Tianning Zhang
Abstract
Abstract
Currently, security-critical server programs are well protected by various defense techniques, such as Address Space Layout Randomization(ASLR), eXecute Only Memory(XOM), and Data Execution Prevention(DEP), against modern code-reuse attacks like Return-oriented Programming(ROP) attacks. Moreover, in these victim programs, most syscall instructions lack the following ret instructions, which prevents attacks to stitch multiple system calls to implement advanced behaviors like launching a remote shell. Lacking this kind of gadget greatly constrains the capability of code-reuse attacks.
This paper proposes a novel code-reuse attack method called Signal Enhanced Blind Return Oriented Programming (SeBROP) to address these challenges. Our SeBROP can initiate a successful exploit to server-side programs using only a stack overflow vulnerability. By leveraging a side-channel that exists in the victim program, we show how to find a variety of gadgets blindly without any pre-knowledges or reading/disassembling the code segment. Then, we propose a technique that exploits the current vulnerable signal checking mechanism to realize the execution flow control even when ret instructions are absent. Our technique can stitch a number of system calls without returns, which is more superior to conventional ROP attacks. Finally, the SeBROP attack precisely identifies many useful gadgets to constitute a Turing-complete set. SeBROP attack can defeat almost all state-of-the-art defense techniques. The SeBROP attack is compatible with both modern 64-bit and 32-bit systems.
To validate its effectiveness, We craft three exploits of the SeBROP attack for three real-world applications, i.e., 32-bit Apache 1.3.49, 32-bit ProFTPD 1.3.0, and 64-bit Nginx 1.4.0. Experimental results demonstrate that the SeBROP attack can successfully spawn a remote shell on Nginx, ProFTPD, and Apache with less than 8500/4300/2100 requests, respectively.
- 1. Return-oriented programming: systems, languages, and applicationsACM Transactions on Information and System Security20121512:12:3410.1145/2133375.2133377Google Scholar
Digital Library
- 2. Whitehouse, Ollie. An analysis of address space layout randomization on windows vista. Symantec Advanced Threat Research, 2007, 1–14Google Scholar
- 3. Lie D, Thekkath C A, Mitchell M, Lincoln P, Boneh D, Mitchell J C, Horowitz M. Architectural support for copy and tamper resistant software. In: Proceedings of International Conference on Architectural Support for Programming Languages and Operating Systems. 2000, 168–177Google Scholar
- 4. Bittau A, Belay A, Mashtizadeh A J, Mazières D, Boneh D. Hacking blind. In: Proceedings of IEEE Symposium on Security and Privacy. 2014, 227–242Google Scholar
- 5. Lu K, Song C, Lee B, Chung S P, Kim T, Lee W. Aslr-guard: Stopping address space leakage for code reuse attacks. In: Proceedings of ACM Conference on Computer and Communications Security. 2015, 280–291Google Scholar
- 6. Bosman E, Bos H. Framing signals — a return to portable shellcode. In: Proceedings of IEEE Symposium on Security and Privacy. 2014, 243–258Google Scholar
- 7. Stackguard: automatic adaptive detection and prevention of buffer-overflow attacksProceedings of USENIX Security Symposium1998986378Google Scholar
- 8. Kil C, Jun J, Bookholt C, Xu J, Ning P. Address space layout permutation aslp: Towards fine-grained randomization of commodity software. In: Proceedings of Annual Computer Security Applications Conference. 2006, 339–348Google Scholar
- 9. Crane S, Liebchen C, Homescu A, Davi L, Larsen P, Sadeghi A, Brunthaler S, Franz M. Readactor: practical code randomization resilient to memory disclosure. In: Proceedings of IEEE Symposium on Security and Privacy. 2015, 763–780Google Scholar
- 10. Crane S J, Volckaert S, Schuster F, Liebchen C, Larsen P, Davi L, Sadeghi A, Holz T, Sutter B D, Franz M. It’s a trap: table randomization and protection against function-reuse attacks. In: Proceedings of ACM Conference on Computer and Communications Security. 2015, 243–255Google Scholar
- 11. Snow K Z, Monrose F, Davi L, Dmitrienko A, Liebchen C, Sadeghi A. Just-in-time code reuse: on the effectiveness of fine-grained address space layout randomization. In: Proceedings of IEEE Symposium on Security and Privacy. 2013, 574–588Google Scholar
- 12. Maisuradze G, Backes M, Rossow C. What cannot be read, cannot be leveraged? revisiting assumptions of jit-rop defenses. In: Proceedings of USENIX Security Symposium. 2016, 139–156Google Scholar
- 13. Bhatkar S, DuVarney D C, Sekar R. Efficient techniques for comprehensive protection from memory error exploits. In: Proceedings of USENIX Security Symposium. 2005, 255–270Google Scholar
- 14. Davi L V, Dmitrienko A, Nürnberger S, Sadeghi A. Gadge me if you can: secure and efficient ad-hoc instruction-level randomization for x86 and ARM. In: Proceedings of ACM Symposium on Information, Computer and Communications Security. 2013, 299–310Google Scholar
- 15. Wartell R, Mohan V, Hamlen K W, Lin Z. Binary stirring: selfrandomizing instruction addresses of legacy x86 binary code. In: Proceedings of the ACM Conference on Computer and Communications Security. 2012, 157–168Google Scholar
