Smashing the gadgets: Hindering return-oriented programming using in-place code randomization

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2012, Pages 601-615

  Pappas, Vasilis ^a   Polychronakis, Michalis ^a   Keromytis, Angelos D ^a  

^a Och Spine at New York Presbyterian Hospitals   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CODES (SYMBOLS); COSINE TRANSFORMS; PROGRAM DEBUGGING;

CODE EXECUTION; CODE RANDOMIZATION; DEBUGGING INFORMATION; EXECUTABLES; MITIGATION TECHNIQUES; RETURN-ORIENTED PROGRAMMING; RUNTIME OVERHEADS; SOURCE CODES; THIRD PARTY APPLICATION (APPS); THIRD PARTY SOFTWARE;

RANDOM PROCESSES;

EID: 84878363772     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2012.41     Document Type: Conference Paper

References (69)

1. M. Miller, T. Burrell, and M. Howard, "Mitigating software vulnerabilities," Jul. 2011, http://www.microsoft.com/download/en/details. aspx?displaylang=en&id=26788.
2. H. Shacham, "The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)," in Proceedings of the 14th ACM conference on Computer and Communications Security (CCS), 2007.
3. S. Checkoway, A. J. Feldman, B. Kantor, J. A. Halderman, E. W. Felten, and H. Shacham, "Can DREs provide long-lasting security? the case of return-oriented programming and the AVC advantage," in Proceedings of the 2009 conference on Electronic Voting Technology/Workshop on Trustworthy Elections (EVT/WOTE), 2009.
4. R. Hund, T. Holz, and F. C. Freiling, "Return-oriented rootkits: bypassing kernel code integrity protection mechanisms," in Proceedings of the 18th USENIX Security Symposium, 2009.
5. T. Dullien, T. Kornau, and R.-P. Weinmann, "A framework for automated architecture-independent gadget search," in Proceedings of the 4th USENIX Workshop on Offensive Technologies (WOOT), 2010.
6. D. A. D. Zovi, "Practical return-oriented programming." SOURCE Boston, 2010.
7. P. Solé, "Hanging on a ROPe," http://www.immunitysec. com/downloads/DEPLIB20-ekoparty.pdf.
8. D. A. D. Zovi, "Mac OS X return-oriented exploitation." RECON, 2010.
9. P. Vreugdenhil, "Pwn2Own 2010 Windows 7 Internet Explorer 8 exploit," http://vreugdenhilresearch.nl/Pwn2Ownl2010-Windows7- InternetExplorer8.pdf.
10. K. Baumgartner, "The ROP pack," in Proceedings of the 20th Virus Bulletin International Conference (VB), 2010.
11. M. Parkour, "An overview of exploit packs (update 9) April 5 2011," http://contagiodump.blogspot.com/2010/06/overview-of-exploit- packsupdate.html.
12. G. Fresi Roglia, L. Martignoni, R. Paleari, and D. Bruschi, "Surgically returning to randomized lib(c)," in Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC), 2009.
13. H. Li, "Understanding and exploiting Flash ActionScript vulnerabilities." CanSecWest, 2011.
14. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh, "On the effectiveness of address-space randomization," in Proceedings of the 11th ACM conference on Computer and Communications Security (CCS), 2004.
15. J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram, "Defeating return-oriented rootkits with "return-less" kernels," in Proceedings of the 5th European conference on Computer Systems (EuroSys), 2010.
16. K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda, "G-Free: defeating return-oriented programming through gadget-less binaries," in Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), 2010.
17. S. Forrest, A. Somayaji, and D. Ackley, "Building diverse computer systems," in Proceedings of the 6th Workshop on Hot Topics in Operating Systems (HotOS-VI), 1997.
18. S. Bhatkar, R. Sekar, and D. C. DuVarney, "Efficient techniques for comprehensive protection from memory error exploits," in Proceedings of the 14th USENIX Security Symposium, August 2005.
