You can run but you can't read: Preventing disclosure exploits in executable code

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2014, Pages 1342-1353

  Backes, Michael ^a   Holz, Thorsten ^b   Kollenda, Benjamin ^b   Koppe, Philipp ^b   Nürnberger, Stefan ^a   Pewny, Jannik ^b  

^a SAARLAND UNIVERSITY   (Germany)

^b RUHR UNIVERSITY BOCHUM   (Germany)

Author keywords

Buffer overflows; Code reuse attacks; Information leaks; Memory disclosure exploits; Return oriented programming

Indexed keywords

COMPUTER OPERATING SYSTEMS; COMPUTER SOFTWARE REUSABILITY; JUST IN TIME PRODUCTION;

BUFFER OVERFLOWS; CODE REUSE; EXECUTABLE CODES; HARDWARE SUPPORTS; INFORMATION LEAKS; JUST IN TIME; MALICIOUS BEHAVIOR; RETURN-ORIENTED PROGRAMMING; ON THE FLIES;

CODES (SYMBOLS);

EID: 84910680268     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2660267.2660378     Document Type: Conference Paper

References (51)

1. ARM1136JF-S and ARM1136J-S Technical Reference Manual Revision: r1p5, section 6.5.2. ARM Limited.
2. BusyBox: The Swiss Army Knife of Embedded Linux. http://www.busybox.net/.
3. Cygwin-Posix API and tool collection for Windows. https://www.cygwin.com/.
4. Abadi, M., Budiu, M., Erlingsson, U., and Ligatti, J. Control-flow integrity. In ACM Conference on Computer and Communications Security (CCS) (2005), ACM, pp. 340-353.
5. Abadi, M., Budiu, M., Erlingsson, U., Necula, G. C., and Vrable, M. XFI: Software Guards for System Address Spaces. In USENIX Symposium on Operating Systems Design and Implementation (OSDI) (2006).
6. Akritidis, P., Cadar, C., Raiciu, C., Costa, M., and Castro, M. Preventing Memory Error Exploits with WIT. IEEE Symposium on Security and Privacy (2008).
7. Aleph One. Smashing the Stack for Fun and Profit. Phrack Magazine 49, 14 (1996).
8. Bhatkar, S., Sekar, R., and DuVarney, D. C. Efficient techniques for comprehensive protection from memory error exploits. In USENIX Security Symposium (2005), USENIX Association.
9. Bittau, A., Belay, A., Mashtizadeh, A., Mazialres, D., and Boneh, D. Hacking Blind. In IEEE Symposium on Security and Privacy (2014).
10. Bletsch, T., Jiang, X., Freeh, V. W., and Liang, Z. Jump-oriented Programming: A New Class of Code-reuse Attack. In ACM Symposium on Information, Computer and Communications Security (ASIACCS) (2011).
11. blexim. Basic Integer Overflows. Phrack Magazine 60, 10 (2002).
12. Buchanan, E., Roemer, R., Shacham, H., and Savage, S. When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC. In ACM Conference on Computer and Communications Security (CCS) (2008).
13. Carlini, N., and Wagner, D. ROP is Still Dangerous: Breaking Modern Defenses. In USENIX Security Symposium (2014).
14. Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., and Winandy, M. Return-oriented Programming Without Returns. In ACM Conference on Computer and Communications Security (CCS) (2010).
15. Cheng, Y., Zhou, Z., Yu, M., Ding, X., and Deng, R. H. ROPecker: A Generic and Practical Approach for Defending Against ROP Attacks. In Symposium on Network and Distributed System Security (NDSS) (2014).
16. Davi, L., Dmitrienko, A., Egele, M., Fischer, T., Holz, T., Hund, R., Nürnberger, S., and Sadeghi, A.-R. MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones. In Symposium on Network and Distributed System Security (NDSS) (2012).
17. Davi, L., Lehmann, D., Sadeghi, A.-R., and Monrose, F. Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection. In USENIX Security Symposium (2014).
18. Davi, L. V., Dmitrienko, A., Nürnberger, S., and Sadeghi, A.-R. Gadge me if you can: Secure and efficient ad-hoc instruction-level randomization for x86 and arm. In 8th ACM SIGSAC symposium on Information, computer and communications security (ACM ASIACCS 2013) (2013), ACM, pp. 299-310.
19. Fratric, I. Runtime Prevention of Return-Oriented Programming Attacks. http://ropguard.googlecode.com/svn-history/r2/trunk/doc/ropguard.pdf.
20. gera. Advances in Format String Exploitation. Phrack Magazine 59, 12 (2002).
21. Giuffrida, C., Kuijsten, A., and Tanenbaum, A. S. Enhanced operating system security through efficient and fine-grained address space randomization. In Proceedings of the 21st USENIX conference on Security symposium (2012), USENIX Association, pp. 40-40.
22. Goktas, E., Athanasopoulos, E., Bos, H., and Portokalidis, G. Out of control: Overcoming control-flow integrity. In IEEE Symposium on Security and Privacy (2014).
23. Göktas, E., Athanasopoulos, E., Polychronakis, M., Bos, H., and Portokalidis, G. Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard. In USENIX Security Symposium (2014).
