skip to main content
research-article
Open Access

Exploiting Mixed Binaries

Published:02 January 2021Publication History
Skip Abstract Section

Abstract

Unsafe programming systems are still very popular, despite the shortcomings due to several published memory-corruption vulnerabilities. Toward defending memory corruption, compilers have started to employ advanced software hardening such as Control-flow Integrity (CFI) and SafeStack. However, there is a broad interest for realizing compilers that impose memory safety with no heavy runtime support (e.g., garbage collection). Representative examples of this category are Rust and Go, which enforce memory safety primarily statically at compile time.

Software hardening and Rust/Go are promising directions for defending memory corruption, albeit combining the two is questionable. In this article, we consider hardened mixed binaries, i.e., machine code that has been produced from different compilers and, in particular, from hardened C/C++ and Rust/Go (e.g., Mozilla Firefox, Dropbox, npm, and Docker). Our analysis is focused on Mozilla Firefox, which outsources significant code to Rust and is open source with known public vulnerabilities (with assigned CVE). Furthermore, we extend our analysis in mixed binaries that leverage Go, and we derive similar results.

The attacks explored in this article do not exploit Rust or Go binaries that depend on some legacy (vulnerable) C/C++ code. In contrast, we explore how Rust/Go compiled code can stand as a vehicle for bypassing hardening in C/C++ code. In particular, we discuss CFI and SafeStack, which are available in the latest Clang. Our assessment concludes that CFI can be completely nullified through Rust or Go code by constructing much simpler attacks than state-of-the-art CFI bypasses.

