Exploiting and Protecting Dynamic Code Generation

22nd Annual Network and Distributed System Security Symposium, NDSS 2015

Volumn , Issue , 2015, Pages

  Song, Chengyu ^a   Zhang, Chao ^b   Wang, Tielei ^a   Lee, Wenke ^a   Melski, David ^c  

^a GEORGIA INSTITUTE OF TECHNOLOGY   (United States)

^b UNIVERSITY OF CALIFORNIA   (United States)

^c GRAMMATECH INC   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

JUST IN TIME PRODUCTION; MEMORY ARCHITECTURE; PROGRAM COMPILERS;

CODE GENERATORS; DYNAMIC BINARY TRANSLATION; DYNAMIC CODE GENERATION; EXECUTABLES; INJECTION TECHNIQUES; JUST-IN-TIME COMPILATION; MEMORY PAGES; PERFORMANCE; SHELLCODE; SOFTWARE VULNERABILITIES;

CODES (SYMBOLS);

EID: 84945230261     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss.2015.23233     Document Type: Conference Paper

References (64)

1. “Yet another new approach to seccomp, ” http://lwn.net/Articles/475043/, 2012.
2. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, “Control-flow integrity, ” in Proceedings of the 12th ACM conference on Computer and Communications Security (CCS), 2005.
3. Adobe Product Security Incident Response Team, “Inside Adobe Reader Protected Mode, ” http://blogs.adobe.com/security/2010/11/inside-adobe-reader-protected-mode-part-3broker-process-policies-and-inter-process-communication.html, 2010.
4. S. Andersen and V. Abella, “Data Execution Prevention: Changes to Functionality in Microsoft Windows XP Service Pack 2, Part 3: Memory Protection Technologies, ” http://technet.microsoft.com/en-us/library/bb457155.aspx, 2004.
5. J. Ansel, P. Marchenko, Ú. Erlingsson, E. Taylor, B. Chen, D. L. Schuff, D. Sehr, C. L. Biffle, and B. Yee, “Language-independent sandboxing of just-in-time compilation and self-modifying code, ” in Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2011.
6. T. M. Austin, S. E. Breach, and G. S. Sohi, “Efficient detection of all pointer and array access errors, ” in Proceedings of the ACM SIGPLAN 1994 Conference on Programming Language Design and Implementation (PLDI), 1994.
7. J. Aycock, “A brief history of just-in-time, ” ACM Computing Surveys (CSUR), vol. 35, no. 2, pp. 97-113, 2003.
8. E. G. Barrantes, D. H. Ackley, T. S. Palmer, D. Stefanovic, and D. D. Zovi, “Randomized instruction set emulation to disrupt binary code injection attacks, ” in Proceedings of the 10th ACM conference on Computer and Communications Security (CCS), 2003.
9. F. Bellard, “Qemu, a fast and portable dynamic translator, ” in Proceedings of the Annual Conference on USENIX Annual Technical Conference, 2005.
10. M. Castro, M. Costa, J.-P. Martin, M. Peinado, P. Akritidis, A. Donnelly, P. Barham, and R. Black, “Fast byte-granularity software fault isolation, ” in Proceedings of the ACM SIGOPS 22Nd Symposium on Operating Systems Principles (SOSP), 2009.
11. X. Chen, “ASLR Bypass Apocalypse in Recent Zero-Day Exploits, ” http://www.fireeye.com/blog/technical/cyberexploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-dayexploits.html, 2013.
12. W. Cheng, Q. Zhao, B. Yu, and S. Hiroshige, “Tainttrace: Efficient flow tracing with dynamic binary rewriting, ” in Proceedings of the 11th IEEE Symposium on Computers and Communications (ISCC), 2006.
13. Y. Cheng, Z. Zhou, M. Yu, X. Ding, and R. H. Deng, “Ropecker: A generic and practical approach for defending against rop attacks, ” in Proceedings of the Symposium on Network and Distributed System Security (NDSS), 2014.
14. Common Weakness Enumeration, “Cwe-416: use after free.”
15. Common Weakness Enumeration, “Cwe-680: Integer overflow to buffer overflow.”
16. M. Conover, “w00w00 on heap overflows, ” 1999.
17. CVE, “CVE vulnerabilities found in browsers, ” http://web.nvd.nist.gov/view/vuln/search-results?query=browser&search_type=all&cves=on.
