Missing the point(er): On the effectiveness of code pointer integrity

Proceedings - IEEE Symposium on Security and Privacy

Volumn 2015-July, Issue , 2015, Pages 781-796

  Evans, Isaac ^a   Fingeret, Sam ^b   González, Julián ^b   Otgonbaatar, Ulziibayar ^b   Tang, Tiffany ^b   Shrobe, Howard ^b   Sidiroglou Douskos, Stelios ^b   Rinard, Martin ^b   Okhravi, Hamed ^a  

^a MASSACHUSETTS INSTITUTE OF TECHNOLOGY   (United States)

^b MIT LINCOLN LABORATORY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CODES (SYMBOLS); CRIME;

CONTROL HIJACKINGS; INFORMATION HIDING; INSTRUCTION-LEVEL; MEMORY CORRUPTION ATTACKS; PRACTICAL CONTROLS; PROOF OF CONCEPT; SECURITY AND PERFORMANCE; SECURITY MECHANISM;

C++ (PROGRAMMING LANGUAGE);

EID: 84945192930     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2015.53     Document Type: Conference Paper

References (62)

1. Vulnerability summary for cve-2013-2028, 2013.
2. Linux cross reference, 2014.
3. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity. In Proceedings of the 12th ACM conference on Computer and communications security, pages 340-353. ACM, 2005.
4. P. Akritidis. Cling: A memory allocator to mitigate dangling pointers. In USENIX Security Symposium, pages 177-192, 2010.
5. P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. Preventing memory error exploits with wit. In Security and Privacy, 2008. SP 2008. IEEE Symposium on, pages 263-277. IEEE, 2008.
6. J. P. Anderson. Computer security technology planning study. volume 2. Technical report, DTIC Document, 1972.
7. M. Backes, T. Holz, B. Kollenda, P. Koppe, S. Nürnberger, and J. Pewny. You can run but you can't read: Preventing disclosure exploits in executable code. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 1342-1353. ACM, 2014.
8. E. G. Barrantes, D. H. Ackley, T. S. Palmer, D. Ste-fanovic, and D. D. Zovi. Randomized instruction set emulation to disrupt binary code injection attacks. In Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS '03, pages 281-289, New York, NY, USA, 2003. ACM.
9. A. Bittau, A. Belay, A. Mashtizadeh, D. Mazieres, and D. Boneh. Hacking blind. In Proceedings of the 35th IEEE Symposium on Security and Privacy, 2014.
10. T. Bletsch, X. Jiang, V. Freeh, and Z. Liang. Jump-oriented programming: A new class of code-reuse attack. In Proc. of the 6th ACM Symposium on Info., Computer and Comm. Security, pages 30-40, 2011.
11. N. Carlini and D. Wagner. Rop is still dangerous: Breaking modern defenses. In USENIX Security Symposium, 2014.
12. S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In Proc. of the 17th ACM CCS, pages 559-572, 2010.
13. S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. Non-control-data attacks are realistic threats. In Usenix Security, volume 5, 2005.
14. X. Chen, D. Caselden, and M. Scott. New zero-day exploit targeting internet explorer versions 9 through 11 identified in targeted attacks, 2014.
15. S. Crane, C. Liebchen, A. Homescu, L. Davi, P. Larsen, A.-R. Sadeghi, S. Brunthaler, and M. Franz. Readactor: Practical code randomization resilient to memory disclosure. In IEEE Symposium on Security and Privacy, 2015.
16. S. A. Crosby, D. S. Wallach, and R. H. Riedi. Opportunities and limits of remote timing attacks. ACM Transactions on Information and System Security (TISSEC), 12(3):17, 2009.
17. L. Davi, D. Lehmann, A.-R. Sadeghi, and F. Monrose. Stitching the gadgets: On the ineffectiveness of coarsegrained control-flow integrity protection. In USENIX Security Symposium, 2014.
18. U. Drepper. Elf handling for thread-local storage, 2013.
19. F. Durvaux, M. Renauld, F.-X. Standaert, L. v. O. tot Oldenzeel, and N. Veyrat-Charvillon. Efficient removal of random delays from embedded software implementations using hidden markov models. Springer, 2013.
20. C. Giuffrida, A. Kuijsten, and A. S. Tanenbaum. Enhanced operating system security through efficient and fine-grained address space randomization. In USENIX Security Symposium, pages 475-490, 2012.
21. E. Göktas, E. Athanasopoulos, H. Bos, and G. Portoka-lidis. Out of control: Overcoming control-flow integrity. In IEEE S&P, 2014.
22. J. L. Henning. Spec cpu2006 benchmark descriptions. SIGARCH Comput. Archit. News, 34(4):1-17, Sept. 2006.
23. J. Hiser, A. Nguyen, M. Co, M. Hall, and J. Davidson. Ilr: Where'd my gadgets go. In IEEE Symposium on Security and Privacy, 2012.
24. G. Hunt, J. Larus, M. Abadi, M. Aiken, P. Barham, M. Fähndrich, C. Hawblitzel, O. Hodson, S. Levi, N. Murphy, et al. An overview of the singularity project. 2005.
25. intel. Introduction to intel memory protection extensions, 2013.
26. T. Jackson, A. Homescu, S. Crane, P. Larsen, S. Brun-thaler, and M. Franz. Diversifying the software stack using randomized nop insertion. In Moving Target Defense, pages 151-173. 2013.
27. T. Jackson, B. Salamat, A. Homescu, K. Manivannan, G. Wagner, A. Gal, S. Brunthaler, C. Wimmer, and M. Franz. Compiler-generated software diversity. Moving Target Defense, pages 77-98, 2011.
28. T. Jim, J. G. Morrisett, D. Grossman, M. W. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of c. In USENIX Annual Technical Conference, General Track, pages 275-288, 2002.