References

  1. [n.d.]. American Fuzzy Lop. Retrieved November 2019 from http://lcamtuf.coredump.cx/afl.Google ScholarGoogle Scholar
  2. [n.d.]. Clang—Control flow integrity. Retrieved November 2019 from https://clang.llvm.org/docs/ControlFlowIntegrity.html.Google ScholarGoogle Scholar
  3. [n.d.]. Clang - safestack. Retrieved November 2019 from https://clang.llvm.org/docs/SafeStack.html.Google ScholarGoogle Scholar
  4. [n.d.]. Go Channels. Retrieved May 2020 from https://tour.golang.org/concurrency/2.Google ScholarGoogle Scholar
  5. [n.d.]. Go Closures. Retrieved May 2020 from https://tour.golang.org/moretypes/25.Google ScholarGoogle Scholar
  6. [n.d.]. Go Goroutines. Retrieved May 2020 from https://tour.golang.org/concurrency/1.Google ScholarGoogle Scholar
  7. [n.d.]. Go Interfaces. Retrieved May 2020 from https://tour.golang.org/methods/9.Google ScholarGoogle Scholar
  8. [n.d.]. Go-stats. Retrieved May 2020 from https://github.com/segmentio/go-stats.Google ScholarGoogle Scholar
  9. [n.d.]. Golang. Retrieved May 2020 from https://golang.org/.Google ScholarGoogle Scholar
  10. [n.d.]. Kernel Control Flow Integrity. Retrieved November 2019 from https://source.android.com/devices/tech/debug/kcfi.Google ScholarGoogle Scholar
  11. [n.d.]. Mozilla Research—Rust. Retrieved from https://research.mozilla.org/rust/.Google ScholarGoogle Scholar
  12. [n.d.]. Rust in Production. Retrieved January 2020 from https://www.rust-lang.org/production.Google ScholarGoogle Scholar
  13. [n.d.]. Stack Overflow: Developer Survey Results 2020. Retrieved August 2020 from https://insights.stackoverflow.com/survey/2020.Google ScholarGoogle Scholar
  14. 2010. Kraken JavaScript Benchmark. Retrieved November 2019 from https://krakenbenchmark.mozilla.org/kraken-1.1/driver.html.Google ScholarGoogle Scholar
  15. 2014. Memory exploit mitigations #15179. Retrieved from https://github.com/rust-lang/rust/issues/15179.Google ScholarGoogle Scholar
  16. 2014. RFC: Memory exploit mitigation #145. Retrieved from https://github.com/rust-lang/rfcs/pull/145.Google ScholarGoogle Scholar
  17. 2014. Sanitize memory and CPU registers for sensitive data #17046. Retrieved from https://github.com/rust-lang/rust/issues/17046.Google ScholarGoogle Scholar
  18. 2015. Strengths and weaknesses of LLVM’s safestack buffer overflow protection. Retrieved November 2019 from http://blog.includesecurity.com/2015/11/LLVM-SafeStack-buffer-overflowprotection.html.Google ScholarGoogle Scholar
  19. 2015. Update LLVM and add the safestack attribute to all generated functions. #26612. Retrieved from https://github.com/rust-lang/rust/issues/26612.Google ScholarGoogle Scholar
  20. 2017. Disarming control flow guard using advanced code reuse attacks. Retrieved March 2019 https://www.endgame.com/blog/technical-blog/disarming-control-flow-guard-using-advanced-code-reuse-attacks.Google ScholarGoogle Scholar
  21. 2017. Safe Rust code miscompilation due to a bug in LLVM’s Global Value Numbering #45839. Retrieved March 2019 from https://github.com/rust-lang/rust/issues/45839, last accessed in March 2019.Google ScholarGoogle Scholar
  22. 2018. CVE-2018-6126: Heap buffer overflow rasterizing paths in SVG with Skia. Retrieved from https://bugzilla.mozilla.org/show_bug.cgi?id=1462682.Google ScholarGoogle Scholar
  23. 2018. Enabling Windows exploit mitigations by default in Rust programs? Retrieved March 2019 from https://internals.rust-lang.org/t/enabling-windows-exploit-mitigations-by-default-in-rust-programs/8716.Google ScholarGoogle Scholar
  24. 2019. As input parameters. Retrieved November 2019 from https://doc.rust-lang.org/rust-by-example/fn/closures/input_parameters.html.Google ScholarGoogle Scholar
  25. 2019. Closures. Retrieved November 2019 from https://doc.rust-lang.org/rust-by-example/fn/closures.html.Google ScholarGoogle Scholar
  26. 2019. Community makes Rust an easy choice for npm. Retrieved January 2020 from https://www.rust-lang.org/static/pdfs/Rust-npm-Whitepaper.pdf.Google ScholarGoogle Scholar
  27. 2019. GDB: The GNU Project Debugger. Retrieved November 2019 from https://www.gnu.org/software/gdb.Google ScholarGoogle Scholar
  28. 2019. Implications of rewriting a browser component in rust. Retrieved from https://hacks.mozilla.org/2019/02/rewriting-a-browser-component-in-rust/.Google ScholarGoogle Scholar
  29. 2019. Multiprocess Firefox. Retrieved from https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Multiprocess_Firefox.Google ScholarGoogle Scholar
  30. 2019. Rust—Foreign function interface. Retrieved November 2019 from https://doc.rust-lang.org/nomicon/ffi.html.Google ScholarGoogle Scholar
