Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks

Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016

Volumn , Issue , 2016, Pages 969-986

  Hu, Hong ^a   Shinde, Shweta ^a   Adrian, Sendroiu ^a   Chua, Zheng Leong ^a   Saxena, Prateek ^a   Liang, Zhenkai ^a  

^a NATIONAL UNIVERSITY OF SINGAPORE   (Singapore)

Author keywords

[No Author keywords available]

Indexed keywords

BUILDING BLOCKES; EXPERIMENTAL EVALUATION; EXPRESSIVE POWER; INFORMATION LEAKAGE; NON-CONTROL DATA ATTACKS; PROGRAM MEMORY; REAL WORLD PROJECTS; TURING-COMPLETE;

EID: 84987597669     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2016.62     Document Type: Conference Paper

References (65)

1. H. Shacham, "The Geometry of Innocent Flesh on the Bone: Returninto-libc Without Function Calls (on the x86)," in Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007
2. T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang, "Jump-Oriented Programming: A New Class of Code-reuse Attack," in Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, 2011
3. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy, "Return-Oriented Programming Without Returns," in Proceedings of the 17th ACM Conference on Computer and Communications Security, 2010
4. E. Bosman and H. Bos, "Framing Signals-A Return to Portable Shellcode," in Proceedings of the 35th IEEE Symposium on Security and Privacy, 2014
5. A. Bittau, A. Belay, A. Mashtizadeh, D. Mazieres, and D. Boneh, "Hacking Blind," in Proceedings of the 35th IEEE Symposium on Security and Privacy, 2014
6. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, "Control-Flow Integrity," in Proceedings of the 12th ACM Conference on Computer and Communications Security, 2005
7. C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, U. Erlingsson, L. Lozano, and G. Pike, "Enforcing Forward-Edge Control-Flow Integrity in GCC &LLVM," in Proceedings of the 23rd USENIX Security Symposium, 2014
8. M. Zhang and R. Sekar, "Control Flow Integrity for COTS Binaries," in Proceedings of the 22nd USENIX Security Symposium, 2013
9. C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou, "Practical Control Flow Integrity and Randomization for Binary Executables," in Proceedings of the 34th IEEE Symposium on Security and Privacy, 2013
10. B. Niu and G. Tan, "Per-Input Control-Flow Integrity," in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015
11. V. Veen, D. Andriesse, E. Goktas, B. Gras, L. Sambuc, A. Slowinska, H. Bos, and C. Giuffrida, "Practical Context-Sensitive CFI," in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015
12. A. J. Mashtizadeh, A. Bittau, D. Boneh, and D. Mazieres, "CCFI: Cryptographically Enforced Control Flow Integrity," in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015
13. V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song, "Code-pointer Integrity," in Proceedings of the 11th USENIX Conference on Operating Systems Design and Implementation, 2014
14. D. Bigelow, T. Hobson, R. Rudd, W. Streilein, and H. Okhravi, "Timely Rerandomization for Mitigating Memory Disclosures," in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015
15. PaX Team, "PaX Address Space Layout Randomization (ASLR)," http: //pax.grsecurity.net/docs/aslr.txt, 2003
16. Microsoft, "Data Execution Prevention (DEP)," 2006, http://support. microsoft.com/kb/875352/EN-US
17. B. Niu and G. Tan, "Modular Control-flow Integrity," in Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, 2014
18. J. Criswell, N. Dautenhahn, and V. Adve, "KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels," in Proceedings of the 35th IEEE Symposium on Security and Privacy, 2014
19. S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer, "Non-Control-Data Attacks Are Realistic Threats," in Proceedings of the 14th USENIX Security Symposium, 2005
20. "The Heartbleed Bug," http://heartbleed.com
21. Yu Yang, "ROPs are for the 99%, CanSecWest 2014," https://cansecwest. com/slides/2014/ROPs are for the 99 CanSecWest 2014.pdf, 2014
22. H. Hu, Z. L. Chua, S. Adrian, P. Saxena, and Z. Liang, "Automatic Generation of Data-Oriented Exploits," in Proceedings of the 24th USENIX Security Symposium, 2015
23. A. Homescu, M. Stewart, P. Larsen, S. Brunthaler, and M. Franz, "Microgadgets: Size Does Matter in Turing-complete Return-oriented Programming," in Proceedings of the 6th USENIX Conference on Offensive Technologies, 2012
24. "SOP Bypass Demos," https://goo.gl/4PfXEg
25. N. Carlini, A. Barresi, M. Payer, D. Wagner, and T. R. Gross, "Control-Flow Bending: On the Effectiveness of Control-Flow Integrity," in Proceedings of the 24th USENIX Security Symposium, 2015
26. C. Planet, "A Eulogy for Format Strings," http://phrack.org/issues/67/9. html
27. Microsoft, " set printf count output," https://msdn.microsoft.com/enus/ library/ms175782.aspx
28. "ProFTPD-Highly configurable GPL-licensed FTP server software," http://www.proftpd.org
29. "WU-FTPD Server," http://www.wu-ftpd.org
