Counterfeit object-oriented programming: On the difficulty of preventing code reuse attacks in C++ applications

Proceedings - IEEE Symposium on Security and Privacy

Volumn 2015-July, Issue , 2015, Pages 745-762

  Schuster, Felix ^a   Tendyck, Thomas ^a   Liebchen, Christopher ^b   Davi, Lucas ^b   Sadeghi, Ahmad Reza ^b   Holz, Thorsten ^a  

^a RUHR UNIVERSITY BOCHUM   (Germany)

^b DARMSTADT UNIVERSITY OF TECHNOLOGY   (Germany)

Author keywords

C++; CFI; code reuse attacks; ROP

Indexed keywords

C++ (PROGRAMMING LANGUAGE); CESIUM; COMPUTER OPERATING SYSTEMS; COMPUTER SOFTWARE REUSABILITY; CRIME; SEMANTICS;

CODE REUSE; DESIGN AND IMPLEMENTATIONS; INTERNET EXPLORERS; MEMORY CORRUPTION; RETURN-ORIENTED PROGRAMMING; SOFTWARE PROGRAM; SYSTEMATIC ASSESSMENT; VIRTUAL FUNCTIONS;

OBJECT ORIENTED PROGRAMMING;

EID: 84945184526     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2015.51     Document Type: Conference Paper

References (60)