  31. 2019. Rust 2019: Security. Retrieved from https://snf.github.io/2019/01/10/rust-2019-security/.Google ScholarGoogle Scholar
  32. 2019. The rust programming language. Retrieved November 2019 from https://doc.rust-lang.org/book/.Google ScholarGoogle Scholar
  33. Aaron Turon. 2019. Abstraction without overhead: Traits in rust. Retrieved November 2019 from https://blog.rust-lang.org/2015/05/11/traits.html.Google ScholarGoogle Scholar
  34. Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. 2005. Control-flow integrity. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’05). 340--353. Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. Periklis Akritidis. 2010. Cling: A memory allocator to mitigate dangling pointers. In Proceedings of the USENIX Security Symposium (USENIX SEC’10). 177--192. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Hussain M. J. Almohri and David Evans. 2018. Fidelius charm: Isolating unsafe rust code. In Proceedings of the 8th ACM Conference on Data and Application Security and Privacy (CODASPY’18). ACM, New York, NY, 248--255. DOI:https://doi.org/10.1145/3176258.3176330 Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. Starr Andersen and Vincent Abella. 2004. Changes to functionality in Microsoft Windows XP Service Pack 2, Part 3: Memory protection technologies, data execution prevention. Microsoft TechNet Library. Retrieved from http://technet.microsoft.com/en-us/library/bb457155.aspx.Google ScholarGoogle Scholar
  38. Dennis Andriesse, Xi Chen, Victor van der Veen, Asia Slowinska, and Herbert Bos. 2016. An in-depth analysis of disassembly on full-scale x86/x64 binaries. In Proceedings of the 25th USENIX Security Symposium (USENIX SEC’16). Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. Cornelius Aschermann, Tommaso Frassetto, Thorsten Holz, Patrick Jauernig, Ahmad-Reza Sadeghi, and Daniel Teuchert. 2019. NAUTILUS: Fishing for deep bugs with grammars. In Proceedings of the Network and Distributed System Security Symposium (NDSS’19).Google ScholarGoogle ScholarCross RefCross Ref
  40. Cornelius Aschermann, Sergej Schumilo, Tim Blazytko, Robert Gawlik, and Thorsten Holz. 2019. REDQUEEN: Fuzzing with input-to-state correspondence. In Proceedings of the Network and Distributed System Security Symposium (NDSS’19).Google ScholarGoogle ScholarCross RefCross Ref
  41. Michalis Athanasakis, Elias Athanasopoulos, Michalis Polychronakis, Georgios Portokalidis, and Sotiris Ioannidis. 2015. The devil is in the constants: Bypassing defenses in browser JIT engines. In Proceedings of the Network and Distributed System Security Symposium (NDSS’15). The Internet Society.Google ScholarGoogle ScholarCross RefCross Ref
  42. Abhiram Balasubramanian, Marek S. Baranowski, Anton Burtsev, Aurojit Panda, Zvonimir Rakamari, and Leonid Ryzhyk. 2017. System programming in rust: Beyond safety. SIGOPS Oper. Syst. Rev. 51, 1 (September 2017), 94--99. DOI:https://doi.org/10.1145/3139645.3139660 Google ScholarGoogle ScholarDigital LibraryDigital Library
  43. Emery D. Berger and Benjamin G. Zorn. 2006. DieHard: Probabilistic memory safety for unsafe languages. In Proceedings of the ACM Programming Language Design and Implementation Conference (PLDI’06). 158--168. Google ScholarGoogle ScholarDigital LibraryDigital Library
  44. Vincent Blanchon. [n.d.]. Go: Memory Safety with Bounds Check. Retrieved May 2020 from https://medium.com/a-journey-with-go/go-memory-safety-with-bounds-check-1397bef748b5.Google ScholarGoogle Scholar
  45. Nicolas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross. 2015. Control-flow bending: On the effectiveness of control-flow integrity. In Proceedings of the USENIX Security Symposium (USENIX SEC’15). 161--176. Google ScholarGoogle ScholarDigital LibraryDigital Library
  46. Crispin Cowan, Calton Pu, Dave Maier, Heather Hinton, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, et al. 1998. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Symposium, Vol. 81. 346--355. Google ScholarGoogle ScholarDigital LibraryDigital Library
  47. Lucas Davi, Ahmad-Reza Sadeghi, Daniel Lehmann, and Fabian Monrose. 2014. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In Proceedings of the USENIX Security Symposium (USENIX SEC’14). 401--416. Google ScholarGoogle ScholarDigital LibraryDigital Library
  48. Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, and Stelios Sidiroglou-Douskos. 2015. Control jujutsu: On the weaknesses of fine-grained control flow integrity. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS’15). ACM, New York, NY, 901--913. DOI:https://doi.org/10.1145/2810103.2813646 Google ScholarGoogle ScholarDigital LibraryDigital Library
