Abstract
Unsafe programming systems are still very popular, despite the shortcomings due to several published memory-corruption vulnerabilities. Toward defending memory corruption, compilers have started to employ advanced software hardening such as Control-flow Integrity (CFI) and SafeStack. However, there is a broad interest for realizing compilers that impose memory safety with no heavy runtime support (e.g., garbage collection). Representative examples of this category are Rust and Go, which enforce memory safety primarily statically at compile time.
Software hardening and Rust/Go are promising directions for defending memory corruption, albeit combining the two is questionable. In this article, we consider hardened mixed binaries, i.e., machine code that has been produced from different compilers and, in particular, from hardened C/C++ and Rust/Go (e.g., Mozilla Firefox, Dropbox, npm, and Docker). Our analysis is focused on Mozilla Firefox, which outsources significant code to Rust and is open source with known public vulnerabilities (with assigned CVE). Furthermore, we extend our analysis in mixed binaries that leverage Go, and we derive similar results.
The attacks explored in this article do not exploit Rust or Go binaries that depend on some legacy (vulnerable) C/C++ code. In contrast, we explore how Rust/Go compiled code can stand as a vehicle for bypassing hardening in C/C++ code. In particular, we discuss CFI and SafeStack, which are available in the latest Clang. Our assessment concludes that CFI can be completely nullified through Rust or Go code by constructing much simpler attacks than state-of-the-art CFI bypasses.
- [n.d.]. American Fuzzy Lop. Retrieved November 2019 from http://lcamtuf.coredump.cx/afl.Google Scholar
- [n.d.]. Clang—Control flow integrity. Retrieved November 2019 from https://clang.llvm.org/docs/ControlFlowIntegrity.html.Google Scholar
- [n.d.]. Clang - safestack. Retrieved November 2019 from https://clang.llvm.org/docs/SafeStack.html.Google Scholar
- [n.d.]. Go Channels. Retrieved May 2020 from https://tour.golang.org/concurrency/2.Google Scholar
- [n.d.]. Go Closures. Retrieved May 2020 from https://tour.golang.org/moretypes/25.Google Scholar
- [n.d.]. Go Goroutines. Retrieved May 2020 from https://tour.golang.org/concurrency/1.Google Scholar
- [n.d.]. Go Interfaces. Retrieved May 2020 from https://tour.golang.org/methods/9.Google Scholar
- [n.d.]. Go-stats. Retrieved May 2020 from https://github.com/segmentio/go-stats.Google Scholar
- [n.d.]. Golang. Retrieved May 2020 from https://golang.org/.Google Scholar
- [n.d.]. Kernel Control Flow Integrity. Retrieved November 2019 from https://source.android.com/devices/tech/debug/kcfi.Google Scholar
- [n.d.]. Mozilla Research—Rust. Retrieved from https://research.mozilla.org/rust/.Google Scholar
- [n.d.]. Rust in Production. Retrieved January 2020 from https://www.rust-lang.org/production.Google Scholar
- [n.d.]. Stack Overflow: Developer Survey Results 2020. Retrieved August 2020 from https://insights.stackoverflow.com/survey/2020.Google Scholar
- 2010. Kraken JavaScript Benchmark. Retrieved November 2019 from https://krakenbenchmark.mozilla.org/kraken-1.1/driver.html.Google Scholar
- 2014. Memory exploit mitigations #15179. Retrieved from https://github.com/rust-lang/rust/issues/15179.Google Scholar
- 2014. RFC: Memory exploit mitigation #145. Retrieved from https://github.com/rust-lang/rfcs/pull/145.Google Scholar
- 2014. Sanitize memory and CPU registers for sensitive data #17046. Retrieved from https://github.com/rust-lang/rust/issues/17046.Google Scholar
- 2015. Strengths and weaknesses of LLVM’s safestack buffer overflow protection. Retrieved November 2019 from http://blog.includesecurity.com/2015/11/LLVM-SafeStack-buffer-overflowprotection.html.Google Scholar
