ILR: Where'd my gadgets go?

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2012, Pages 571-585

  Hiser, Jason ^a   Nguyen Tuong, Anh ^a   Co, Michele ^a   Hall, Matthew ^a   Davidson, Jack W ^a  

^a University of Virginia   (United States)

Author keywords

arc injection; ASLR; Diversity; Exploit prevention; Randomization; Return oriented programming

Indexed keywords

BENCHMARKING; COMPUTER OPERATING SYSTEMS; COST EFFECTIVENESS; NETWORK SECURITY; PROGRAM COMPILERS; RANDOM PROCESSES; SECURITY SYSTEMS;

ARC-INJECTION; ASLR; DATA PAGES; DIVERSITY; EXECUTABLES; EXPLOIT PREVENTIONS; MEMORY SPACE; RANDOMISATION; RETURN-ORIENTED PROGRAMMING; RUNTIMES;

LOCATION;

EID: 84869381037     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2012.39     Document Type: Conference Paper

References (44)

1. J. Pincus and B. Baker, "Beyond stack smashing: Recent advances in exploiting buffer overruns," IEEE Security & Privacy, vol. 2, no. 4, pp. 20-27, Jul/Aug 2004.
2. H. Shacham, "The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86)," in Proceedings of the 14th ACM Conference on Computer and Communications Security. ACM, 2007, pp. 552-561.
3. E. Buchanan, R. Roemer, H. Shacham, and S. Savage, "When good instructions go bad: Generalizing return-oriented programming to RISC," in Proceedings of the 15th ACM Conference on Computer and Communications Security. ACM, 2008, pp. 27-38.
4. D. Dai Zovi, "Practical return-oriented programming," SOURCE Boston, 2010.
5. The PAX Team, http://pax.grsecurity.net.
6. M. Howard and M. Thomlinson, "Windows vista ISV security," Microsoft Corporation, April, vol. 6, 2007.
7. H. Shacham, M. Page, B. Pfaff, E. Goh, N. Modadugu, and D. Boneh, "On the effectiveness of address-space randomization," in Proceedings of the 11th ACM Conference on Computer and Communications Security. ACM, 2004, pp. 298-307.
8. G. Roglia, L. Martignoni, R. Paleari, and D. Bruschi, "Surgically returning to randomized lib (c)," in 2009 Annual Computer Security Applications Conference. IEEE, 2009, pp. 60-69.
9. S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy, "Return-oriented programming without returns," in Proceedings of the 17th ACM Conference on Computer and Communications Security. ACM, 2010, pp. 559-572.
10. T. Durden, "Bypassing PaX ASLR protection," Phrack Magazine, vol. 0x0b, no. 0x3b, 2002. [Online]. Available: http://www.phrack.org/issues. html?issue=59&id=9
11. K. Scott, N. Kumar, S. Velusamy, B. R. Childers, J. W. Davidson, and M. L. Soffa, "Retargetable and reconfigurable software dynamic translation," in International Symposium on Code Generation and Optimization. San Francisco, CA: IEEE Computer Society, Mar. 2003, pp. 36-47.
12. V. Bala, E. Duesterwald, and S. Banerjia, "Dynamo: A transparent dynamic optimization system," in SIGPLAN '00 Conference on Programming Language Design and Implementation, 2000, pp. 1-12.
13. M. Payer and T. Gross, "Fine-grained user-space security through virtualization," in Proceedings of the 7th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments. ACM, 2011, pp. 157-168.
14. P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie, "DROP: Detecting return-oriented programming malicious code," Information Systems Security, pp. 163-177, 2009.
15. L. Davi, A. Sadeghi, and M. Winandy, "ROPdefender: A detection tool to defend against return-oriented programming attacks," in Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. ACM, 2011, pp. 40-51.
16. Standard Performance Evaluation Corporation, "SPEC CPU2006 Benchmarks," http://www.spec.org/osg/cpu2006.
17. (2011, November) Hex-rays website. [Online]. Available: http://www.hex-rays.com/products/ida/index.shtml
18. C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood, "Pin: Building customized program analysis tools with dynamic instrumentation," in PLDI '05: Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation. New York, NY, USA: ACM Press, 2005, pp. 190-200.
19. M. Voss and R. Eigenmann, "A framework for remote dynamic program optimization," in Proceedings of the ACM Workshop on Dynamic Optimization Dynamo '00, 2000.
20. "Shell storm website," http://www.shell-sorm.org/project/ ROPgadget/.
21. (2008) Libtiff tifffetchshortpair remote buffer overflow vulnerability. [Online]. Available: http://www.securityfocus.com/bid/19283
