MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones

19th Annual Network and Distributed System Security Symposium, NDSS 2012

Volumn , Issue , 2012, Pages

  Davi, Lucas ^a   Dmitrienko, Alexandra ^b   Egele, Manuel ^c   Fischer, Thomas ^d   Holz, Thorsten ^d   Hund, Ralf ^d   Nürnberger, Stefan ^a   Sadeghi, Ahmad Reza ^a,b  

^a DARMSTADT UNIVERSITY OF TECHNOLOGY   (Germany)

^b FRAUNHOFER INSTITUTE FOR SECURE INFORMATION TECHNOLOGY SIT   (Germany)

^c UNIVERSITY OF CALIFORNIA   (United States)

^d RUHR UNIVERSITY BOCHUM   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

ARM PROCESSORS;

CODE INJECTION; CONTROL-FLOW; CONTROL-FLOW INTEGRITIES; MOBILE CONTROLS; RETURN-ORIENTED PROGRAMMING; RUNTIMES; SMART PHONES; SMART-PHONE APPLICATIONS; SOFTWARE PROJECT; SOURCE CODES;

SMARTPHONES;

EID: 85180792449     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (48)

1. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-Flow Integrity: Principles, Implementations, and Applications. In ACM Conference on Computer and Communications Security (CCS), 2005.
2. M. Abadi, M. Budiu, U. Erlingsson, G. C. Necula, and M. Vrable. XFI: Software Guards for System Address Spaces. In USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2006.
3. P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. Preventing Memory Error Exploits with WIT. IEEE Symposium on Security and Privacy, 2008.
4. Aleph One. Smashing the Stack for Fun and Profit. Phrack Magazine, 49(14), 1996.
5. Anonymous. Once upon a free. Phrack Magazine, 57(9), 2001.
6. Apple Inc. Manual Page of dyld - the dynamic link editor. http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/dyld.1.html, 2011.
7. Apple Inc. Manual Page of mmap - allocate memory, or map files or devices into memory. http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man2/mmap.2.html, 2011.
8. ARM Limited. Procedure Call Standard for the ARM Architecture. http://infocenter.arm.com/help/topic/com.arm.doc.ihi0042d/IHI0042D-aapcs.pdf, 2009.
9. blexim. Basic Integer Overflows. Phrack Magazine, 60(10), 2002.
10. E. Buchanan, R. Roemer, H. Shacham, and S. Savage. When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC. In ACM Conference on Computer and Communications Security (CCS), 2008.
11. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented Programming Without Returns. In ACM Conference on Computer and Communications Security (CCS), 2010.
12. T. Chiueh and F.-H. Hsu. RAD: A Compile-Time Solution to Buffer Overflow Attacks. In International Conference on Distributed Computing Systems (ICDCS), 2001.
13. comex. http://www.jailbreakme.com//#.
14. C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointguardTM: Protecting Pointers From Buffer Overflow Vulnerabilities. In USENIX Security Symposium, 2003.
15. C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In USENIX Security Symposium, 1998.
16. L. Davi, A.-R. Sadeghi, and M. Winandy. ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks. In ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2011.
17. J. Duart. Objective-C helper script. https://github. com/zynamics/objc-helper-plugin-ida, 2010.
18. A. Edwards, A. Srivastava, and H. Vo. Vulcan Binary Transformation in a Distributed Environment. Technical Report MSR-TR-2001-50, Microsoft Research, 2001.
19. M. Egele, C. Kruegel, E. Kirda, and G. Vigna. PiOS: Detecting Privacy Leaks in iOS Applications. In Symposium on Network and Distributed System Security (NDSS), 2011.
20. A. Francillon and C. Castelluccia. Code Injection Attacks on Harvard-Architecture Devices. In ACM Conference on Computer and Communications Security (CCS), 2008.
21. M. Frantzen and M. Shuey. StackGhost: Hardware Facilitated Stack Protection. In USENIX Security Symposium, 2001.
