Hacking blind

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2014, Pages 227-242

  Bittau, Andrea ^a   Belay, Adam ^a   Mashtizadeh, Ali ^a   Mazières, David ^a   Boneh, Dan ^a  

^a STANFORD UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER OPERATING SYSTEMS; PERSONAL COMPUTING;

ADDRESS SPACE LAYOUT RANDOMIZATIONS; FULLY AUTOMATED; INPUT STRING; RETURN-ORIENTED PROGRAMMING; SOURCE CODES; STACK BUFFER OVERFLOWS; SYSTEM CALLS; TRADITIONAL TECHNIQUES;

OPEN SOURCE SOFTWARE;

EID: 84914132233     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2014.22     Document Type: Conference Paper

References (35)

1. R. Roemer, E. Buchanan, H. Shacham, and S. Savage, "Return-oriented programming: Systems, languages, and applications," ACM Trans. Inf. Syst. Secur., vol. 15, no. 1, pp. 2:1-2:34, Mar. 2012. [Online]. Available: http://doi.acm.org/10.1145/2133375.2133377
2. mitre. Cve-2013-2028. [Online]. Available: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028
3. -. Cve-2008-0226. [Online]. Available: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0226
4. A. One, "Smashing The Stack For Fun And Profit," Phrack, vol. 7, no. 49, Nov. 1996. [Online]. Available: http://phrack.com/issues.html?issue=49&id=14#article
5. M. Kaempf. Vudo malloc tricks by maxx. [Online]. Available: http://www.phrack.org/issues.html?issue=57&id=8&mode=txt
6. S. Designer. Getting around non-executable stack (and fix). [Online]. Available: http://seclists.org/bugtraq/1997/Aug/63
7. P. Team. Pax address space layout randomization (aslr). [Online]. Available: http://pax.grsecurity.net/docs/aslr.txt
8. S. Bhatkar, D. C. DuVarney, and R. Sekar, "Address obfuscation: an efficient approach to combat a board range of memory error exploits," in Proceedings of the 12th conference on USENIX Security Symposium - Volume 12, ser. SSYM'03. Berkeley, CA, USA: USENIX Association, 2003, pp. 8-8. [Online]. Available: http://dl.acm.org/citation.cfm?id=1251353.1251361
9. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh, "On the effectiveness of address-space randomization," in Proceedings of the 11th ACM conference on Computer and communications security, ser. CCS '04. New York, NY, USA: ACM, 2004, pp. 298-307. [Online]. Available: http://doi.acm.org/10.1145/1030083.1030124
10. gera and riq. Advances in format string exploitation. [Online]. Available: http://www.phrack.org/archives/59/p59 0x07 Advances% 20in%20format%20string%20exploitation by riq%20&%20gera.txt
11. C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, "Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks," in Proceedings of the 7th conference on USENIX Security Symposium - Volume 7, ser. SSYM'98. Berkeley, CA, USA: USENIX Association, 1998, pp. 5-5. [Online]. Available: http://dl.acm.org/citation.cfm?id=1267549.1267554
12. H. Etoh, "GCC extension for protecting applications from stacksmashing attacks (ProPolice)," 2003, http://www.trl.ibm.com/projects/security/ssp/. [Online]. Available: http://www.trl.ibm.com/projects/security/ssp/
13. Bulba and Kil3r, "Bypassing stackguard and stackshield," Phrack Magazine, May 2000. [Online]. Available: http://phrack.org/issues.html?issue=56&id=5#article
14. Kingcope. About a generic way to exploit linux targets. [Online]. Available: http://www.exploit-db.com/wp-content/themes/exploit/docs/27074.pdf
15. G. F. Roglia, L. Martignoni, R. Paleari, and D. Bruschi, "Surgically returning to randomized lib(c)," in Proceedings of the 2009 Annual Computer Security Applications Conference, ser. ACSAC '09. Washington, DC, USA: IEEE Computer Society, 2009, pp. 60-69. [Online]. Available: http://dx.doi.org/10.1109/ACSAC.2009.16
16. Ubuntu security features. [Online]. Available: https://wiki.ubuntu.com/Security/Features
17. Peach fuzzer. [Online]. Available: http://peachfuzzer.com/
