Automatic construction of jump-oriented programming shellcode (on the x86)

Proceedings of the 6th International Symposium on Information, Computer and Communications Security, ASIACCS 2011

Volumn , Issue , 2011, Pages 20-29

  Chen, Ping ^a   Xing, Xiao ^a   Mao, Bing ^a   Xie, Li ^a   Shen, Xiaobin ^b   Yin, Xinchun ^b  

^a NANJING UNIVERSITY   (China)

^b YANGZHOU UNIVERSITY   (China)

Author keywords

[No Author keywords available]

Indexed keywords

AUTOMATIC CONSTRUCTION; DEFENCE MECHANISMS; EXECUTABLES; MALICIOUS CODES; PROGRAMMING TECHNIQUE; REAL-WORLD; RETURN-ORIENTED PROGRAMMING; SHELLCODE; TURING-COMPLETE;

EID: 79956058308     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1966913.1966918     Document Type: Conference Paper

References (33)

1. D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha, "Towards automatic generation of vulnerability-based signatures, " in Proceedings of the 2006 IEEE Symposium on Security and Privacy, 2006, pp. 2-16. (Pubitemid 44753708)
2. M. Roesch, "Snort - lightweight intrusion detection for networks, " in Proceedings of the 13th USENIX Conference on System Administration. Berkeley, CA, USA: USENIX Association, 1999, pp. 229-238.
3. H.-A. Kim and B. Karp, "Autograph: toward automated, distributed worm signature detection, " in Proceedings of the 13th Conference on USENIX Security Symposium. Berkeley, CA, USA: USENIX Association, 2004, pp. 271-286.
4. "The pax project, " 2004. [Online]. Available: http://pax.grsecurity.net/.
5. J. McDonald, "Defeating solaris/sparc non-executable stack protection, " Bugtraq, 1999.
6. Nergal, "The advanced return-into-lib(c) exploits (pax case study), " Phrack Magazine, 2001. [Online]. Available: http://www.phrack.com/issues. html?issue=58&id=4.
7. S. Krahmer, "X86-64 buffer overow exploits and the borrowed code chunks exploitation technique, " Phrack Magazine, 2005. [Online]. Available: http://www.suse.de/krahmer/no-nx.pdf.
8. H. Shacham, "The geometry of innocent esh on the bone: return-into-libc without function calls (on the x86), " in Proceedings of the 14th ACM Conference on Computer and Communications Security(CCS). New York, NY, USA: ACM, 2007, pp. 552-561.
9. A. Francillon and C. Castelluccia, "Code injection attacks on harvard-architecture devices, " in Proceedings of the 15th ACM conference on Computer and communications security. New York, NY, USA: ACM, 2008, pp. 15-26.
10. S. Checkoway, A. J. Feldman, B. Kantor, J. A. Halderman, E. W. Felten, and H. Shacham, "Can dres provide long-lasting security?the case of return-oriented programming and the avc advantage, " in Proceedings of EVT/WOTE 2009.USENIX/ACCURATE/IAVoSS, 2009.
11. R. Hund, T. Holz, and F. C. Freiling, "Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms, " in Proceedings of 18th USENIX Security Symposium, San Jose, CA, USA, 2009, pp. 383-398.
12. E. Buchanan, R. Roemer, H. Shacham, and S. Savage, "When good instructions go bad: generalizing return-oriented programming to risc, " in Proceedings of the 15th ACM Conference on Computer and Communications Security. New York, NY, USA: ACM, 2008, pp. 27-38.
13. "Felix "fx" lidner.developments in cisco ios forensics, " CONFidence 2.0., http://www.recurity-labs.com/content/pub/ FXRouterExploitation.pdf.
14. T. Kornau, "Return oriented programming for the arm architecture, " Master's thesis, Ruhr-Universitat Bochum, 2010.
15. A. Francillon, D. Perito, and C. Castelluccia, "Defending embedded systems against control flow attacks, " in SecuCode '09: Proceedings of the first ACM workshop on Secure execution of untrusted code. New York, NY, USA: ACM, 2009, pp. 19-26.
16. L. David, A.-R. Ssadeghi, and M. Winandy, "Ropdefender:a detection tool to defend against return-oriented programming attacks, " Technical Report TR-2010-001, 2010.
17. L. Davi, A.-R. Sadeghi, and M. Winandy, "Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks, " in Proceedings of the 2009 ACM workshop on Scalable trusted computing, 2009, pp. 49-54.
18. P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie, "Drop: Detecting return-oriented programming malicious code." in ICISS, ser. Lecture Notes in Computer Science, A. Prakash and I. Gupta, Eds., vol. 5905. Springer, 2009, pp. 163-177.
19. J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram, "Defeating return-oriented rootkits with "return-less" kernels, " in EuroSys '10: Proceedings of the 5th European conference on Computer systems. New York, NY, USA: ACM, 2010, pp. 195-208.
20. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy, "Return-oriented programming without returns, " in Proceedings of CCS 2010, A. Keromytis and V. Shmatikov, Eds. ACM Press, Oct. 2010, pp. 559-72.
21. S. Checkwway and H. Shacham, "Escape from return-oriented programming: Return-oriented programming without returns(on the x86), " Technical Report, 2010.
22. L. Davi, A. Dmitrienko, A.-R. Sadeghi, and M. Winandy, "Return-oriented programming without returns on arm, " Technical Report HGI-TR-2010-002, Ruhr-University Bochum, 2010.
23. A. M. Turing, "On computable numbers, with an application to the entscheidungs problem, " Proc. London Math. Soc., pp. 230-265, 1936.
24. milw0rm. [Online]. Available: http://www.milw0rm.com/shellcode/linux/x86.
25. "Implementing linux system calls, " Linux Journal, 1999. [Online]. Available: http://www.linuxjournal.com/article/3326.
26. D. Mazzocchio, "Writing shellcode for linux and *bsd, " 2005. [Online]. Available: http://www.shell-storm.org/papers/-les/442.pdf.
27. ""linux/x86 setreuid(geteuid(), geteuid()), execve("/bin/sh", 0, 0)", " milw0rm, 2009, http://www.milw0rm.com/shellcode/8972.
28. ""linux/x86/ho detector", " milw0rm, 2008. [Online]. Available: http://www.milw0rm.com/shellcode/7154.
29. V. F. Tyler Bletsch, Xuxian Jiang, "Jump-oriented programming: A new class of code-reuse attack, " Technical Report TR-2010-8, 2010.
30. J. Caballero, N. M. Johnson, S. McCamant, and D. Song, "Binary code extraction and interface identification for security applications, " Proceedings of the 17th Annual Network and Distributed System Security Symposium, 2010.
31. C. K. C. Kolbitsch, T. Holz and E. Kirda, "Inspector gadget: Automated extraction of proprietary gadgets from malware binaries, " Proceedings of the 30th IEEE Symposium on Security and Privacy, 2010.
32. Z. Lin, X. Zhang, and D. Xu, "Reuse-oriented camouaging trojan: Vulnerability detection and attack construction, " in Proceedings of the 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN-DCCS 2010), Chicago, IL, USA, June 2010.
33. D. Blazakis, "interpreter exploitation: pointer inference and jit spraying, " BHDC, 2010, http://www.semantiscope.com/research/BHDC2010/BHDC- 2010-Paper.pdf.