Article

The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

Author:
Hovav Shacham

University of California, San Diego, La Jolla, CA

University of California, San Diego, La Jolla, CA
View Profile

CCS '07: Proceedings of the 14th ACM conference on Computer and communications securityOctober 2007Pages 552–561https://doi.org/10.1145/1315245.1315313

Published:28 October 2007Publication History

CCS '07: Proceedings of the 14th ACM conference on Computer and communications security

Pages 552–561

ABSTRACT

We present new techniques that allow a return-into-libc attack to be mounted on x86 executables that calls no functions at all. Our attack combines a large number of short instruction sequences to build gadgets that allow arbitrary computation. We show how to discover such instruction sequences by means of static analysis. We make use, in an essential way, of the properties of the x86 instruction set.

References

Aleph One. Smashing the stack for fun and profit. Phrack Magazine, 49(14), Nov. 1996. http://www.phrack.org/archives/49/P49-14.Google Scholar
Anonymous. Once upon a free(). Phrack Magazine, 57(9), Aug. 2001. http://www.phrack.org/archives/57/p57-0x09.Google Scholar
E. G. Barrantes, D. H. Ackley, S. Forrest, and D. Stefanović. Randomized instruction set emulation. ACM Trans. Info. & System Security, 8(1):3--40, Feb. 2005. Google ScholarDigital Library
blexim. Basic integer overflows. Phrack Magazine, 60(10), Dec. 2002. http://www.phrack.org/archives/60/p60-0x0a.txt.Google Scholar
J. R. Crandall, S. F. Wu, and F. T. Chong. Experiences using Minos as a tool for capturing and analyzing novel worms for unknown vulnerabilities. In K. Julisch and C. Krügel, editors, Detection of Intrusions and Malware, and Vulnerability Assessment, Second International Conference, DIMVA 2005, volume 3548 of LNCS, pages 32--50. Springer-Verlag, July 2005. Google ScholarDigital Library
dark spyrit. Win32 buffer overflows (location, exploitation and prevention). Phrack Magazine, 55(15), Sept. 1999. http://www.phrack.org/archives/55/P55-15.Google Scholar
M. Garg. About ELF auxiliary vectors, Aug. 2006. Online: manugarg.googlepages.com/aboutelfauxiliaryvectors.Google Scholar
M. Garg. Sysenter based system call mechanism in Linux 2.6, July 2006. Online: manugarg.googlepages.com/systemcallinlinux2_6.html.Google Scholar
Gera. Insecure programming by example, 2002. Online: community.corest.com/~gera/InsecureProgramming/.Google Scholar
gera and riq. Advances in format string exploiting. Phrack Magazine, 59(7), July 2001. http://www.phrack.org/archives/59/p59-0x07.txt.Google Scholar
O. Horovitz. Big loop integer protection. Phrack Magazine, 60(9), Dec. 2002. http://www.phrack.org/archives/60/p60-0x09.txt.Google Scholar
Intel Corporation. IA-32 Intel Architecture Software Developer's Manual, Volume 2: Instruction Set Reference, 2001.Google Scholar
M. Kaempf. Vudo malloc tricks. Phrack Magazine, 57(8), Aug. 2001. http://www.phrack.org/archives/57/p57-0x08.Google Scholar
klog. The frame pointer overwrite. Phrack Magazine, 55(8), Sept. 1999. http://www.phrack.org/archives/55/P55-08.Google Scholar
S. Krahmer. x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique, Sept. 2005. Online: http://www.suse.de/~krahmer/no-nx.pdf.Google Scholar
C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Automating mimicry attacks using static binary analysis. In P. McDaniel, editor, Proc. 14th USENIX Sec. Symp., pages 161--76. USENIX, Aug. 2005. Google ScholarDigital Library
D. Litchfield. Defeating the stack based buffer overflow prevention mechanism of Microsoft Windows 2003 Server, Sept. 2003. Online: http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf.Google Scholar
mammon_. The Bastard project: libdisasm. http://bastard.sourceforge.net/libdisasm.html.Google Scholar
S. McCamant and G. Morrisett. Evaluating SFI for a CISC architecture. In A. Keromytis, editor, Proc. 15th USENIX Sec. Symp., pages 209--24. USENIX, July 2006. Google ScholarDigital Library
J. McDonald. Defeating Solaris/SPARC non-executable stack protection. Bugtraq, Mar. 1999.Google Scholar
Nergal. The advanced return-into-lib(c) exploits (PaX case study). Phrack Magazine, 58(4), Dec. 2001. http://www.phrack.org/archives/58/p58-0x04.Google Scholar
PaX Team. PaX non-executable pages design & implementation. pax.grsecurity.net/docs/noexec.txt.Google Scholar
M. Riepe. GNU Libelf. http://www.mr511.de/software/.Google Scholar
rix. Writing ia32 alphanumeric shellcodes). Phrack Magazine, 57(15), Dec. 2001. http://www.phrack.org/archives/57/p57-0x18.Google Scholar
Scut/team teso. Exploiting format string vulnerabilities. http://www.team-teso.net, 2001.Google Scholar
H. Shacham. The geometry of innocent flesh on the bone, Oct. 2007. Online: http://hovav.net/dist/geometry.pdf.Google Scholar
H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In B. Pfitzmann and P. Liu, editors, Proc. 11th ACM Conf. Comp. and Comm. Sec. - CCS 2004, pages 298--307. ACM Press, Oct. 2004. Google ScholarDigital Library
Solar Designer. "return-to-libc" attack. Bugtraq, Aug. 1997.Google Scholar
Solar Designer. JPEG COM marker processing vulnerability in Netscape browsers, July 2000. Online: www.openwall.com/advisories/OW-002-netscape-jpeg/.Google Scholar
N. Sovarel, D. Evans, and N. Paul. Where's the FEEB? the effectiveness of instruction set randomization. In P. McDaniel, editor, Proc. 14th USENIX Sec. Symp., pages 145--60. USENIX, Aug. 2005. Google ScholarDigital Library
The Metasploit Project. Shellcode archive. Online: http://www.metasploit.com/shellcode.html.Google Scholar
The Santa Cruz Operation. System V Application Binary Interface: Intel386 Architecture Processor Supplement, fourth edition, 1996.Google Scholar
D. Wheeler. Secure Programming for Linux and Unix HOWTO. Linux Documentation Project, 2003. Online: http://www.dwheeler.com/secure-programs/.Google Scholar
M. Zalewski. Remote vulnerability in SSH daemon CRC32 compression attack detector, Feb. 2001. Online: http://www.bindview.com/Support/RAZOR/Advisories/2001/adv_ssh1crc.cfm.Google Scholar

