ROP is still dangerous: breaking modern defenses

USENIX Security, pp. 385-399 (2014)

Cited by 369 | Views 124
EI

Abstract

Return Oriented Programming (ROP) has become the exploitation technique of choice for modern memory-safety vulnerability attacks. Recently, there have been multiple attempts at defenses to prevent ROP attacks. In this paper, we introduce three new attack methods that break many existing ROP defenses. Then we show how to break kBouncer and...

Introduction
  • The widespread adoption of DEP, which ensures that all writable pages in memory are non-executable, has largely killed classic code injection attacks.
  • Return Oriented Programming (ROP) [27] is a generalization of return-into-libc [24] attacks where an attacker causes the program to return to arbitrary points in the program’s code.
  • This allows one to perform malicious computation without injecting any new malicious code by only controlling the program’s execution flow.
  • In a ROP attack, the attacker finds gadgets within the original program text and causes them to be executed in sequence to perform a task other than what was intended.
Key points
  • The widespread adoption of DEP, which ensures that all writable pages in memory are non-executable, has largely killed classic code injection attacks
  • We have identified three building blocks that are useful in attacking Return Oriented Programming defenses:
  • We find that it is possible to mount Return Oriented Programming attacks in a fully call-preceded manner, where all gadgets start at a call-preceded address
  • We focus on the case where the program contains at least one library whose executable region has not been randomized with Address Space Layout Randomization, or where all modules have Address Space Layout Randomization enabled but there exists a memory disclosure vulnerability, as this is the situation that modern Return Oriented Programming attacks typically exploit
  • We have presented three building blocks for Return Oriented Programming attacks that allow us to break two state-of-the-art Return Oriented Programming defenses.
  • Our work disproves two pieces of conventional wisdom: that Return Oriented Programming attacks only consist of short gadgets, and that Return Oriented Programming attacks cannot be effectively mounted in a call-preceded manner.
Results
  • The attacks discussed in the previous sections are practical. The authors evaluate these attacks by modifying real-world exploits, as well as by demonstrating that only 70KB of code is needed to mount purely call-preceded attacks.
  • Section 8.1, the authors' tool: the authors built a tool to assist their efforts in finding attacks on real-world exploits.
  • The authors implemented a simple symbolic execution framework to determine the effects of each of these potential gadgets.
  • This system is not complete, but it models some of the effects of many common instructions.
  • It outputs the list of modified memory locations, accessed memory locations, and the new values of updated registers at the end of execution.
Conclusion
  • The authors have presented three building blocks for ROP attacks that allow them to break two state-of-the-art ROP defenses.
  • Future defenses must take care to guard against attacks similar to ours.
  • The authors suggest two particular requirements for future defenses.
  • Defenses should argue either that they can inspect all relevant past history or, if they have a limited history, that their limited view of history cannot be effectively cleared out by an attacker.
  • Defenses that defend against one specific aspect of ROP must argue that it is a necessary component of one.
Tables
  • Table 1: The number of gadgets for the three steps in our kBouncer attack for binaries from /usr/bin/. Entries marked with an asterisk have a success probability of ≥ 99.99%, the rest 100%.
Related work
  • Randomization-based approaches. Address Space Layout Randomization (ASLR) and Address Obfuscation [5] were first introduced to make it more difficult to inject shellcode, and were later applied to the text segment to prevent ROP attacks. Shacham et al. demonstrated a de-randomization attack [28] on PaX ASLR.

