [DF 5_0]        48B     14B     2       0x00000160      48B     (.text)
----------------------------------------------------------------------------------
 14     [DF 6_0]        48B     14B     2       0x00000190      48B     (.text)
----------------------------------------------------------------------------------
 16     [DF 7_0]*       32B     0B      1       0x000001b0      32B     (.text)
 16     [DF 7_1]*       10B     0B      1       0x000001ba      42B     (.text)
 16     [DF 7_2]        39B     0B      3       0x000001e1      81B     (.text)
 16     [DF 7_3]*       28B     0B      2       0x000001fd      109B    (.text)
 16     [DF 7_4]*       10B     0B      1       0x00000207      119B    (.text)
 16     [DF 7_5]        22B     0B      2       0x0000021d      141B    (.text)
 16     [DF 7_6]*       10B     0B      1       0x00000227      151B    (.text)
 16     [DF 7_7]        13B     0B      2       0x00000234      164B    (.text)
 16     [DF 7_8]        32B     0B      3       0x00000254      196B    (.text)
 16     [DF 7_9]*       5B      0B      1       0x00000259      201B    (.text)
 16     [DF 7_10]*      7B      0B      0       0x00000260      208B    (.text)
 16     [DF 7_11]       16B     7B      0       0x00000270      224B    (.text)
----------------------------------------------------------------------------------
 18     [DF 8_0]*       31B     0B      1       0x0000028f      31B     (.text)
 18     [DF 8_12]       14B     0B      1       0x0000029d      45B     (.text)
 18     [DF 8_1]        10B     0B      2       0x000002a7      55B     (.text)
 18     [DF 8_2]        10B     0B      2       0x000002b1      65B     (.text)
 18     [DF 8_3]        10B     0B      2       0x000002bb      75B     (.text)
 18     [DF 8_4]        10B     0B      2       0x000002c5      85B     (.text)
 18     [DF 8_5]        10B     0B      2       0x000002cf      95B     (.text)
 18     [DF 8_6]        10B     0B      2       0x000002d9      105B    (.text)
 18     [DF 8_7]        10B     0B      2       0x000002e3      115B    (.text)
 18     [DF 8_8]       