ABSTRACT
We present new techniques that allow a return-into-libc attack that calls no functions at all to be mounted on x86 executables. Our attack combines a large number of short instruction sequences to build gadgets that allow arbitrary computation. We show how to discover such instruction sequences by means of static analysis. We make use, in an essential way, of the properties of the x86 instruction set.
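The static-analysis idea in the abstract, as an added example written for this page (not code from the paper or its authors): scan a code blob for the byte 0xC3 (ret), then for every start offset shortly before it decode forward and keep the instruction sequence only if decoding lands exactly on that ret. Because x86 instructions are variable-length and can be decoded from any byte, different start offsets expose different, often unintended, sequences. Everything below is an assumption of the example: the small x86-32 opcode subset that is decoded (any other byte ends the walk), the 20-byte look-back bound, the mnemonic spelling, and the constructed sample bytes.

```python
# Added example, not code from the paper or its authors: a tiny static gadget
# finder. Scan a blob for ret (0xC3); for each start offset shortly before it,
# decode forward and keep the sequence only if it lands exactly on that ret.
# Only a small x86-32 opcode subset is decoded (an assumption of this example).

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
OPS_RM_R = {0x01: "add", 0x09: "or", 0x21: "and", 0x29: "sub", 0x31: "xor",
            0x39: "cmp", 0x85: "test", 0x89: "mov"}        # op r/m32, r32
OPS_R_RM = {0x03: "add", 0x0B: "or", 0x23: "and", 0x2B: "sub", 0x33: "xor",
            0x3B: "cmp", 0x8B: "mov", 0x8D: "lea"}         # op r32, r/m32
SETCC = ["o", "no", "b", "ae", "e", "ne", "be", "a",
         "s", "ns", "p", "np", "l", "ge", "le", "g"]       # 0F 90+cc

def field(code, pos, size, signed=False):
    """Little-endian integer of `size` bytes at pos; IndexError if the blob is too short."""
    code[pos + size - 1]                           # force IndexError on a truncated blob
    return int.from_bytes(code[pos:pos + size], "little", signed=signed)

def decode_modrm(code, pos, width=32):
    """Decode ModRM (+SIB, +displacement) at pos -> (reg field, operand text, length)."""
    mod, reg, rm = code[pos] >> 6, (code[pos] >> 3) & 7, code[pos] & 7
    if mod == 3:                                   # register operand
        return reg, (REGS8 if width == 8 else REGS32)[rm], 1
    n, base, index = 1, REGS32[rm], ""
    if rm == 4:                                    # SIB byte follows
        sib = code[pos + 1]
        scale, idx, b = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        n, base = 2, REGS32[b]
        index = f"+{REGS32[idx]}*{scale}" if idx != 4 else ""
        if mod == 0 and b == 5:                    # no base register, disp32 follows
            base = None
    elif mod == 0 and rm == 5:                     # [disp32] with no base register
        base = None
    dsize = 1 if mod == 1 else 4 if (mod == 2 or base is None) else 0
    disp = field(code, pos + n, dsize, signed=True) if dsize else 0
    if base is None:
        return reg, f"[{disp & 0xFFFFFFFF:#x}{index}]", n + dsize
    return reg, f"[{base}{index}{disp:+#x}]" if disp else f"[{base}{index}]", n + dsize

def mem(text, width=32):
    """Prefix memory operands (not registers) with their operand size."""
    return f"{'byte' if width == 8 else 'dword'} {text}" if text[0] == "[" else text

def _decode(code, pos):
    op = code[pos]
    if op in (0x90, 0xC3, 0xC9, 0xCC):
        return {0x90: "nop", 0xC3: "ret", 0xC9: "leave", 0xCC: "int3"}[op], 1
    if 0x91 <= op <= 0x97:
        return f"xchg eax, {REGS32[op - 0x90]}", 1
    for lo, mnem in ((0x40, "inc"), (0x48, "dec"), (0x50, "push"), (0x58, "pop")):
        if lo <= op < lo + 8:
            return f"{mnem} {REGS32[op - lo]}", 1
    if 0xB8 <= op <= 0xBF:                         # mov r32, imm32
        return f"mov {REGS32[op - 0xB8]}, {field(code, pos + 1, 4):#x}", 5
    if op in OPS_RM_R or op in OPS_R_RM:
        reg, rm, n = decode_modrm(code, pos + 1)
        dst, src = (rm, REGS32[reg]) if op in OPS_RM_R else (REGS32[reg], rm)
        return f"{OPS_RM_R.get(op) or OPS_R_RM[op]} {dst}, {src}", 1 + n
    if op in (0xC7, 0xF7):                         # C7 /0 mov r/m32, imm32; F7 /0 test r/m32, imm32
        reg, rm, n = decode_modrm(code, pos + 1)
        if reg != 0:                               # other /reg forms are outside the subset
            return None
        imm = field(code, pos + 1 + n, 4)
        return f"{'mov' if op == 0xC7 else 'test'} {mem(rm)}, {imm:#x}", 1 + n + 4
    if op == 0x0F and 0x90 <= code[pos + 1] <= 0x9F:  # setcc r/m8
        _, rm, n = decode_modrm(code, pos + 2, width=8)
        return f"set{SETCC[code[pos + 1] - 0x90]} {mem(rm, 8)}", 2 + n
    return None                                    # outside the decoded subset

def decode_one(code, pos):
    """Decode one instruction at pos -> (text, length); None if unknown or truncated."""
    try:
        return _decode(code, pos)
    except IndexError:                             # instruction runs off the end of the blob
        return None

def find_gadgets(code, max_back=20):
    """Map start offset -> instruction list for every straight-line sequence that
    decodes exactly onto a ret. max_back (an assumption here) bounds the search."""
    found = {}
    for ret_off in (i for i, b in enumerate(code) if b == 0xC3):
        for start in range(max(0, ret_off - max_back), ret_off):
            pos, seq = start, []
            while pos < ret_off:
                d = decode_one(code, pos)
                if d is None or d[0] == "ret":     # undecodable byte, or an earlier ret
                    break
                seq.append(d[0])
                pos += d[1]
            if pos == ret_off:                     # landed exactly on this ret
                found[start] = seq + ["ret"]
    return found

# Constructed sample (not from a real binary): "mov eax, [ebp+8]; pop ebp; ret" followed by
# "test edi, 7; setne byte [ebp-0x3d]", whose final displacement byte 0xC3 is not a ret at all.
SAMPLE = bytes.fromhex("8b45085dc3" "f7c7070000000f9545c3")

if __name__ == "__main__":
    for off, seq in sorted(find_gadgets(SAMPLE).items()):
        print(f"+{off:#04x}: " + " ; ".join(seq))
```

Running it on the sample reports the intended epilogue gadgets at offsets 0 and 3, and three more at offsets 6, 12 and 13 that exist only because the `c3` ending the `setne` displacement, together with the immediate of the `test`, decodes as `mov dword [edi], 0xf000000 ; xchg eax, ebp ; inc ebp ; ret` when entered one byte late. The intended start of that instruction (offset 5) yields no gadget, since decoding from there swallows the 0xC3 as data.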
Index Terms
- The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)
Recommendations
Return-Oriented Programming: Systems, Languages, and Applications
Special Issue on Computer and Communications Security
We introduce return-oriented programming, a technique by which an attacker can induce arbitrary behavior in a program whose control flow he has diverted, without injecting any code. A return-oriented program chains together short instruction sequences ...
The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later
CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
In 2007, Shacham published a seminal paper on Return-Oriented Programming (ROP), the first systematic formulation of code reuse. The paper has been highly influential, profoundly shaping the way we still think about code reuse today: an attacker ...
When good instructions go bad: generalizing return-oriented programming to RISC
CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
This paper reconsiders the threat posed by Shacham's "return-oriented programming" -- a technique by which W-xor-X-style hardware protections are evaded via carefully crafted stack frames that divert control flow into the middle of existing variable-...