- 16. Hiser J, Nguyen-Tuong A, Co M, Hall M, Davidson J W. Ilr: where’d my gadgets go? In: Proceedings of IEEE Symposium on Security and Privacy. 2012, 571–585Google Scholar
- 17. Pappas V, Polychronakis M, Keromytis A D. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In: Proceedings of IEEE Symposium on Security and Privacy. 2012, 601–615Google Scholar
- 18. Backes M, Holz T, Kollenda B, Kopp. P, Nürnberger S, Pewny J. You can run but you can’t read: preventing disclosure exploits in executable code. In: Proceedings of ACM Conference on Computer and Communications Security. 2014, 1342–1353Google Scholar
- 19. Backes M, Nürnberger S. Oxymoron: Making fine-grained memory randomization practical by allowing code sharing. In: Proceedings of USENIX Security Symposium. 2014, 433–447Google Scholar
- 20. Zhang M, Sahita R, Liu D. executable-only-memory switch(xomswitch): Hiding your code from advanced code reuse attacks in one shot. Black Hat Asia, 2018Google Scholar
- 21. Pomonis M, Petsios T, Keromytis A D, Polychronakis M, Kemerlis V P. kr^x: Comprehensive kernel protection against just-in-time code reuse. In: Proceedings of European Conference on Computer Systems. 2017, 420–436Google Scholar
- 22. Tang A, Sethumadhavan S, Stolfo S J. Heisenbyte: thwarting memory disclosure attacks using destructive code reads. In: Proceedings of ACM Conference on Computer and Communications Security. 2015, 256–267Google Scholar
- 23. Shacham H, Page M, Pfaff B, Goh E, Modadugu N, Boneh D. On the effectiveness of address-space randomization. In: Proceedings of ACM Conference on Computer and Communications Security. 2004, 298–307Google Scholar
- 24. Petsios T, Kemerlis V P, Polychronakis M, Keromytis A D. Dynaguard: Armoring canary-based protections against brute-force attacks. In: Proceedings of Annual Computer Security Applications Conference. 2015, 351–360Google Scholar
- 25. Williams-King D, Gobieski G, Williams-King K, Blake J P, Yuan X, Colp P, Zheng M, Kemerlis V P, Yang J, Aiello W. Shuffler: fast and deployable continuous code re-randomization. In: Proceedings of USENIX Symposium on Operating Systems Design and Implementation. 2016, 367–382Google Scholar
- 26. Wang Z, Wu C, Li J, Lai Y, Zhang X, Hsu W, Cheng Y. Reranz: A light-weight virtual machine to mitigate memory disclosure attacks. In: Proceedings of ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments. 2017, 143–156Google Scholar
- 27. Giuffrida C, Kuijsten A, Tanenbaum A S. Enhanced operating system security through efficient and fine-grained address space randomization. In: Proceedings of USENIX Security Symposium. 2012, 475–490Google Scholar
- 28. Lu K, Lee W, Nürnberger S, Backes M. How to make aslr win the clone wars: runtime re-randomization. In: Proceedings of Annual Network and Distributed System Security Symposium. 2016Google Scholar
- 29. Abadi M, Budiu M, Erlingsson Ú, Ligatti J. Control-flow integrity. In: Proceedings of ACM Conference on Computer and Communications Security. 2005, 340–353Google Scholar
- 30. Christoulakis N, Christou G, Athanasopoulos E, Ioannidis S. Hcfi: hardware-enforced control-flow integrity. In: Proceedings of ACM Conference on Data and Application Security and Privacy. 2016, 38–49Google Scholar
- 31. Pappas V, Polychronakis M, Keromytis A D. Transparent rop exploit mitigation using indirect branch tracing. In: Proceedings of USENIX Security Symposium. 2013, 447–462Google Scholar
- 32. Cheng Y, Zhou Z, Yu M, Ding X, Deng R H. Ropecker: A generic and practical approach for defending against rop attacks. In: Proceedings of Annual Network and Distributed System Security Symposium. 2014, 1–14Google Scholar
- 33. Davi L, Sadeghi A, Lehmann D, Monrose F. Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection. In: Proceedings of USENIX Security Symposium. 2014, 401–416Google Scholar
- 34. Kuznetsov V, Szekeres L, Payer M, Candea G, Sekar R, Song D. Codepointer integrity. In: The Continuing Arms Race: Code-Reuse Attacks and Defenses, Code-Pointer Integrity. Association for Computing Machinery and Morgan Claypool, 2018Google Scholar
Recommendations
A dynamic detective method against ROP attack on ARM platform
SEES '12: Proceedings of the Second International Workshop on Software Engineering for Embedded Systemswith the popularity of embedded devices, especially smart phones, a growing attention has been paid to their programs' security. Many viruses on PC platforms migrated to embedded device have brought new threats to the security of the embedded platform. ...
SmashEx: Smashing SGX Enclaves Using Exceptions
CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications SecurityExceptions are a commodity hardware functionality which is central to multi-tasking OSes as well as event-driven user applications. Normally, the OS assists the user application by lifting the semantics of exceptions received from hardware to program-...
G-Free: defeating return-oriented programming through gadget-less binaries
ACSAC '10: Proceedings of the 26th Annual Computer Security Applications ConferenceDespite the numerous prevention and protection mechanisms that have been introduced into modern operating systems, the exploitation of memory corruption vulnerabilities still represents a serious threat to the security of software systems and networks. ...
Comments