    Address Space Layout Permutation (ASLP) [16] is similar in many ways to ASLR but provides higher entropy by permuting the locations of functions. Other defenses extend this further by randomizing the addresses of individual instructions [15, 31]. Another technique replaces short sequences of instructions with alternate, functionally identical, equal-length sequences, hindering an attacker’s ability to use unintended gadgets [22]. A recent just-in-time code reuse attack [29] compiles ROP on the fly to bypass ASLR.
Funding
  • This research was supported by Intel through the ISTC for Secure Computing, by the AFOSR under MURI award FA9550-12-1-0040 and MURI award FA9550-09-1-0539, and by the National Science Foundation under grant CCF-0424422
References
  • Adobe CoolType SING Table “uniqueName” Stack Buffer Overflow. http://www.rapid7.com/db/modules/exploit/windows/browser/adobe_cooltype_sing.
  • Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow. http://www.rapid7.com/db/modules/exploit/windows/browser/adobe_flash_otf_font.
  • Microsoft Internet Explorer CButton Object Use-After-Free. https://www.rapid7.com/db/modules/
  • Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. Control-flow integrity. In Proceedings of the 12th ACM Conference on Computer and Communications Security, pages 340–353. ACM, 2005.
  • Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In Proceedings of the 12th USENIX Security Symposium, volume 120, 2003.
  • Tyler Bletsch, Xuxian Jiang, and Vince Freeh. Mitigating code-reuse attacks with control-flow locking. In Proceedings of the 27th Annual Computer Security Applications Conference, pages 353–362. ACM, 2011.
  • Erik Buchanan, Ryan Roemer, Hovav Shacham, and Stefan Savage. When good instructions go bad: Generalizing return-oriented programming to RISC. In Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 27–38. ACM, 2008.
  • Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy. Return-oriented programming without returns. In Proceedings of the 17th ACM Conference on Computer and Communications Security, pages 559–572. ACM, 2010.
  • Ping Chen, Hai Xiao, Xiaobin Shen, Xinchun Yin, Bing Mao, and Li Xie. DROP: Detecting return-oriented programming malicious code. In Information Systems Security, pages 163–177.
  • Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer. Non-control-data attacks are realistic threats. In Proceedings of the 14th USENIX Security Symposium, volume 14, pages 12–12, 2005.
  • Yueqiang Cheng, Zongwei Zhou, Miao Yu, Xuhua Ding, and Robert H. Deng. ROPecker: A generic and practical approach for defending against ROP attacks. In NDSS, 2014.
  • Lucas Davi, Ahmad-Reza Sadeghi, and Marcel Winandy. ROPdefender: A detection tool to defend against return-oriented programming attacks. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, pages 40–51. ACM, 2011.
  • Ivan Fratric and Elias Bachaalany. ROPGuard. http://code.google.com/p/ropguard/.
  • Enes Goktas, Elias Athanasopoulos, Herbert Bos, and Georgios Portokalidis. Out of control: Overcoming control-flow integrity. In IEEE S&P, 2014.
  • Jason Hiser, Anh Nguyen-Tuong, Michele Co, Matthew Hall, and Jack W. Davidson. ILR: Where’d my gadgets go? In Security and Privacy (SP), 2012 IEEE Symposium on, pages 571–585. IEEE, 2012.
  • Chongkyung Kil, Jinsuk Jun, Christopher Bookholt, Jun Xu, and Peng Ning. Address space layout permutation (ASLP): Towards fine-grained randomization of commodity software. In Computer Security Applications Conference, 2006. ACSAC ’06. 22nd Annual, pages 339–348. IEEE, 2006.
  • Long Le. Payload already inside: Data re-use for ROP exploits. Black Hat USA, 2010.
  • Jinku Li, Zhi Wang, Xuxian Jiang, Michael Grace, and Sina Bahram. Defeating return-oriented rootkits with return-less kernels. In Proceedings of the 5th European Conference on Computer Systems, pages 195–208. ACM, 2010.
  • Nate M. MPlayer (r33064 Lite) Buffer Overflow + ROP exploit. http://www.exploit-db.com/exploits/17124/.
  • Brian Mariani. Structured exception handler exploitation. http://www.exploit-db.com/wp-content/themes/exploit/docs/17505.pdf.
  • Kaan Onarlioglu, Leyla Bilge, Andrea Lanzi, Davide Balzarotti, and Engin Kirda. G-Free: Defeating return-oriented programming through gadget-less binaries. In Proceedings of the 26th Annual Computer Security Applications Conference, pages 49–58. ACM, 2010.
  • Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 601–615. IEEE, 2012.
  • Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis. Transparent ROP exploit mitigation using indirect branch tracing. In Proceedings of the 22nd USENIX Conference on Security, 2013.
  • Jonathan Pincus and Brandon Baker. Beyond stack smashing: Recent advances in exploiting buffer overruns. IEEE Security & Privacy, 2(4):20–27, 2004.
  • Marco Prandini and Marco Ramilli. Return-oriented programming. IEEE Security & Privacy, 10(6):84–87, 2012.
  • Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. Q: Exploit hardening made easy. In USENIX Security Symposium, 2011.
  • Hovav Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 552–561. ACM, 2007.
  • Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security, pages 298–307. ACM, 2004.
  • Kevin Z. Snow, Fabian Monrose, Lucas Davi, Alexandra Dmitrienko, Christopher Liebchen, and Ahmad-Reza Sadeghi. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In Security and Privacy (SP), 2013 IEEE Symposium on, pages 574–588. IEEE, 2013.
  • Minh Tran, Mark Etheridge, Tyler Bletsch, Xuxian Jiang, Vincent Freeh, and Peng Ning. On the expressiveness of return-into-libc attacks. In Recent Advances in Intrusion Detection, pages 121–141.
  • Richard Wartell, Vishwath Mohan, Kevin W. Hamlen, and Zhiqiang Lin. Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, pages 157–168. ACM, 2012.
  • Yubin Xia, Yutao Liu, Haibo Chen, and Binyu Zang. CFIMon: Detecting violation of control flow integrity using performance counters. In Dependable Systems and Networks (DSN), 2012 42nd Annual IEEE/IFIP International Conference on, pages 1–12. IEEE, 2012.
  • ZadYree. HT Editor 2.0.20 Buffer Overflow (ROP PoC). http://www.exploit-db.com/exploits/22683/.
  • Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, Laszlo Szekeres, Stephen McCamant, Dawn Song, and Wei Zou. Practical control flow integrity and randomization for binary executables. In Security and Privacy (SP), 2013 IEEE Symposium on, pages 559–573. IEEE, 2013.