- 2015. Update LLVM and add the safestack attribute to all generated functions. #26612. Retrieved from https://github.com/rust-lang/rust/issues/26612.Google Scholar
- 2017. Disarming control flow guard using advanced code reuse attacks. Retrieved March 2019 https://www.endgame.com/blog/technical-blog/disarming-control-flow-guard-using-advanced-code-reuse-attacks.Google Scholar
- 2017. Safe Rust code miscompilation due to a bug in LLVM’s Global Value Numbering #45839. Retrieved March 2019 from https://github.com/rust-lang/rust/issues/45839, last accessed in March 2019.Google Scholar
- 2018. CVE-2018-6126: Heap buffer overflow rasterizing paths in SVG with Skia. Retrieved from https://bugzilla.mozilla.org/show_bug.cgi?id=1462682.Google Scholar
- 2018. Enabling Windows exploit mitigations by default in Rust programs? Retrieved March 2019 from https://internals.rust-lang.org/t/enabling-windows-exploit-mitigations-by-default-in-rust-programs/8716.Google Scholar
- 2019. As input parameters. Retrieved November 2019 from https://doc.rust-lang.org/rust-by-example/fn/closures/input_parameters.html.Google Scholar
- 2019. Closures. Retrieved November 2019 from https://doc.rust-lang.org/rust-by-example/fn/closures.html.Google Scholar
- 2019. Community makes Rust an easy choice for npm. Retrieved January 2020 from https://www.rust-lang.org/static/pdfs/Rust-npm-Whitepaper.pdf.Google Scholar
- 2019. GDB: The GNU Project Debugger. Retrieved November 2019 from https://www.gnu.org/software/gdb.Google Scholar
- 2019. Implications of rewriting a browser component in rust. Retrieved from https://hacks.mozilla.org/2019/02/rewriting-a-browser-component-in-rust/.Google Scholar
- 2019. Multiprocess Firefox. Retrieved from https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Multiprocess_Firefox.Google Scholar
- 2019. Rust—Foreign function interface. Retrieved November 2019 from https://doc.rust-lang.org/nomicon/ffi.html.Google Scholar
- 2019. Rust 2019: Security. Retrieved from https://snf.github.io/2019/01/10/rust-2019-security/.Google Scholar
- 2019. The rust programming language. Retrieved November 2019 from https://doc.rust-lang.org/book/.Google Scholar
- Aaron Turon. 2019. Abstraction without overhead: Traits in rust. Retrieved November 2019 from https://blog.rust-lang.org/2015/05/11/traits.html.Google Scholar
- Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. 2005. Control-flow integrity. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’05). 340--353. Google Scholar
Digital Library
- Periklis Akritidis. 2010. Cling: A memory allocator to mitigate dangling pointers. In Proceedings of the USENIX Security Symposium (USENIX SEC’10). 177--192. Google Scholar
Digital Library
- Hussain M. J. Almohri and David Evans. 2018. Fidelius charm: Isolating unsafe rust code. In Proceedings of the 8th ACM Conference on Data and Application Security and Privacy (CODASPY’18). ACM, New York, NY, 248--255. DOI:https://doi.org/10.1145/3176258.3176330 Google Scholar
Digital Library
- Starr Andersen and Vincent Abella. 2004. Changes to functionality in Microsoft Windows XP Service Pack 2, Part 3: Memory protection technologies, data execution prevention. Microsoft TechNet Library. Retrieved from http://technet.microsoft.com/en-us/library/bb457155.aspx.Google Scholar
- Dennis Andriesse, Xi Chen, Victor van der Veen, Asia Slowinska, and Herbert Bos. 2016. An in-depth analysis of disassembly on full-scale x86/x64 binaries. In Proceedings of the 25th USENIX Security Symposium (USENIX SEC’16). Google Scholar
Digital Library
- Cornelius Aschermann, Tommaso Frassetto, Thorsten Holz, Patrick Jauernig, Ahmad-Reza Sadeghi, and Daniel Teuchert. 2019. NAUTILUS: Fishing for deep bugs with grammars. In Proceedings of the Network and Distributed System Security Symposium (NDSS’19).Google Scholar