22. G. Fresi Roglia, L. Martignoni, R. Paleari, and D. Bruschi. Surgically Returning to Randomized lib(c). In Annual Computer Security Applications Conference (ACSAC), 2009.
23. gera. Advances in Format String Exploitation. Phrack Magazine, 59(12), 2002.
24. R. Hund, T. Holz, and F. C. Freiling. Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms. In USENIX Security Symposium, 2009.
25. V. Iozzo and C. Miller. Fun and Games with Mac OS X and iPhone Payloads. In Black Hat Europe, 2009.
26. V. Iozzo and R.-P. Weinmann. PWN2OWN contest. http://blog.zynamics.com/2010/03/24/ralf-philipp-weinmann-vincenzo-iozzo-own-the-iphone-at-pwn2own/, 2010.
27. M. Keith. Android 2.0-2.1 Reverse Shell Exploit, 2010. http://www.exploit-db.com/exploits/15423/.
28. I. King. Will Intel finally crack smartphones? http://www.businessweek.com/magazine/content/11-25/b4233041946230.htm, 2011.
29. V. Kiriansky, D. Bruening, and S. P. Amarasinghe. Secure Execution via Program Shepherding. In USENIX Security Symposium, 2002.
30. T. Kornau. Return Oriented Programming for the ARM Architecture. Master's thesis, Ruhr-University Bochum, 2009.
31. Microsoft. The/SAFESEH compiler flag. http://msdn.microsoft.com/en-us/library/9a89h429%28v=vs.80%29.aspx, 2011.
32. C. Miller and D. D. Zovi. The Mac Hacker's Handbook. Wiley Publishing, 2009.
33. C. Mulliner and C. Miller. Injecting SMS Messages Into Smart Phones for Security Analysis. In USENIX Workshop on Offensive Technologies (WOOT), 2009.
34. Nergal. The Advanced return-into-lib(c) Exploits: PaX Case Study. Phrack Magazine, 58(4), 2001.
35. B. Prince. Security Expert Evades Apple's Mobile Security Measures via iOS Vulnerability. http://s1.securityweek.com/apple-securityexpert-evades-apples-mobile-securitymeasures-ios-vulnerability, 2011.
36. D. Sehr, R. Muth, C. Biffle, V. Khimenko, E. Pasko, K. Schimpf, B. Yee, and B. Chen. Adapting Software Fault Isolation to Contemporary CPU Architectures. In USENIX Security Symposium, 2010.
37. H. Shacham. The Geometry of Innocent Flesh on the Bone: Return-into-libc Without Function Calls (on the x86). In ACM Conference on Computer and Communications Security (CCS), 2007.
38. H. Shacham, E. jin Goh, N. Modadugu, B. Pfaff, and D. Boneh. On the Effectiveness of Address-space Randomization. In ACM Conference on Computer and Communications Security (CCS), 2004.
39. Solar Designer. "return-to-libc" attack. Bugtraq, 1997.
40. A. Sotirov and M. Dowd. Bypassing Browser Memory Protections in Windows Vista - Setting back browser security by 10 years. http://www.phreedom.org/research/bypassing-browser-memory-protections/, 2008.
41. R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient Software-based Fault Isolation. ACM SIGOPS Operating Systems Review, 27(5), 1993.
42. Z. Wang and X. Jiang. HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity. In IEEE Symposium on Security and Privacy, 2010.
43. R.-P. Weinmann. All Your Baseband Are Belong To Us. hack.lu, 2010. http://2010.hack.lu/archive/2010/Weinmann-All-Your-Baseband-Are-Belong-To-Us-slides.pdf.
44. S. Winwood and M. Chakravarty. Secure Untrusted Binaries - Provably! In 3rd international workshop on formal aspects in security and trust, 2006.
45. R. Wojtczuk. Defeating Solar Designer's Non-executable Stack Patch. http://insecure.org/sploits/non-executable.stack.problems.html, 1998.
46. B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native Client: A Sandbox for Portable, Untrusted x86 Native Code. IEEE Symposium on Security and Privacy, 2009.
47. B. Zeng, G. Tan, and G. Morrisett. Combining control-flow integrity and static analysis for efficient and validated data sandboxing. In ACM Conference on Computer and Communications Security (CCS). ACM, 2011.
48. D. D. Zovi. Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption. In Black Hat USA, 2011.