18. M. Daniel, J. Honoroff, and C. Miller, “Engineering heap overflow exploits with javascript, ” in Proceedings of the 2Nd Conference on USENIX Workshop on Offensive Technologies (WOOT), 2008.
19. D. Dhurjati and V. Adve, “Backwards-compatible array bounds checking for c with very low overhead, ” in Proceedings of the 28th International Conference on Software Engineering (ICSE), 2006.
20. B. Ford and R. Cox, “Vx32: Lightweight user-level sandboxing on the x86, ” in USENIX 2008 Annual Technical Conference on Annual Technical Conference, 2008.
21. T. Garfinkel, B. Pfaff, and M. Rosenblum, “Ostia: A delegating architecture for secure system call interposition, ” in Proceedings of the Symposium on Network and Distributed System Security (NDSS), 2004.
22. Google, “Seccompsandbox, ” https://code.google.com/p/seccompsandbox/wiki/overview.
23. Google, “The sandbox design principles in Chrome, ” http://dev.chromium.org/developers/design-documents/sandbox.
24. Google, “Design of chrome v8, ” https://developers.google.com/v8/design, 2008.
25. J. Hiser, A. Nguyen-Tuong, M. Co, M. Hall, and J. W. Davidson, “ILR: Where'd My Gadgets Go?” in Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP), 2012.
26. W. Hu, J. Hiser, D. Williams, A. Filipi, J. W. Davidson, D. Evans, J. C. Knight, A. Nguyen-Tuong, and J. Rowanhill, “Secure and practical defense against code-injection attacks using software dynamic translation, ” in Proceedings of the 2nd international conference on Virtual Execution Environments (VEE), 2006.
27. C. Kil, J. Jim, C. Bookholt, J. Xu, and P. Ning, “Address space layout permutation (aslp): Towards fine-grained randomization of commodity software, ” in Proceedings of the 22Nd Annual Computer Security Applications Conference (ACSAC), 2006.
28. C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood, “Pin: building customized program analysis tools with dynamic instrumentation, ” in Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2005.
29. W. S. McPhee, “Operating system integrity in os/vs2, ” IBM Systems Journal, vol. 13, no. 3, pp. 230-252, 1974.
30. Microsoft, “App capability declarations (Windows Runtime apps), ” http://msdn.microsoft.com/en-us/library/windows/apps/hh464936.aspx, 2012.
31. S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic, “Softbound: Highly compatible and complete spatial memory safety for c, ” in Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2009.
32. S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic, “Cets: compiler enforced temporal safety for c, ” in Proceedings of the 2010 International Symposium on Memory Management (ISMM), 2010.
33. N. Nethercote and J. Seward, “Valgrind: a framework for heavyweight dynamic binary instrumentation, ” in Proceedings of the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2007.
34. R. H. Netzer and B. P. Miller, “What are race conditions?: Some issues and formalizations, ” ACM Letters on Programming Languages and Systems (LOPLAS), vol. 1, no. 1, pp. 74-88, 1992.
35. T. Newsham, “Format string attacks, ” 2000.
36. J. Newsome and D. Song, “Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software, ” 2005.
37. B. Niu and G. Tan, “Modular control-flow integrity, ” in Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2014.
38. B. Niu and G. Tan, “Rockjit: Securing just-in-time compilation using modular control-flow integrity, ” 2014.
39. V. Pappas, M. Polychronakis, and A. D. Keromytis, “Smashing the gadgets: Hindering return-oriented programming using in-place code randomization, ” in Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP), 2012.
40. V. Pappas, M. Polychronakis, and A. D. Keromytis, “Transparent rop exploit mitigation using indirect branch tracing, ” in Proceedings of the 22Nd USENIX Conference on Security, 2013.
41. H. PATIL and C. FISCHER, “Low-cost, concurrent checking of pointer and array accesses in c programs, ” Software: Practice and Experience, vol. 27, no. 1, pp. 87-110, 1997.