Cross Ref
- Cornelius Aschermann, Sergej Schumilo, Tim Blazytko, Robert Gawlik, and Thorsten Holz. 2019. REDQUEEN: Fuzzing with input-to-state correspondence. In Proceedings of the Network and Distributed System Security Symposium (NDSS’19).Google Scholar
Cross Ref
- Michalis Athanasakis, Elias Athanasopoulos, Michalis Polychronakis, Georgios Portokalidis, and Sotiris Ioannidis. 2015. The devil is in the constants: Bypassing defenses in browser JIT engines. In Proceedings of the Network and Distributed System Security Symposium (NDSS’15). The Internet Society.Google Scholar
Cross Ref
- Abhiram Balasubramanian, Marek S. Baranowski, Anton Burtsev, Aurojit Panda, Zvonimir Rakamari, and Leonid Ryzhyk. 2017. System programming in rust: Beyond safety. SIGOPS Oper. Syst. Rev. 51, 1 (September 2017), 94--99. DOI:https://doi.org/10.1145/3139645.3139660 Google Scholar
Digital Library
- Emery D. Berger and Benjamin G. Zorn. 2006. DieHard: Probabilistic memory safety for unsafe languages. In Proceedings of the ACM Programming Language Design and Implementation Conference (PLDI’06). 158--168. Google Scholar
Digital Library
- Vincent Blanchon. [n.d.]. Go: Memory Safety with Bounds Check. Retrieved May 2020 from https://medium.com/a-journey-with-go/go-memory-safety-with-bounds-check-1397bef748b5.Google Scholar
- Nicolas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross. 2015. Control-flow bending: On the effectiveness of control-flow integrity. In Proceedings of the USENIX Security Symposium (USENIX SEC’15). 161--176. Google Scholar
Digital Library
- Crispin Cowan, Calton Pu, Dave Maier, Heather Hinton, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, et al. 1998. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Symposium, Vol. 81. 346--355. Google Scholar
Digital Library
- Lucas Davi, Ahmad-Reza Sadeghi, Daniel Lehmann, and Fabian Monrose. 2014. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In Proceedings of the USENIX Security Symposium (USENIX SEC’14). 401--416. Google Scholar
Digital Library
- Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, and Stelios Sidiroglou-Douskos. 2015. Control jujutsu: On the weaknesses of fine-grained control flow integrity. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS’15). ACM, New York, NY, 901--913. DOI:https://doi.org/10.1145/2810103.2813646 Google Scholar
Digital Library
- Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, and Stelios Sidiroglou-Douskos. 2015. Control jujutsu: On the weaknesses of fine-grained control flow integrity. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’15). 901--913. Google Scholar
Digital Library
- Enes Göktaş, Elias Athanasopoulos, Herbert Bos, and Georgios Portokalidis. 2014. Out Of control: Overcoming control-flow integrity. In Proceedings of the IEEE Symposium on Security and Privacy (S8P’14). 575--589. Google Scholar
Digital Library
- Enes Goktas, Angelos Oikonomopoulos, Robert Gawlik, Benjamin Kollenda, Elias Athanasopoulos, Georgios Portokalidis, Cristiano Giuffrida, and Herbert Bos. 2016. Bypassing clang’s safestack for fun and profit. In Proceedings of the Black Hat Europe Conference (Black Hat Europe’16).Google Scholar
- Istvan Haller, Enes Göktaş, Elias Athanasopoulos, Georgios Portokalidis, and Herbert Bos. 2015. ShrinkWrap: VTable protection without loose ends. In Proceedings of the Annual Computer Security Applications Conference (ACSAC’15). ACM, 341--350. Google Scholar
Digital Library
- Rick Hudson. 2018. Getting to go: The journey of go’s garbage collector. Retrieved May 2020 from https://blog.golang.org/ismmkeynote.Google Scholar