18. mitre. Cve-2002-0392. [Online]. Available: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0392
19. C. Giuffrida, A. Kuijsten, and A. S. Tanenbaum, "Enhanced operating system security through efficient and fine-grained address space randomization," in Proceedings of the 21st USENIX conference on Security symposium, ser. Security'12. Berkeley, CA, USA: USENIX Association, 2012, pp. 40-40. [Online]. Available: http://dl.acm.org/citation.cfm?id=2362793.2362833
20. -elad/recent/man/security.8.html
21. grsecurity. Deter exploit bruteforcing. [Online]. Available: http://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity and PaX Configuration Options#Deter exploit bruteforcing
22. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, "Controlflow integrity," in Proceedings of the 12th ACM Conference on Computer and Communications Security, ser. CCS '05. New York, NY, USA: ACM, 2005, pp. 340-353. [Online]. Available: http://doi.acm.org/10.1145/1102120.1102165
23. V. Pappas, M. Polychronakis, and A. D. Keromytis, "Transparent ROP exploit mitigation using indirect branch tracing," in Proceedings of the 22nd USENIX conference on Security, ser. SEC'13. Berkeley, CA, USA: USENIX Association, 2013, pp. 447-462. [Online]. Available: http://dl.acm.org/citation.cfm?id=2534766.2534805
24. R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin, "Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code," in Proceedings of the 2012 ACM Conference on Computer and Communications Security, ser. CCS '12. New York, NY, USA: ACM, 2012, pp. 157-168. [Online]. Available: http://doi.acm.org/10.1145/2382196.2382216
25. J. Hiser, A. Nguyen-Tuong, M. Co, M. Hall, and J. W. Davidson, "Ilr: Where'd my gadgets go?" in Proceedings of the 2012 IEEE Symposium on Security and Privacy, ser. SP '12. Washington, DC, USA: IEEE Computer Society, 2012, pp. 571-585. [Online]. Available: http://dx.doi.org/10.1109/SP.2012.39
26. V. Pappas, M. Polychronakis, and A. D. Keromytis, "Smashing the gadgets: Hindering return-oriented programming using in-place code randomization," in Proceedings of the 2012 IEEE Symposium on Security and Privacy, ser. SP '12. Washington, DC, USA: IEEE Computer Society, 2012, pp. 601-615. [Online]. Available: http://dx.doi.org/10.1109/SP.2012.41
27. K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda, "G-free: defeating return-oriented programming through gadget-less binaries," in Proceedings of the 26th Annual Computer Security Applications Conference. ACM, 2010, pp. 49-58.
28. T. C. Team. Addresssanitizer - clang 3.4 documentation. [Online]. Available: http://clang.llvm.org/docs/AddressSanitizer.html
29. D. Dhurjati, S. Kowshik, and V. Adve, "SAFECode: Enforcing alias analysis for weakly typed languages," in Proceedings of the 2006 ACM SIGPLAN Conference on Programming Language Design and Implementation, ser. PLDI '06. New York, NY, USA: ACM, 2006, pp. 144-157. [Online]. Available: http://doi.acm.org/10.1145/1133981. 1133999
30. Intel. Introduction to intel memory protection extensions. [Online]. Available: http://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions
31. T. Goodspeed and A. Francillon, "Half-Blind Attacks: Mask ROM Bootloaders are Dangerous," in WOOT, 2009.
32. A. N. Sovarel, D. Evans, and N. Paul, "Where's the feeb?: The effectiveness of instruction set randomization," in Usenix Security, 2005.
33. A. Zabrocki. Scraps of notes on remote stack overflow exploitation. [Online]. Available: http://www.phrack.org/issues.html?issue=67&id= 13#article
34. Kingcope. nginx 1.3.9/1.4.0 x86 brute force remote exploit. [Online]. Available: http://www.exploit-db.com/exploits/26737/
35. M. Labes. Mwr labs pwn2own 2013 write-up - webkit exploit. [Online]. Available: https://labs.mwrinfosecurity.com/blog/2013/04/19/mwr-labs-pwn2own-2013-write-up-webkit-exploit/