Q: Exploit hardening made easy

Proceedings of the 20th USENIX Security Symposium

Volumn , Issue , 2011, Pages 379-394

  Schwartz, Edward J ^a   Avgerinos, Thanassis ^a   Brumley, David ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

HARDENING; LINUX; SEMANTICS;

CODE FRAGMENTS; END-TO-END SYSTEMS; EXECUTABLE CODES; PROGRAM VERIFICATION; REAL-WORLD; RETURN-ORIENTED PROGRAMMING; SHELLCODE; SOFTWARE DEFENSE;

PROGRAM COMPILERS;

EID: 84968558644     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (44)

1. A. Appel. Modern Compiler Implementation in ML. Cambridge University Press, 1998.
2. T. Avgerinos, S. K. Cha, B. L. T. Hao, and D. Brumley. AEG: Automatic exploit generation. In Proceedings of the Network and Distributed System Security Symposium, Feb. 2011.
3. Binary Analysis Platform (BAP). http://bap.ece. cmu.edu.
4. D. Blazakis. Interpreter exploitation. In Proceedings of the USENIX Workshop on Offensive Technologies, 2010.
5. D. Brumley, P. Poosankam, D. Song, and J. Zheng. Automatic patch-based exploit generation is possible: Techniques and implications. In Proceedings of the IEEE Symposium on Security and Privacy, May 2008.
6. E. Buchanan, R. Roemer, H. Shacham, and S. Savage. When good instructions go bad: Generalizing returnoriented programming to RISC. In Proceedings of the ACM Conference on Computer and Communications Security, pages 27-38, 2008.
7. C. Cadar, D. Dunbar, and D. Engler. Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the USENIX Symposium on Operating System Design and Implementation, 2008.
8. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In Proceedings of the ACM Conference on Computer and Communications Security, 2010.
9. S. Checkoway, J. A. Halderman, U. Michigan, A. J. Feldman, E.W. Felten, B. Kantor, and H. Shacham. Can DREs provide long-lasting security? The case of return-oriented programming and the AVC advantage. In Proceedings of the Electronic Voting Technology Workshop/Workshop on Trustworthy Elections, Aug. 2009.
10. P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie. DROP: Detecting return-oriented programming malicious code. In Proceedings of the Information Systems Security Conference, 2009.
11. J. Clause, W. Li, and A. Orso. Dytan: A generic dynamic taint analysis framework. In International Symposium on Software Testing and Analysis, pages 196-206, New York, NY, USA, 2007. ACM.
12. L. Davi, A.-R. Sadeghi, and M. Winandy. Dynamic integrity measurement and attestation: Towards defense against return-oriented programming attacks. In Proceedings of the ACM workshop on Scalable Trusted Computing, 2009.
13. L. Davi, A.-R. Sadeghi, and M. Winandy. ROPdefender: A detection tool to defend against return-oriented programming attacks. In Proceedings of the ACM Symposium on Information, Computer, and Communication Security, 2011.
14. Debian Developers. Debian hardening. http: //wiki.debian.org/Hardening?action= recall&rev=34. Accessed: August 8th, 2010.
15. E. Dijkstra. A Discipline of Programming. Prentice Hall, Englewood Cliffs, NJ, 1976.
16. T. Dullien and T. Kornau. A framework for automated architecture-independent gadget search. In Proceedings of the USENIX Workshop on Offensive Technologies, Aug. 2010.
17. C. Flanagan and J. Saxe. Avoiding exponential explosion: Generating compact verification conditions. In Proceedings of the Symposium on Principles of Programming Languages, 2001.
18. V. Ganapathy, S. A. Seshia, S. Jha, T. W. Reps, and R. E. Bryant. Automatic discovery of api-level exploits. In Proceedings of the International Conference on Software Engineering (ICSE), May 2005.
19. V. Ganesh and D. L. Dill. A decision procedure for bitvectors and arrays. In Proceedings of the Conference on Computer Aided Verification, pages 524-536, July 2007.
20. S. Heelan. Automatic generation of control flow hijacking exploits for software vulnerabilities. Master's thesis, University of Oxford, 2009.
21. R. Hund, T. Holz, and F. C. Freiling. Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In Proceedings of the USENIX Security Symposium, 2009.
22. Intel Corporation. Intel 64 and IA-32 architectures software developer's manual - volume 3A: System programming guide, part 1. Document number 253668, 2010.
23. I. Jager and D. Brumley. Efficient directionless weakest preconditions. Technical Report CMU-CyLab-10-002, Carnegie Mellon University, CyLab, Feb. 2010.
24. T. Kornau. Return oriented programming for the arm architecture. Master's thesis, Ruhr-Universität Bochum, 2009.
25. S. Krahmer. x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique. http: //www.suse.de/-krahmer/no-nx.pdf, 2005.
26. Z. Lin, X. Zhang, and D. Xu. Convicting exploitable software vulnerabilities: An efficient input provenance based approach. In International Conference on Dependable Systems and Networks, 2008.
27. L. D. Long. Payload already inside: Data re-use for ROP exploits. Technical report, Blackhat, 2010.
28. C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: Building customized program analysis tools with dynamic instrumentation. In Proceedings of the ACM Conference on Programming Language Design and Implementation, June 2005.
29. Microsoft Software Developer Network. Windows vista ISV security. http://msdn.microsoft.com/ en-us/library/bb430720.aspx.
30. Microsoft Support. A detailed description of the data execution prevention (dep) feature in windows xp service pack 2, windows xp tablet pc edition 2005, and windows server 2003. http://support.microsoft.com/ kb/875352/EN-US/.
31. I. Molnar. exec-shield linux patch. http://people. redhat.com/mingo/exec-shield/.
32. T. Müller. ASLR smack & laugh reference. Technical report, RWTH-Aachen University, 2008. http://www-users.rwth-aachen.de/Tilo. Mueller/ASLRpaper.pdf.
33. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the Network and Distributed System Security Symposium, Feb. 2005.
34. PaX Team. Pax address space layout randomization (aslr). http://pax.grsecurity.net/docs/ aslr.txt.
35. PaX Team. Pax non-executable stack (nx). http:// pax.grsecurity.net/docs/noexec.txt.
36. A. R. Pop. DEP/ASLR implementation progress in popular third-party windows applications. http://secunia. com/gfx/pdf/DEP_ASLR_2010_paper.pdf, 2010. Secunia.
37. M. Prasad and T. cker Chiueh. A binary rewriting defense again stack-based buffer overflow attacks. In Proceedings of the USENIX Annual Technical Conference, 2003.
38. R. G. Roemer. Finding the bad in good code: Automated return-oriented programming exploit discovery. Master's thesis, University of California, San Diego, 2009.
39. G. F. Roglia, L. Martignoni, R. Paleari, and D. Bruschi. Surgically returning to randomized lib(c). In Proceedings of the Annual Computer Security Applications Conference, pages 60-69, 2009.
40. E. J. Schwartz, T. Avgerinos, and D. Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proceedings of the IEEE Symposium on Security and Privacy, pages 317-331, May 2010.
41. H. Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the ACM Conference on Computer and Communications Security, 2007.
42. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In Proceedings of the ACM Conference on Computer and Communications Security, pages 298-307, 2004.
43. A. Sotirov and M. Dowd. Bypassing browser memory protections. Technical report, Blackhat, 2008. http://taossa.com/archive/ bh08sotirovdowd.pdf.
44. Ubuntu Developers. Ubuntu security/features. https://wiki.ubuntu.com/Security/ Features?action=recall&rev=52. Accessed: August 8th, 2010.