- Dongseok Jang, Zachary Tatlock, and Sorin Lerner. 2014. SafeDispatch: Securing c++ virtual calls from memory corruption attacks. In Proceedings of the Network and Distributed System Security Symposium (NDSS’14). The Internet Society.Google Scholar
Cross Ref
- Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2017. RustBelt: Securing the foundations of the rust programming language. Proc. ACM Program. Lang. 2, Article 66 (December 2017), 34 pages. DOI:https://doi.org/10.1145/3158154 Google Scholar
Digital Library
- Kuznetsov, Volodymyr and Szekeres, László and Payer, Mathias and Candea, George and Sekar, R. and Song, Dawn. 2014. Code-pointer integrity. In Proceedings of the 11th USENIX Conference on Operating Systems Design and Implementation (OSDI’14). USENIX Association, Berkeley, CA, 147--163. http://dl.acm.org/citation.cfm?id=2685048.2685061 Google Scholar
Digital Library
- Julian Lettner, Benjamin Kollenda, Andrei Homescu, Per Larsen, Felix Schuster, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz, and Michael Franz. 2016. Subversive-C: Abusing and protecting dynamic message dispatch. In Proceedings of the USENIX Annual Technical Conference (USENIX ATC’16). 209--221. Google Scholar
Digital Library
- Giorgi Maisuradze, Michael Backes, and Christian Rossow. 2017. Dachshund: Digging for and securing (non-)blinded constants in JIT code. In Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS’17).Google Scholar
Cross Ref
- Nicholas D. Matsakis and Felix S. Klock, II. 2014. The rust language. Ada Lett. 34, 3 (October 2014), 103--104. DOI:https://doi.org/10.1145/2692956.2663188 Google Scholar
Digital Library
- Leo A. Meyerovich and Ariel S. Rabkin. 2013. Empirical analysis of programming language adoption. In Proceedings of the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages Applications (OOPSLA’13). ACM, New York, NY, 1--18. DOI:https://doi.org/10.1145/2509136.2509515 Google Scholar
Digital Library
- Dongliang Mu, Alejandro Cuevas, Limin Yang, Hang Hu, Xinyu Xing, Bing Mao, and Gang Wang. 2018. Understanding the reproducibility of crowd-reported security vulnerabilities. In Proceedings of the 27th USENIX Security Symposium (USENIX Security’18). USENIX Association, Baltimore, MD, 919--936. Google Scholar
Digital Library
- Santosh Nagarakatte, Jianzhou Zhao, Milo M. K. Martin, and Steve Zdancewic. 2009. SoftBound: Highly compatible and complete spatial memory safety for C. ACM Sigplan Not. 44, 6 (2009), 245--258. Google Scholar
Digital Library
- Santosh Nagarakatte, Jianzhou Zhao, Milo M. K. Martin, and Steve Zdancewic. 2010. CETS: Compiler-enforced temporal safety for C. In Proceedings of the ACM SIGPLAN International Symposium on Memory Management (ISMM’10). 31--40. Google Scholar
Digital Library
- Gene Novark and Emery D. Berger. 2010. DieHarder: Securing the heap. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’10). 573--584. Google Scholar
Digital Library
- Angelos Oikonomopoulos, Elias Athanasopoulos, Herbert Bos, and Cristiano Giuffrida. 2016. Poking holes in information hiding. In Proceedings of the 25th USENIX Security Symposium (USENIX Security’16). USENIX Association, Berkeley CA, 121--138. Google Scholar
Digital Library
- PaX Team. 2003. Address Space Layout Randomization (ASLR). Retrieved from http://pax.grsecurity.net/docs/aslr.txt.Google Scholar
- Mathias Payer. 2012. Too much PIE is bad for performance. Technical Report 766 (2012).Google Scholar
- Eric Christopher Reed. 2015. Patina: A formalization of the rust programming language. Master’s Thesis. University of Washington (2015).Google Scholar
- Robert Rudd, Richard Skowyra, David Bigelow, Veer Dedhia, Thomas Hobson, Stephen Crane, Christopher Liebchen, Per Larsen, Lucas Davi, Michael Franz, Ahmad-Reza Sadeghi, and Hamed Okhravi. 2017. Address oblivious code reuse: On the effectiveness of leakage resilient diversity. In Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS’17).Google Scholar