19. C. Kil, J. Jun, C. Bookholt, J. Xu, and P. Ning, "Address space layout permutation (ASLP): Towards fine-grained randomization of commodity software," in Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC), 2006.
20. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, "Control-flow integrity," in Proceedings of the 12th ACM conference on Computer and Communications Security (CCS), 2005.
21. L. Davi, A.-R. Sadeghi, and M. Winandy, "ROPdefender: A practical protection tool to protect against return-oriented programming," in Proceedings of the 6th Symposium on Information, Computer and Communications Security (ASIACCS), 2011.
22. P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie, "DROP: Detecting return-oriented programming malicious code," in Proceedings of the 5th International Conference on Information Systems Security (ICISS), 2009.
23. L. Davi, A.-R. Sadeghi, and M. Winandy, "Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks," in Proceedings of the 2009 ACM workshop on Scalable Trusted Computing (STC), 2009.
24. G. S. Kc, A. D. Keromytis, and V. Prevelakis, "Countering code-injection attacks with instruction-set randomization," in Proceedings of the 10th ACM conference on Computer and Communications Security (CCS), 2003.
25. E. G. Barrantes, D. H. Ackley, T. S. Palmer, D. Stefanovic, and D. D. Zovi, "Randomized instruction set emulation to disrupt binary code injection attacks," in Proceedings of the 10th ACM conference on Computer and Communications Security (CCS), 2003.
26. E. J. Schwartz, T. Avgerinos, and D. Brumley, "Q: Exploit hardening made easy," in Proceedings of the 20th USENIX Security Symposium, 2011.
27. Corelan Team, "Mona," http://redmine.corelan.be/projects/mona.
28. S. Designer, "Getting around non-executable stack (and fix)," http://seclists.org/bugtraq/1997/Aug/63.
29. T. Newsham, "Non-exec stack," 2000, http://seclists.org/ bugtraq/2000/May/90.
30. Nergal, "The advanced return-into-lib(c) exploits: PaX case study," Phrack, vol. 11, no. 58, Dec. 2001.
31. S. Krahmer, "x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique," http://www.suse.de/~krahmer/no-nx.pdf.
32. Ú. Erlingsson, "Low-level software security: Attack and defenses," Microsoft Research, Tech. Rep. MSR-TR-07-153, 2007, http://research.microsoft.com/pubs/64363/tr-2007-153.pdf.
33. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy, "Return-oriented programming without returns," in Proceedings of the 17th ACM conference on Computer and Communications Security (CCS), 2010.
34. F. B. Cohen, "Operating system protection through program evolution," Computers and Security, vol. 12, pp. 565-584, Oct. 1993.
35. P. Ször, The Art of Computer Virus Research and Defense. Addison-Wesley Professional, February 2005.
36. E. Bhatkar, D. C. Duvarney, and R. Sekar, "Address obfuscation: an efficient approach to combat a broad range of memory error exploits," in In Proceedings of the 12th USENIX Security Symposium, 2003.
37. "/ORDER (put functions in order)," http://msdn.microsoft.com/ en-us/library/00kh39zz.aspx.
38. "Syzygy - profile guided, post-link executable reordering," http://code.google.com/p/sawbuck/wiki/SyzygyDesign.
39. "Profile-guided optimizations," http://msdn.microsoft.com/en- us/library/e7k32f4k.aspx.
40. C. Kruegel, W. Robertson, F. Valeur, and G. Vigna, "Static disassembly of obfuscated binaries," in Proceedings of the 13th USENIX Security Symposium, 2004.
41. M. Smithson, K. Anand, A. Kotha, K. Elwazeer, N. Giles, and R. Barua, "Binary rewriting without relocation information," University of Maryland, Tech. Rep., 2010, http://www.ece.umd.edu/~barua/without-relocation- technical-report10.pdf.