42. PaX-Team, “PaX Address Space Layout Randomization, ” http://pax.grsecurity.net/docs/aslr.txt, 2003.
43. P. Pie, “Mobile Pwn2Own Autumn 2013 - Chrome on Android - Exploit Writeup, ” 2013.
44. T. V. project authors, http://v8.googlecode.com/svn/data/benchmarks/v7/run.html.
45. F. Qin, C. Wang, Z. Li, H.-s. Kim, Y. Zhou, and Y. Wu, “Lift: A low-overhead practical information flow tracking system for detecting security attacks, ” in Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture, 2006.
46. G. F. Roglia, L. Martignoni, R. Paleari, and D. Bruschi, “Surgically returning to randomized lib (c), ” in Proceedings of the 2009 Annual Computer Security Applications Conference (ACSAC), 2009.
47. K. Scott, N. Kumar, S. Velusamy, B. Childers, J. W. Davidson, and M. L. Soffa, “Retargetable and reconfigurable software dynamic translation, ” in Proceedings of the International Symposium on Code Generation and Optimization (CGO), 2003.
48. K. Scott and J. Davidson, “Strata: A software dynamic translation infrastructure, ” Tech. Rep., 2001.
49. D. Sehr, R. Muth, C. Biffle, V. Khimenko, E. Pasko, K. Schimpf, B. Yee, and B. Chen, “Adapting software fault isolation to contemporary cpu architectures, ” in Proceedings of the 19th USENIX Conference on Security, 2010.
50. F. J. Serna, “The info leak era on software exploitation, ” Black Hat USA, 2012.
51. J. Seward and N. Nethercote, “Using valgrind to detect undefined value errors with bit-precision, ” in Proceedings of the Annual Conference on USENIX Annual Technical Conference, 2005.
52. H. Shacham, “The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86), ” in Proceedings of the 14th ACM conference on Computer and Communications Security (CCS), 2007.
53. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh, “On the effectiveness of address-space randomization, ” in Proceedings of the 11th ACM conference on Computer and Communications Security (CCS), 2004.
54. A. Sintsov, “Writing jit-spray shellcode for fun and profit, ” 2010.
55. K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi, “Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization, ” in Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP), 2013.
56. Standard Performance Evaluation Corporation, “SPEC CINT2006 Benchmarks, ” http://www.spec.org/cpu2006/CINT2006/.
57. W3C, http://www.w3.org/TR/workers/, 2012.
58. R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham, “Efficient software-based fault isolation, ” in Proceedings of the Fourteenth ACM Symposium on Operating Systems Principles (SOSP), 1994.
59. R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin, “Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code, ” in Proceedings of the 2012 ACM conference on Computer and Communications Security (CCS), 2012.
60. T. Wei, T. Wang, L. Duan, and J. Luo, “Secure dynamic code generation against spraying, ” in Proceedings of the 17th ACM conference on Computer and Communications Security (CCS), 2010.
61. W. Xu, D. C. DuVarney, and R. Sekar, “An efficient and backwards-compatible transformation to ensure memory safety of c programs, ” in Proceedings of the 12th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE), 2004.
62. B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar, “Native client: A sandbox for portable, untrusted x86 native code, ” in Proceedings of the 2009 IEEE Symposium on Security and Privacy (SP), 2009.
63. C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou, “Practical control flow integrity and randomization for binary executables, ” in Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP), 2013.
64. M. Zhang and R. Sekar, “Control flow integrity for cots binaries, ” in Proceedings of the 22Nd USENIX Conference on Security, 2013.