1. M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. A theory of secure control-flow. In International Conference on Formal Engineering Methods (ICFEM), pages 111-124, 2005.
2. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity: Principles, implementations, and applications. ACM Transactions on Information and System Security (TISSEC), 13(1), 2009.
3. M. Abadi, M. Budiu, lfar Erlingsson, and J. Ligatti. Control-flow integrity. In Proceedings of ACM Conference on Computer and Communications Security (CCS), 2005.
4. P. Akritidis. Cling: A memory allocator to mitigate dangling pointers. In USENIX Security Symposium, 2010.
5. P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. Preventing memory error exploits with WIT. In IEEE Symposium on Security and Privacy, 2008.
6. P. Akritidis, M. Costa, M. Castro, and S. Hand. Baggy bounds checking: An efficient and backwards-compatible defense against out-of-bounds errors. In USENIX Security Symposium, 2009.
7. M. Backes, T. Holz, B. Kollenda, P. Koppe, S. Nürnberger, and J. Pewny. You can run but you cant read: Preventing disclosure exploits in executable code. In Proceedings of ACM Conference on Computer and Communications Security (CCS), 2014.
8. A. Bittau, A. Belay, A. Mashtizadeh, D. Mazieres, and D. Boneh. Hacking blind. In IEEE Symposium on Security and Privacy, 2014.
9. T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang. Jump-oriented programming: A new class of code-reuse attack. In ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2011.
10. E. Bosman and H. Bos. Framing signals-a return to portable shellcode. In IEEE Symposium on Security and Privacy, 2014.
11. N. Carlini and D. Wagner. ROP is still dangerous: Breaking modern defenses. In USENIX Security Symposium, 2014.
12. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In Proceedings of ACM Conference on Computer and Communications Security (CCS), 2010.
13. X. Chen, A. Slowinska, D. Andriesse, H. Bos, and C. Giuffrida. StackArmor: Comprehensive protection from stack-based memory error vulnerabilities for binaries. In Symposium on Network and Distributed System Security (NDSS), 2015.
14. Y. Cheng, Z. Zhou, M. Yu, X. Ding, and R. H. Deng. ROPecker: A generic and practical approach for defending against ROP attacks. In Symposium on Network and Distributed System Security (NDSS), 2014.
15. L. Davi, P. Koeberl, and A.-R. Sadeghi. Hardware-assisted fine-grained control-flow integrity: Towards efficient protection of embedded systems against software exploitation. In DAC, 2014.
16. L. Davi, D. Lehmann, A.-R. Sadeghi, and F. Monrose. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In USENIX Security Symposium, 2014.
17. L. Davi, A.-R. Sadeghi, and M. Winandy. ROPdefender: A detection tool to defend against return-oriented programming attacks. In ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2011.
18. L. De Moura and N. Bjørner. Z3: An efficient SMT solver. In Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), 2008.
19. L. De Moura and N. Bjørner. Generalized, efficient array decision procedures. In Formal Methods in Computer Aided Design (FMCAD), 2009.
20. D. Dewey and J. T. Giffin. Static detection of C++ vtable escape vulnerabilities in binary code. In Symposium on Network and Distributed System Security (NDSS), 2012.
21. A. Fokin, E. Derevenetc, A. Chernov, and K. Troshina. SmartDec: Approaching C++ decompilation. In Working Conference on Reverse Engineering (WCRE), 2011.
22. M. Frantzen and M. Shuey. StackGhost: Hardware facilitated stack protection. In USENIX Security Symposium, 2001.
23. I. Fratric. Runtime Prevention of Return-Oriented Programming Attacks. http://ropguard.googlecode.com/svn-history/r2/trunk/doc/ropguard.pdf.
24. R. Gawlik and T. Holz. Towards automated integrity protection of C++ virtual function tables in binary programs. In Anual Computer Security Applications Conference (ACSAC), 2014.
25. E. Göktaş, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out of control: Overcoming control-flow integrity. In IEEE Symposium on Security and Privacy, 2014.
26. E. Göktaş, E. Athanasopoulos, M. Polychronakis, H. Bos, and G. Por-tokalidis. Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard. In USENIX Security Symposium, 2014.
27. Y. Guillot and A. Gazet. Automatic binary deobfuscation. Journal in Comp. Virology, 2010.
28. R. Hund, C. Willems, and T. Holz. Practical timing side channel attacks against kernel space ASLR. In IEEE Symposium on Security and Privacy, 2013.
29. D. Jang, Z. Tatlock, and S. Lerner. SAFEDISPATCH: Securing C++ virtual calls from memory corruption attacks. In Symposium on Network and Distributed System Security (NDSS), 2014.
30. N. Joly. Advanced exploitation of Internet Explorer 10/Windows 8 overflow (Pwn2Own 2013). http://www.vupen.com/blog/20130522.Advanced Exploitation of IE10 Windows8 Pwn2Own 2013.php, 2013.
31. V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. Code-pointer integrity. In USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2014.
32. M. Matz, J. Hubicka, A. Jaeger, and M. Mitchell. System V Application Binary Interface: AMD64 architecture processor supplement. http://x86-64.org/documentation/abi.pdf, 2013.
33. Microsoft. Data Execution Prevention (DEP). http://support.microsoft.com/kb/875352/EN-US/, 2006.
34. Microsoft Corp. Enhanced mitigation experience toolkit (EMET) 5.1. http://technet.microsoft.com/en-us/security/jj653751, November 2014.
35. Microsoft Developer Network. Argument passing and naming conventions. http://msdn.microsoft.com/en-us/library/984x0h58.aspx.
36. S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic. CETS: Compiler enforced temporal safety for C. In International Symposium on Memory Management, 2010.
37. Nergal. The advanced return-into-lib(c) exploits: PaX case study. http://phrack.org/issues/58/4.html, 2001.
38. K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda. G-Free: Defeating return-oriented programming through gadget-less binaries. In Anual Computer Security Applications Conference (ACSAC), 2010.
39. V. Pappas, M. Polychronakis, and A. D. Keromytis. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In IEEE Symposium on Security and Privacy, 2012.
40. V. Pappas, M. Polychronakis, and A. D. Keromytis. Transparent ROP exploit mitigation using indirect branch tracing. In USENIX Security Symposium, 2013.
41. A. Prakash, X. Hu, and H. Yin. vfGuard: Strict protection for virtual function calls in COTS C++ binaries. In Symposium on Network and Distributed System Security (NDSS), 2015.
42. M. Russinovich, D. A. Solomon, and A. Ionescu. Windows Internals, Part 1. Microsoft Press, 6th edition, 2012.
43. F. Schuster, T. Tendyck, J. Pewny, A. Maaß, M. Steegmanns, M. Contag, and T. Holz. Evaluating the effectiveness of current anti-ROP defenses. In Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2014.
44. J. Seibert, H. Okhravi, and E. Söderström. Information leaks without memory disclosures: Remote side channel attacks on diversified code. In Proceedings of ACM Conference on Computer and Communications Security (CCS), 2014.
45. K. Serebryany, D. Bruening, A. Potapenko, and D. Vyukov. Address-Sanitizer: A fast address sanity checker. In USENIX Annual Technical Conference, 2012.
46. H. Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of ACM Conference on Computer and Communications Security (CCS), 2007.
47. R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein. Systematic analysis of defenses against return-oriented programming. In Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2013.
48. K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In IEEE Symposium on Security and Privacy, 2013.
49. K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In IEEE Symposium on Security and Privacy, 2013.
50. B. Stroustrup. The C++ Programming Language, 4th Edition. Addison-Wesley, 4th edition, 2013.
51. L. Szekeres, M. Payer, T. Wei, and D. Song. Sok: Eternal war in memory. In IEEE Symposium on Security and Privacy, 2013.
52. C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, Ú. Erlingsson, L. Lozano, and G. Pike. Enforcing forward-edge control-flow integrity in GCC & LLVM. In USENIX Security Symposium, 2014.
53. M. Tran, M. Etheridge, T. Bletsch, X. Jiang, V. Freeh, and P. Ning. On the expressiveness of return-into-libc attacks. In Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2011.
54. M. Vishwath, P. Larsen, S. Brunthaler, K. W. Hamlen, and M. Franz. Opaque control-flow integrity. In Symposium on Network and Distributed System Security (NDSS), 2015.
55. R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin. Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code. In Proceedings of ACM Conference on Computer and Communications Security (CCS), pages 157-168, 2012.
56. Y. Xia, Y. Liu, H. Chen, and B. Zang. CFIMon: Detecting violation of control flow integrity using performance counters. In IEEE/IFIP Conference on Dependable Systems and Networks (DSN), 2012.
57. C. Zhang, C. Song, K. Z. Chen, Z. Chen, and D. Song. VTint: Defending virtual function tables integrity. In Symposium on Network and Distributed System Security (NDSS), 2015.
58. C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou. Practical control flow integrity and randomization for binary executables. In IEEE Symposium on Security and Privacy, 2013.
59. M. Zhang and R. Sekar. Control flow integrity for COTS binaries. In USENIX Security Symposium, 2013.
60. H. Zhou, X. Wu, W. Shi, J. Yuan, and B. Liang. HDROP: Detecting ROP attacks using performance monitoring counters. In Information Security Practice and Experience. Springer International Publishing, 2014.