29. A. D. Keromytis, S. J. Stolfo, J. Yang, A. Stavrou, A. Ghosh, D. Engler, M. Dacier, M. Elder, and D. Kien-zle. The minestrone architecture combining static and dynamic analysis techniques for software security. In SysSec Workshop (SysSec), 2011 First, pages 53-56. IEEE, 2011.
30. C. Kil, J. Jun, C. Bookholt, J. Xu, and P. Ning. Address space layout permutation (aslp): Towards fine-grained randomization of commodity software. In Proc. of ACSAC'06, pages 339-348. Ieee, 2006.
31. V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. Code-pointer integrity. 2014.
32. A. Kwon, U. Dhawan, J. Smith, T. Knight, and A. Dehon. Low-fat pointers: compact encoding and efficient gatelevel implementation of fat pointers for spatial safety and capability-based security. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pages 721-732. ACM, 2013.
33. W. Landi. Undecidability of static analysis. ACM Letters on Programming Languages and Systems (LOPLAS), 1(4):323-337, 1992.
34. C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: building customized program analysis tools with dynamic instrumentation. ACM Sigplan Notices, 40(6):190-200, 2005.
35. A. J. Mashtizadeh, A. Bittau, D. Mazieres, and D. Boneh. Cryptographically enforced control flow integrity. arXiv preprint arXiv:1408.1451, 2014.
36. S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic. Cets: compiler enforced temporal safety for c. In ACM Sigplan Notices, volume 45, pages 31-40. ACM, 2010.
37. G. C. Necula, S. McPeak, and W. Weimer. Ccured: Typesafe retrofitting of legacy code. ACM SIGPLAN Notices, 37(1):128-139, 2002.
38. N. Nethercote and J. Seward. Valgrind: a framework for heavyweight dynamic binary instrumentation. In ACM Sigplan Notices, volume 42, pages 89-100. ACM, 2007.
39. H. Okhravi, T. Hobson, D. Bigelow, and W. Streilein. Finding focus in the blur of moving-target techniques. IEEE Security & Privacy, 12(2):16-26, Mar 2014.
40. A. One. Smashing the stack for fun and profit. Phrack magazine, 7(49):14-16, 1996.
41. OpenBSD. Openbsd 3.3, 2003.
42. V. Pappas, M. Polychronakis, and A. D. Keromytis. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In IEEE Symposium on Security and Privacy, 2012.
43. PaX. Pax address space layout randomization, 2003.
44. C. Percival. How to zero a buffer, Sept. 2014.
45. W. Reese. Nginx: the high-performance web server and reverse proxy. Linux Journal, 2008(173):2, 2008.
46. K. Scott, N. Kumar, S. Velusamy, B. Childers, J. W. Davidson, and M. L. Soffa. Retargetable and reconfigurable software dynamic translation. In Proceedings of the international symposium on Code generation and optimization: feedback-directed and runtime optimization, pages 36-47. IEEE Computer Society, 2003.
47. J. Seibert, H. Okhravi, and E. Soderstrom. Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code. In Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS), Nov 2014.
48. K. Serebryany, D. Bruening, A. Potapenko, and D. Vyukov. Addresssanitizer: A fast address sanity checker. In USENIX Annual Technical Conference, pages 309-318, 2012.
49. H. Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM conference on Computer and communications security, pages 552-561. ACM, 2007.
50. H. Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proc. of ACM CCS, pages 552-561, 2007.
51. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In Proc. of ACM CCS, pages 298-307, 2004.
52. K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In Security and Privacy (SP), 2013 IEEE Symposium on, pages 574-588. IEEE, 2013.
53. R. Strackx, Y. Younan, P. Philippaerts, F. Piessens, S. Lachmund, and T. Walter. Breaking the memory secrecy assumption. In Proc. of EuroSec'09, pages 1-8, 2009.
54. R. Strackx, Y. Younan, P. Philippaerts, F. Piessens, S. Lachmund, and T. Walter. Breaking the memory secrecy assumption. In Proceedings of EuroSec '09, 2009.
55. L. Szekeres, M. Payer, T. Wei, and D. Song. Sok: Eternal war in memory. In Proc. of IEEE Symposium on Security and Privacy, 2013.
56. M. Tran, M. Etheridge, T. Bletsch, X. Jiang, V. Freeh, and P. Ning. On the expressiveness of return-into-libc attacks. In Proc. of RAID'11, pages 121-141, 2011.
57. R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin. Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code. In Proceedings of the 2012 ACM conference on Computer and communications security, pages 157-168. ACM, 2012.
58. R. N. Watson, J. Woodruff, P. G. Neumann, S. W. Moore, J. Anderson, D. Chisnall, N. Dave, B. Davis, B. Laurie, S. J. Murdoch, R. Norton, M. Roe, S. Son, M. Vadera, and K. Gudka. Cheri: A hybrid capability-system architecture for scalable software compartmentalization. In IEEE Symposium on Security and Privacy, 2015.
59. Y. Weiss and E. G. Barrantes. Known/chosen key attacks against software instruction set randomization. In Computer Security Applications Conference, 2006. ACSAC'06. 22nd Annual, pages 349-360. IEEE, 2006.
60. D. Williams, W. Hu, J. W. Davidson, J. D. Hiser, J. C. Knight, and A. Nguyen-Tuong. Security through diversity: Leveraging virtual machine technology. Security & Privacy, IEEE, 7(1):26-33, 2009.
61. C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou. Practical control flow integrity and randomization for binary executables. In Security and Privacy (SP), 2013 IEEE Symposium on, pages 559-573. IEEE, 2013.
62. M. Zhang and R. Sekar. Control flow integrity for cots binaries. In USENIX Security, pages 337-352, 2013.