24. Hiser, J. D., Nguyen-Tuong, A., Co, M., Hall, M., and Davidson, J. W. ILR: Where'd My Gadgets Go? In IEEE Symposium on Security and Privacy (2012).
25. Jajodia, S., Ghosh, A. K., Subrahmanian, V. S., Swarup, V., Wang, C., and Wang, X. S., Eds. Moving Target Defense II-Application of Game Theory and Adversarial Modeling, vol. 100 of Advances in Information Security. Springer, 2013.
26. Kil, C., Jun, J., Bookholt, C., Xu, J., and Ning, P. Address space layout permutation (ASLP): Towards fine-grained randomization of commodity software. In Annual Computer Security Applications Conference (ACSAC) (2006).
27. Krahmer, S. x86-64 Buffer Overflow Exploits and the Borrowed Code Chunks Exploitation Technique. http://users.suse.com/~krahmer/no-nx.pdf, 2005.
28. Microsoft. Kernel patch protection for x64-based operating systems. http://technet.microsoft.com/en-us/library/cc759759(v=ws.10).aspx.
29. Microsoft. Data Execution Prevention (DEP). http://support.microsoft.com/kb/875352/EN-US/, 2006.
30. MITRE. Common weakness enumeration. http://cwe.mitre.org/top25/, November 2012.
31. Onarlioglu, K., Bilge, L., Lanzi, A., Balzarotti, D., and Kirda, E. G-Free: defeating return-oriented programming through gadget-less binaries. In ACSAC'10, Annual Computer Security Applications Conference (Dec. 2010).
32. Pappas, V., Polychronakis, M., and Keromytis, A. D. Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization. In IEEE Symposium on Security and Privacy (2012).
33. Pappas, V., Polychronakis, M., and Keromytis, A. D. Transparent ROP Exploit Mitigation Using Indirect Branch Tracing. In USENIX Security Symposium (2013).
34. PaX Team. http://pax.grsecurity.net/.
35. PaX Team. PaX Address Space Layout Randomization (ASLR). http://pax.grsecurity.net/docs/aslr.txt.
36. Roemer, R., Buchanan, E., Shacham, H., and Savage, S. Return-Oriented Programming: Systems, Languages, and Applications. ACM Transactions on Information and System Security 15, 1 (Mar. 2012).
37. Sehr, D., Muth, R., Biffle, C., Khimenko, V., Pasko, E., Schimpf, K., Yee, B., and Chen, B. Adapting Software Fault Isolation to Contemporary CPU Architectures. In USENIX Security Symposium (2010).
38. Shacham, H. The Geometry of Innocent Flesh on the Bone: Return-into-libc Without Function Calls (on the x86). In ACM Conference on Computer and Communications Security (CCS) (2007).
39. Shacham, H., jin Goh, E., Modadugu, N., Pfaff, B., and Boneh, D. On the Effectiveness of Address-space Randomization. In ACM Conference on Computer and Communications Security (CCS) (2004).
40. Snow, K. Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., and Sadeghi, A.-R. Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization. In IEEE Symposium on Security and Privacy (2013).
41. Snow, K. Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., and Sadeghi, A.-R. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In IEEE Symposium on Security and Privacy (2013).
42. Solar Designer. "return-to-libc" attack. Bugtraq, 1997.
43. Sparks, S., and Butler, J. ShadowWalker: Raising the Bar for Rootkit detection. In Black Hat Japan (2005).
44. Sun, B. Kernel patch protection for x64-based operating systems. http://blogs.mcafee.com/mcafee-labs/windows-7-kernel-api-refactoring.
45. Tran, M., Etheridge, M., Bletsch, T., Jiang, X., Freeh, V., and Ning, P. On the expressiveness of return-into-libc attacks. In Proceedings of the 14th international conference on Recent Advances in Intrusion Detection (2011), Springer-Verlag.
46. Van der Veen, V., Cavallaro, L., Bos, H., et al. Memory errors: the past, the present, and the future. In Research in Attacks, Intrusions, and Defenses. Springer, 2012, pp. 86-106.
47. Wartell, R., Mohan, V., Hamlen, K. W., and Lin, Z. Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code. In ACM Conference on Computer and Communications Security (CCS) (2012).
48. Xu, H., and Chapin, S. Address-space layout randomization using code islands. In Journal of Computer Security (2009), IOS Press, pp. 331-362.
49. Yee, B., Sehr, D., Dardyk, G., Chen, J. B., Muth, R., Ormandy, T., Okasaka, S., Narula, N., and Fullagar, N. Native Client: A Sandbox for Portable, Untrusted x86 Native Code. IEEE Symposium on Security and Privacy (2009).
50. Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., and Zou, W. Practical Control Flow Integrity and Randomization for Binary Executables. In IEEE Symposium on Security and Privacy (2013).
51. Zhang, M., and Sekar, R. Control flow integrity for cots binaries. In USENIX Security Symposium (2013).