  49. Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, and Stelios Sidiroglou-Douskos. 2015. Control jujutsu: On the weaknesses of fine-grained control flow integrity. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’15). 901--913. Google ScholarGoogle ScholarDigital LibraryDigital Library
  50. Enes Göktaş, Elias Athanasopoulos, Herbert Bos, and Georgios Portokalidis. 2014. Out Of control: Overcoming control-flow integrity. In Proceedings of the IEEE Symposium on Security and Privacy (S8P’14). 575--589. Google ScholarGoogle ScholarDigital LibraryDigital Library
  51. Enes Goktas, Angelos Oikonomopoulos, Robert Gawlik, Benjamin Kollenda, Elias Athanasopoulos, Georgios Portokalidis, Cristiano Giuffrida, and Herbert Bos. 2016. Bypassing clang’s safestack for fun and profit. In Proceedings of the Black Hat Europe Conference (Black Hat Europe’16).Google ScholarGoogle Scholar
  52. Istvan Haller, Enes Göktaş, Elias Athanasopoulos, Georgios Portokalidis, and Herbert Bos. 2015. ShrinkWrap: VTable protection without loose ends. In Proceedings of the Annual Computer Security Applications Conference (ACSAC’15). ACM, 341--350. Google ScholarGoogle ScholarDigital LibraryDigital Library
  53. Rick Hudson. 2018. Getting to go: The journey of go’s garbage collector. Retrieved May 2020 from https://blog.golang.org/ismmkeynote.Google ScholarGoogle Scholar
  54. Dongseok Jang, Zachary Tatlock, and Sorin Lerner. 2014. SafeDispatch: Securing c++ virtual calls from memory corruption attacks. In Proceedings of the Network and Distributed System Security Symposium (NDSS’14). The Internet Society.Google ScholarGoogle ScholarCross RefCross Ref
  55. Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2017. RustBelt: Securing the foundations of the rust programming language. Proc. ACM Program. Lang. 2, Article 66 (December 2017), 34 pages. DOI:https://doi.org/10.1145/3158154 Google ScholarGoogle ScholarDigital LibraryDigital Library
  56. Kuznetsov, Volodymyr and Szekeres, László and Payer, Mathias and Candea, George and Sekar, R. and Song, Dawn. 2014. Code-pointer integrity. In Proceedings of the 11th USENIX Conference on Operating Systems Design and Implementation (OSDI’14). USENIX Association, Berkeley, CA, 147--163. http://dl.acm.org/citation.cfm?id=2685048.2685061 Google ScholarGoogle ScholarDigital LibraryDigital Library
  57. Julian Lettner, Benjamin Kollenda, Andrei Homescu, Per Larsen, Felix Schuster, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz, and Michael Franz. 2016. Subversive-C: Abusing and protecting dynamic message dispatch. In Proceedings of the USENIX Annual Technical Conference (USENIX ATC’16). 209--221. Google ScholarGoogle ScholarDigital LibraryDigital Library
  58. Giorgi Maisuradze, Michael Backes, and Christian Rossow. 2017. Dachshund: Digging for and securing (non-)blinded constants in JIT code. In Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS’17).Google ScholarGoogle ScholarCross RefCross Ref
  59. Nicholas D. Matsakis and Felix S. Klock, II. 2014. The rust language. Ada Lett. 34, 3 (October 2014), 103--104. DOI:https://doi.org/10.1145/2692956.2663188 Google ScholarGoogle ScholarDigital LibraryDigital Library
  60. Leo A. Meyerovich and Ariel S. Rabkin. 2013. Empirical analysis of programming language adoption. In Proceedings of the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages Applications (OOPSLA’13). ACM, New York, NY, 1--18. DOI:https://doi.org/10.1145/2509136.2509515 Google ScholarGoogle ScholarDigital LibraryDigital Library
  61. Dongliang Mu, Alejandro Cuevas, Limin Yang, Hang Hu, Xinyu Xing, Bing Mao, and Gang Wang. 2018. Understanding the reproducibility of crowd-reported security vulnerabilities. In Proceedings of the 27th USENIX Security Symposium (USENIX Security’18). USENIX Association, Baltimore, MD, 919--936. Google ScholarGoogle ScholarDigital LibraryDigital Library
  62. Santosh Nagarakatte, Jianzhou Zhao, Milo M. K. Martin, and Steve Zdancewic. 2009. SoftBound: Highly compatible and complete spatial memory safety for C. ACM Sigplan Not. 44, 6 (2009), 245--258. Google ScholarGoogle ScholarDigital LibraryDigital Library
  63. Santosh Nagarakatte, Jianzhou Zhao, Milo M. K. Martin, and Steve Zdancewic. 2010. CETS: Compiler-enforced temporal safety for C. In Proceedings of the ACM SIGPLAN International Symposium on Memory Management (ISMM’10). 31--40. Google ScholarGoogle ScholarDigital LibraryDigital Library
  64. Gene Novark and Emery D. Berger. 2010. DieHarder: Securing the heap. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’10). 573--584. Google ScholarGoogle ScholarDigital LibraryDigital Library