Cross Ref
- Felix Schuster, Thomas Tendyck, Christopher Liebchen, Lucas Davi, Ahmad-Reza Sadeghi, and Thorsten Holz. 2015. Counterfeit object-oriented programming: On the difficulty of preventing code reuse attacks in c++ applications. In Proceedings of the IEEE Symposium on Security and Privacy (S8P’15). Google Scholar
Digital Library
- Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitry Vyukov. 2012. AddressSanitizer: A fast address sanity checker. In Proceedings of the USENIX Annual Technical Conference (USENIX ATC’12). 309--318. Google Scholar
Digital Library
- Hovav Shacham. 2007. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM Conference on Computer and Communications Security. 552--61. Google Scholar
Digital Library
- Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. 2013. SoK: Eternal war in memory. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (S8P’13). IEEE Computer Society, Los Alamitos, CA, 48--62. DOI:https://doi.org/10.1109/SP.2013.13 Google Scholar
Digital Library
- Theofilos Petsios. 2019. Millions of Binaries Later: A Look Into Linux Hardening in the Wild. Retrieved November 2019 from https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/.Google Scholar
- Caroline Tice, Tom Roeder, Peter Collingbourne, Stephen Checkoway, Úlfar Erlingsson, Luis Lozano, and Geoff Pike. 2014. Enforcing forward-edge control-flow integrity in GCC 8 LLVM. In Proceedings of the USENIX Security Symposium (USENIX SEC’14). 941--955. Google Scholar
Digital Library
- Victor van der Veen, Enes Göktaş, Moritz Contag, Andre Pawloski, Xi Chen, Sanjay Rawat, Herbert Bos, Thorsten Holz, Elias Athanasopoulos, and Cristiano Giuffrida. 2016. A tough call: Mitigating advanced code-reuse attacks at the binary level. In Proceedings of the IEEE Symposium on Security and Privacy (S8P’16). 934--953.Google Scholar
Cross Ref
- Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, L. Szekeres, S. McCamant, D. Song, and Wei Zou. 2013. Practical control flow integrity 8 randomization for binary executables. In Proceedings of the IEEE Symposium on Security and Privacy (S8P’13). 559--573. Google Scholar
Digital Library
- Mingwei Zhang and R. Sekar. 2013. Control flow integrity for COTS binaries. In Proceedings of the USENIX Security Symposium (USENIX SEC’13). 337--352. Google Scholar
Digital Library
Index Terms
Exploiting Mixed Binaries
Recommendations
Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications
SP '15: Proceedings of the 2015 IEEE Symposium on Security and PrivacyCode reuse attacks such as return-oriented programming (ROP) have become prevalent techniques to exploit memory corruption vulnerabilities in software programs. A variety of corresponding defenses has been proposed, of which some have already been ...
LMP: light-weighted memory protection with hardware assistance
ACSAC '16: Proceedings of the 32nd Annual Conference on Computer Security ApplicationsDespite a long history and numerous proposed defenses, memory corruption attacks are still viable. A secure and low-overhead defense against return-oriented programming (ROP) continues to elude the security community. Currently proposed solutions still ...
Analyzing the Gadgets
ESSoS 2016: Proceedings of the 8th International Symposium on Engineering Secure Software and Systems - Volume 9639Current low-level exploits often rely on code-reuse, whereby short sections of code gadgets are chained together into a coherent exploit that can be executed without the need to inject any code. Several protection mechanisms attempt to eliminate this ...






Comments