G-free: Defeating return-oriented programming through gadget-less binaries

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2010, Pages 49-58

  Onarlioglu, Kaan ^a   Bilge, Leyla ^b   Lanzi, Andrea ^b   Balzarotti, Davide ^b   Kirda, Engin ^b  

^a BILKENT UNIVERSITY   (Turkey)

^b EURECOM   (France)

Author keywords

return oriented programming; return to libc; ROP

Indexed keywords

COMPUTER PROGRAMMING; SOFTWARE PROTOTYPING;

BRANCH INSTRUCTIONS; EXPLOITATION TECHNIQUES; MEMORY CORRUPTION; PRACTICAL SOLUTIONS; PROTECTION MECHANISMS; RETURN-ORIENTED PROGRAMMING; RETURN-TO-LIBC; SOFTWARE NETWORK; SOFTWARE-SYSTEMS;

OPEN SOURCE SOFTWARE;

EID: 78751484536     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1920261.1920269     Document Type: Conference Paper

References (36)

1. Phoronix test suite. http://www.phoronix-test-suite.com/.
2. Rop attack against data execution prevention technology, 2009. http://www.h-online.com/security/news/item/Exploit-s-new-technology-trick-% dodges-memory-protection-959253.html.
3. Symantec: Internet Security Threat Report. http://www4.symantec.com/Vrt/ wl?tu-id=jLac123913792490340803, 2009.
4. Intel 64 and IA-32 Architectures Software Developer's Manuals. http://www.intel.com/products/processor/manuals/, 2010.
5. Aleph One. Smashing the stack for fun and profit. In Phrack Magazine n.49, 1996.
6. E. Buchanan, R. Roemer, H. Shacham, and S. Savage. When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS), 2008.
7. S. Checkoway, A. J. Feldman, B. Kantor, J. A. Halderman, E. W. Felten, and H. Shacham. Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage. In Proceedings of EVT/WOTE 2009. USENIX/ACCURATE/IAVoSS, 2009.
8. S. Checkoway and H. Shacham. Escape from return-oriented programming: Return-oriented programming without returns (on the x86). Technical report, 2010.
9. P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie. Drop: Detecting return-oriented programming malicious code. In Lecture Notes in Computer Science, 2009.
10. C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: Protecting Pointers from Buffer Overflow Vulnerabilities. In Proceedings of the 12th Usenix Security Symposium,, 2003.
11. th USENIX Security Symposium, USA, 1998.
12. C. Cowan, P. Wagle, C. Pu, S. Beattie, and J. Walpole. Buffer overflows: Attacks and Defenses for the Vulnerability of the Decade. In Proceedings of the DARPA Information Survivability Conference and Exposition,, 2000.
13. L. Davi, A. R. Sadeghi, and M. Winandy. Dynamic integrity measurement and attestation: Towards defense against return-oriented programming attacks. In Proceedings ACM workshop on Scalable trusted computing, 2009.
14. Felix Lidner. Confidence 2.0,. Developments in Cisco IOS forensics.
15. A. Francillon and C. Castelluccia. Code injection attacks on harvard-architecture devices. In Proceedings of CCS, 2008.
16. A. Francillon, D. Perito, and C. Castelluccia. Defending embedded systems against control flow attacks. In Proceedings of the first ACM workshop on Secure execution of untrusted code, 2008.
17. M. Frantsen and M. Shuey. Stackghost: Hardware facilitated stack protection. In Proceedings of USENIX security, 2001.
18. Hiroaki Etoh. GCC Extension for Protecting Applications from Stack-Smashing Attacks (ProPolice). In http://www.trl.ibm.com/projects/security/ ssp/, 2003.
19. R. Hund, T. Holz, and F. Freiling. Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms. In Proceedings of the 18th USENIX Security Symposium, USA, 2009.
20. V. Kiriansky, D. Bruening, and S. P. Amarasinghe. Secure execution via program shepherding. In Proceedings of the 11th USENIX Security Symposium, pages 191-206, Berkeley, CA, USA, 2002. USENIX Association.
21. J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram. Defeating Return-Oriented Rootkits with Return-less Kernels. In Proceedings of the 5th ACM SIGOPS EuroSys Conference, 2010.
22. M. W. Lucas Davi, Ahmad-Reza Sadeghi. Ropdefender: A detection tool to defend against return-oriented programming attacks. Technical report, Technical Report HGI-TR-2010-001.
23. Nergal. The advanced return-into-lib(c) exploits. In Phrack Magazine n.58, 2001.
24. R. Riley, X. Jiang, and D. Xu. Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing. In RAID '08: Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection, pages 1-20, Berlin, Heidelberg, 2008. Springer-Verlag.
25. th Annual Computer Security Applications Conference (ACSAC), Honolulu, Hawaii, USA., pages 60-69. IEEE Computer Society, Dec. 2009.
26. Scut, Team Teso. Exploiting format string vulnerabilities. 2001.
27. Sebastian Krahmer. x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique, 2005. http://www.suse.de/~krahmer/no-nx.pdf.
28. A. Seshadri, M. Luk, N. Qu, and A. Perrig. Secvisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In Proceedings of Operating System Symposium SOSP, 2007.
29. H. Shacham. The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), 2007.
30. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security (CSS), 2004.
31. Solar Designer. return-to-libc attack. Technical report, bugtraq, 1997.
32. The PaX Team. Pax address space layout randomization. Technical report, http://pax.grsecurity.net/docs/aslr.txt.
33. The PaX Team. Pax non-executable pages. Technical report, http://pax.grsecurity.net/docs/noexec.txt.
34. Tim Kornau. Return oriented programming for the arm architecture. Technical report, Master's thesis, Ruhr-Universität Bochum, 2010.
35. Vendicator. Stackshield: A "stack smashing" technique protection tool for linux. Technical report, http://www.angelfire.com/sk/ stackshield/.
36. Z. Wang, X. Jiang, W. Cui, and P. Ning. Countering kernel rootkits with lightweight hook protection. In Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS, 2009.