  65. Angelos Oikonomopoulos, Elias Athanasopoulos, Herbert Bos, and Cristiano Giuffrida. 2016. Poking holes in information hiding. In Proceedings of the 25th USENIX Security Symposium (USENIX Security’16). USENIX Association, Berkeley CA, 121--138. Google ScholarGoogle ScholarDigital LibraryDigital Library
  66. PaX Team. 2003. Address Space Layout Randomization (ASLR). Retrieved from http://pax.grsecurity.net/docs/aslr.txt.Google ScholarGoogle Scholar
  67. Mathias Payer. 2012. Too much PIE is bad for performance. Technical Report 766 (2012).Google ScholarGoogle Scholar
  68. Eric Christopher Reed. 2015. Patina: A formalization of the rust programming language. Master’s Thesis. University of Washington (2015).Google ScholarGoogle Scholar
  69. Robert Rudd, Richard Skowyra, David Bigelow, Veer Dedhia, Thomas Hobson, Stephen Crane, Christopher Liebchen, Per Larsen, Lucas Davi, Michael Franz, Ahmad-Reza Sadeghi, and Hamed Okhravi. 2017. Address oblivious code reuse: On the effectiveness of leakage resilient diversity. In Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS’17).Google ScholarGoogle ScholarCross RefCross Ref
  70. Felix Schuster, Thomas Tendyck, Christopher Liebchen, Lucas Davi, Ahmad-Reza Sadeghi, and Thorsten Holz. 2015. Counterfeit object-oriented programming: On the difficulty of preventing code reuse attacks in c++ applications. In Proceedings of the IEEE Symposium on Security and Privacy (S8P’15). Google ScholarGoogle ScholarDigital LibraryDigital Library
  71. Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitry Vyukov. 2012. AddressSanitizer: A fast address sanity checker. In Proceedings of the USENIX Annual Technical Conference (USENIX ATC’12). 309--318. Google ScholarGoogle ScholarDigital LibraryDigital Library
  72. Hovav Shacham. 2007. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM Conference on Computer and Communications Security. 552--61. Google ScholarGoogle ScholarDigital LibraryDigital Library
  73. Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. 2013. SoK: Eternal war in memory. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (S8P’13). IEEE Computer Society, Los Alamitos, CA, 48--62. DOI:https://doi.org/10.1109/SP.2013.13 Google ScholarGoogle ScholarDigital LibraryDigital Library
  74. Theofilos Petsios. 2019. Millions of Binaries Later: A Look Into Linux Hardening in the Wild. Retrieved November 2019 from https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/.Google ScholarGoogle Scholar
  75. Caroline Tice, Tom Roeder, Peter Collingbourne, Stephen Checkoway, Úlfar Erlingsson, Luis Lozano, and Geoff Pike. 2014. Enforcing forward-edge control-flow integrity in GCC 8 LLVM. In Proceedings of the USENIX Security Symposium (USENIX SEC’14). 941--955. Google ScholarGoogle ScholarDigital LibraryDigital Library
  76. Victor van der Veen, Enes Göktaş, Moritz Contag, Andre Pawloski, Xi Chen, Sanjay Rawat, Herbert Bos, Thorsten Holz, Elias Athanasopoulos, and Cristiano Giuffrida. 2016. A tough call: Mitigating advanced code-reuse attacks at the binary level. In Proceedings of the IEEE Symposium on Security and Privacy (S8P’16). 934--953.Google ScholarGoogle ScholarCross RefCross Ref
  77. Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, L. Szekeres, S. McCamant, D. Song, and Wei Zou. 2013. Practical control flow integrity 8 randomization for binary executables. In Proceedings of the IEEE Symposium on Security and Privacy (S8P’13). 559--573. Google ScholarGoogle ScholarDigital LibraryDigital Library
  78. Mingwei Zhang and R. Sekar. 2013. Control flow integrity for COTS binaries. In Proceedings of the USENIX Security Symposium (USENIX SEC’13). 337--352. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Exploiting Mixed Binaries

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      • Published in

        cover image ACM Transactions on Privacy and Security
        ACM Transactions on Privacy and Security  Volume 24, Issue 2
        May 2021
        242 pages
        ISSN:2471-2566
        EISSN:2471-2574
        DOI:10.1145/3446639
        Issue’s Table of Contents

        Copyright © 2021 Owner/Author

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 2 January 2021
        • Accepted: 1 August 2020
        • Revised: 1 June 2020
        • Received: 1 January 2020
        Published in tops Volume 24, Issue 2

        Check for updates

        Qualifiers

        • research-article
        • Research
        • Refereed

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      HTML Format

      View this article in HTML Format .

      View HTML Format
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!