Index Terms

The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)
1. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

Return-Oriented Programming: Systems, Languages, and Applications
Special Issue on Computer and Communications Security

We introduce return-oriented programming, a technique by which an attacker can induce arbitrary behavior in a program whose control flow he has diverted, without injecting any code. A return-oriented program chains together short instruction sequences ...
Read More
The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later
CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

In 2007, Shacham published a seminal paper on Return-Oriented Programming (ROP), the first systematic formulation of code reuse. The paper has been highly influential, profoundly shaping the way we still think about code reuse today: an attacker ...
Read More
When good instructions go bad: generalizing return-oriented programming to RISC
CCS '08: Proceedings of the 15th ACM conference on Computer and communications security

This paper reconsiders the threat posed by Shacham's "return-oriented programming" -- a technique by which W-xor-X-style hardware protections are evaded via carefully crafted stack frames that divert control flow into the middle of existing variable-...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CCS '07: Proceedings of the 14th ACM conference on Computer and communications security
October 2007
628 pages
ISBN:9781595937032
DOI:10.1145/1315245
General Chair:
Peng Ning
NC State University, USA
,
Program Chairs:
Sabrina De Capitani di Vimercati
University of Milan, Italy
,
Paul Syverson
Naval Research Laboratory, USA
Copyright © 2007 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 28 October 2007
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
instruction set
return-into-libc
turing completeness
Qualifiers
- Article
Conference

Acceptance Rates
CCS '07 Paper Acceptance Rate55of302submissions,18%Overall Acceptance Rate1,261of6,999submissions,18%
More
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 792
  Total Citations
  View Citations
- 9,239
  Total Downloads
- Downloads (Last 12 months)650
- Downloads (Last 6 weeks)82
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

CCS '07: Proceedings of the 14th ACM conference on Computer and communications security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Return-Oriented Programming: Systems, Languages, and Applications

The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later

When good instructions go bad: generalizing return-oriented programming to RISC