30. "Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow," http://mailman.nginx.org/pipermail/nginxannounce/ 2013/000112.html
31. "Bitcoin-Open source P2P money," https://bitcoin.org
32. "SSH Communications Security," www.ssh.com
33. "Wireshark Go Deep." https://www.wireshark.org
34. "Glibc-Gnu," https://www.gnu.org/s/libc
35. "BusyBox," www.busybox.net
36. "musl libc," http://www.musl-libc.org
37. "MCrypt," mcrypt.sourceforge.net
38. "Sudo Main Page," http://www.sudo.ws
39. "Buffer Overflow Vulnerability in UPnP library used by Bitcoin Core," https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6031
40. "musl libc inet pton.c Remote Stack Buffer Overflow Vulnerability," https://security-tracker.debian.org/tracker/CVE-2015-1817
41. "Stack-Based Buffer Overlfow in the MPEG parser in Wireshark," http: //cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2299
42. " nginx: Stack-based Buffer Overflow," https://cve.mitre.org/cgi-bin/ cvename.cgi?name=CVE-2013-2028
43. "Stack-Based Buffer Overflow in Mcrypt," http://cve.mitre.org/cgi-bin/ cvename.cgi?name=CVE-2012-4409
44. "Sudo Format String Vulnerability," http://www.sudo.ws/sudo/alerts/ sudo debug.html, 2012
45. "Stack-Based Buffer Overlfow in the sreplace Function in Proftpd," http: //cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
46. "Integer Overflow Vulnerability in SSH CRC-32 Compensation Attack Detector," https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144
47. "Wu-Ftpd Remote Format String Stack Overwrite Vulnerability," http: //cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0573
48. R. Shapiro, S. Bratus, and S. W. Smith, ""Weird Machines" in ELF: A Spotlight on the Underappreciated Metadata," in Proceedings of the 7th USENIX Conference on Offensive Technologies, 2013
49. S. Crane, C. Liebchen, A. Homescu, L. Davi, P. Larsen, A.-R. Sadeghi, S. Brunthaler, and M. Franz, "Readactor: Practical Code Randomization Resilient to Memory Disclosure," in Proceedings of the 36th IEEE Symposium on Security and Privacy, 2015
50. R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham, "Efficient Software-based Fault Isolation," in Proceedings of the 14th ACM Symposium on Operating Systems Principles, 1993
51. T. Jim, J. G. Morrisett, D. Grossman, M. W. Hicks, J. Cheney, and Y. Wang, "Cyclone: A Safe Dialect of C," in Proceedings of the USENIX Annual Technical Conference, 2002
52. G. C. Necula, S. McPeak, and W. Weimer, "CCured: Type-safe Retrofitting of Legacy Code," in Proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, 2002
53. S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic, "SoftBound: Highly Compatible and Complete Spatial Memory Safety for C," in Proceedings of the 30th ACM SIG-PLAN Conference on Programming Language Design and Implementation, 2009
54. S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic, "CETS: Compiler Enforced Temporal Safety for C," in Proceedings of the 9th International Symposium on Memory Management, 2010
55. P. Akritidis, "Cling: A Memory Allocator to Mitigate Dangling Pointers," in Proceedings of the 19th USENIX Security Symposium, 2010
56. L. Szekeres, M. Payer, T. Wei, and D. Song, "SoK: Eternal War in Memory," in Proceedings of the 34th IEEE Symposium on Security and Privacy, 2013
57. M. Castro, M. Costa, and T. Harris, "Securing Software by Enforcing Data-Flow Integrity," in Proceedings of the 7th Symposium on Operating Systems Design and Implementation, 2006
58. C. Song, B. Lee, K. Lu, W. R. Harris, T. Kim, and W. Lee, "Enforcing Kernel Security Invariants with Data Flow Integrity," in Proceedings of the 23th Annual Network and Distributed System Security Symposium, 2016
59. S. Bhatkar and R. Sekar, "Data Space Randomization," in Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2008
60. P. Chen, J. Xu, Z. Lin, D. Xu, B. Mao, and P. Liu, "A Practical Approach for Adaptive Data Structure Layout Randomization," in Proceedings of the 20th European Symposium on Research in Computer Security, 2015
61. K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi, "Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization," in Proceedings of the 34th IEEE Symposium on Security and Privacy, ser. SP '13, 2013
62. F. Schuster, T. Tendyck, C. Liebchen, L. Davi, A.-R. Sadeghi, and T. Holz, "Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications," in Proceedings of the 36th IEEE Symposium on Security and Privacy, 2015
63. J. Oakley and S. Bratus, "Exploiting the Hard-working DWARF: Trojan and Exploit Techniques with No Native Executable Code," in Proceedings of the 5th USENIX Conference on Offensive Technologies, 2011
64. J. Bangert, S. Bratus, R. Shapiro, and S. W. Smith, "The Page-fault Weird Machine: Lessons in Instruction-less Computation," in Proceedings of the 7th USENIX Conference on Offensive Technologies, 2013
65. M. Rushanan and S. Checkoway, "Run-DMA," in Proceedings of the 9th USENIX Conference on Offensive Technologies, 2015