42. P. Saxena, R. Sekar, and V. Puranik, "Efficient fine-grained binary instrumentation with applications to taint-tracking," in Proceedings of the 6th annual IEEE/ACM international symposium on Code Generation and Optimization (CGO), 2008.
43. Skape, "Locreate: An anagram for relocate," Uninformed, vol. 6, 2007.
44. M. Pietrek, "An in-depth look into the Win32 portable executable file format, part 2," http://msdn.microsoft.com/en-us/magazine/cc301808. aspx.
45. I. Guilfanov, "Jump tables," http://www.hexblog.com/?p=68.
46. -, "Decompilers and beyond." Black Hat USA, 2008.
47. Hex-Rays, "IDA Pro Disassembler," http://www.hex-rays.com/ idapro/.
48. X. Hu, T.-c. Chiueh, and K. G. Shin, "Large-scale malware indexing using function-call graphs," in Proceedings of the 16th ACM conference on Computer and Communications Security (CCS), 2009.
49. S. Nanda, W. Li, L.-C. Lam, and T.-c. Chiueh, "Bird: Binary interpretation using runtime disassembly," in Proceedings of the International Symposium on Code Generation and Optimization (CGO), 2006.
50. L. C. Harris and B. P. Miller, "Practical analysis of stripped binary code," SIGARCH Comput. Archit. News, vol. 33, pp. 63-68, December 2005.
51. Microsoft, "Enhanced Mitigation Experience Toolkit v2.1," http://www.microsoft.com/download/en/details.aspx?id=1677.
52. A. V. Aho, M. S. Lam, R. Sethi, and J. D. Ullman, Compilers: Principles, Techniques, and Tools (2nd Edition). Boston, MA, USA: Addison-Wesley Longman Publishing Co., Inc., 2006.
53. "Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow," http://www.exploit-db.com/exploits/16619/.
54. R. El-Khalil and A. D. Keromytis, "Hydan: Hiding information in program binaries," in Proceedings of the International Conference on Information and Communications Security, (ICICS), 2004.
55. Intel 64 and IA-32 Architectures Software Developer's Manual, ser. Volume 2 (2A & 2B): Instruction Set Reference, A-Z, 2011, http://www.intel.com/ Assets/PDF/manual/325383.pdf.
56. S. S. Muchnick, Advanced compiler design and implementation. San Francisco, CA, USA: Morgan Kaufmann Publishers Inc., 1997.
57. Y. L. Varol and D. Rotem, "An algorithm to generate all topological sorting arrangements," Comput. J., vol. 24, no. 1, pp. 83-84, 1981. (Pubitemid 11505179)
58. A. Fog, "Calling conventions for different C++ compilers and operating systems," http://agner.org/optimize/calling-conventions.pdf.
59. Skape and Skywing, "Bypassing Windows hardware-enforced DEP," Uninformed, vol. 2, Sep. 2005.
60. F. Bouchez, "A study of spilling and coalescing in register allocation as two separate phases," Ph.D. dissertation, École normale supérieure de Lyon, April 2009.
61. "Wine," http://www.winehq.org.
62. "Integard Pro 2.2.0.9026 (Win7 ROP-Code Metasploit Module)," http://www.exploit-db.com/exploits/15016/.
63. "MPlayer (r33064 Lite) Buffer Overflow + ROP exploit," http://www.exploit-db.com/exploits/17124/.
64. "White Phosphorus Exploit Pack," http://www.whitephosphorus. org/.
65. Corelan Team, "Corelan ROPdb," https://www.corelan.be/index. php/security/corelan-ropdb/.
66. "Immunity Debugger," http://www.immunityinc.com/products- immdbg.shtml.
67. E. Buchanan, R. Roemer, H. Shacham, and S. Savage, "When good instructions go bad: generalizing return-oriented programming to RISC," in Proceedings of the 15th ACM conference on Computer and Communications Security (CCS), 2008.
68. T. Bletsch, X. Jiang, V. Freeh, and Z. Liang, "Jump-oriented programming: A new class of code-reuse attack," in Proceedings of the 6th Symposium on Information, Computer and Communications Security (ASIACCS), 2011.
69. P. Solé, "Defeating DEP, the Immunitiy Debugger way," http://www.immunitysec.com/downloads/DEPLIB.pdf.