22. A. Kapoor, "An approach towards disassembly of malicious binary executables," Ph.D. dissertation, University of Louisiana, 2004.
23. C. Kruegel, W. Robertson, F. Valeur, and G. Vigna, "Static disassembly of obfuscated binaries," in Proceedings of the 13th USENIX Security Symposium, 2004, pp. 255-270.
24. B. Schwarz, S. Debray, and G. Andrews, "Disassembly of executable code revisited," in Proceedings of the 9th Working Conference on Reverse Engineering. IEEE, 2002, pp. 45-54.
25. E. J. Schwartz, T. Avgerinos, and D. Brumley, "Q: Exploit hardening made easy," in Proceedings of the USENIX Security Symposium, 2011.
26. J. Hiser, D. Williams, W. Hu, J. Davidson, J. Mars, and B. Childers, "Evaluating indirect branch handling mechanisms in software dynamic translation systems," in Proceedings of the International Symposium on Code Generation and Optimization. IEEE Computer Society, 2007, pp. 61-73.
27. A. Guha, K. Hazelwood, and M. Soffa, "Reducing exit stub memory consumption in code caches," High Performance Embedded Architectures and Compilers, pp. 87-101, 2007.
28. W. Hu, J. Hiser, D. Williams, A. Filipi, J. Davidson, D. Evans, J. Knight, A. Nguyen-Tuong, and J. Rowanhill, "Secure and practical defense against code-injection attacks using software dynamic translation," in Proceedings of the 2nd International Conference on Virtual Execution Environments. ACM, 2006, pp. 2-12.
29. A. Nguyen-Tuong, A.Wang, J. Hiser, J. Knight, and J. Davidson, "On the effectiveness of the metamorphic shield," in Proceedings of the Fourth European Conference on Software Architecture: Companion Volume. ACM, 2010, pp. 170-174.
30. E. G. Barrantes, D. H. Ackley, S. Forrest, and D. Stefanovic, "Randomized instruction set emulation," ACM Transactions on Information System Security., vol. 8, no. 1, pp. 3-40, 2005.
31. G. S. Kc, A. D. Keromytis, and V. Prevelakis, "Countering code-injection attacks with instruction-set randomization," in CCS '03: Proceedings of the 10th ACM Conference on Computer and Communications Security. New York, NY, USA: ACM Press, 2003, pp. 272-280.
32. S. Designer, ""return-to-libc" attack," Bugtraq, Aug, 1997.
33. Nergal, "The advanced return-into-lib(c) exploits (PaX case study)." Phrack Magazine, 58(4), December 2001.
34. J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram, "Defeating return-oriented rootkits with "return-less" kernels," in Proceedings of the 5th European Conference on Computer Systems, ser. EuroSys '10. New York, NY, USA: ACM, 2010, pp. 195-208.
35. K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda, "G-Free: defeating return-oriented programming through gadget-less binaries," in Proceedings of the 26th Annual Computer Security Applications Conference. ACM, 2010, pp. 49-58.
36. C. Kil, J. Jun, C. Bookholt, J. Xu, and P. Ning, "Address space layout permutation (ASLP): Towards fine-grained randomization of commodity software," in Computer Security Applications Conference, 2006. ACSAC'06. 22nd Annual. Ieee, 2006, pp. 339-348.
37. S. Sinnadurai, Q. Zhao, and W. fai Wong, "Transparent runtime shadow stack: Protection against malicious return address modifications," 2008.
38. T. Dullien and T. Kornau, "A framework for automated architecture-independent gadget search," in 4th USENIX Workshop on Offensive Technologies, 2010.
39. R. G. Roemer, "Finding the bad in good code: Automated return-oriented programming exploit discovery," 2009.
40. D. S. James Newsome, "Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software," in Proceedings of the Network and Distributed System Security Symposium, 2005.
41. A. van de Ven, "New security enhancements in red hat enterprise linux v.3, update 3." Red Hat, Inc., 2004.
42. S. Bhatkar, R. Sekar, and D. C. DuVarney, "Efficient techniques for comprehensive protection from memory exploits," in Proceedings of the 14th Conference on USENIX Security Symposium. USENIX Association, 2005.
43. T. Jackson, B. Salamat, A. Homescu, K. Manivannan, G. Warner, A. Gal, S. Brunthaler, C. Wimmer, and M. Franz, "Compiler-generated software diversity," 2011.
44. M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti, "Control-flow integrity," in Proceedings of the 12th ACM Conference on Computer and Communications Security. ACM, 2005, pp. 340-353.