On the Expressiveness of Return-into-libc Attacks

@inproceedings{Tran2011OnTE,
  title={On the Expressiveness of Return-into-libc Attacks},
  author={Minh Tran and Mark Etheridge and Tyler K. Bletsch and Xuxian Jiang and Vincent W. Freeh and Peng Ning},
  booktitle={International Symposium on Recent Advances in Intrusion Detection},
  year={2011}
}
Return-into-libc (RILC) is one of the most common forms of code-reuse attacks. [] Key Result The development of TC-RILC on both Linux and Windows platforms demonstrates the expressiveness and practicality of the generalized RILC attack.

Microgadgets: Size Does Matter in Turing-Complete Return-Oriented Programming

This work proposes a ROP attack technique, based on a handpicked but flexible and Turing-complete set of gadgets, and describes an efficient scanner which locates these gadgets in a given program.

A practical analysis of ROP attacks

An automated tool is designed which works on 64-bit systems and generates a ROP chain from ROP gadgets to execute arbitrary system calls and studies different techniques of performing ROP Attacks and finds the difficulties encountered to perform such attacks.

Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications

It is demonstrated that many of these defenses that do not consider object-oriented C++ semantics precisely can be generically bypassed in practice, and that even recently proposed defenses that specifically target C++ are vulnerable to COOP.

Out of Control: Overcoming Control-Flow Integrity

As existing defenses like ASLR, DEP, and stack cookies are not sufficient to stop determined attackers from exploiting our software, interest in Control Flow Integrity (CFI) is growing. In its ideal

Systematic Analysis of Defenses against Return-Oriented Programming

It is proved by construction that attack extensions implementing the hypothesized functionality are possible even if a 'perfect' version of the defense is implemented, and can be used to formalize the process of threat model definition, analyze defense configurations, reason about composability and efficacy, and hypothesize about new attacks and defenses.

Binary Debloating for Security via Demand Driven Loading

This work creates a defense mechanism by debloating libraries to reduce the dynamic functions linked so that the possibilities of constructing malicious programs diminishes significantly, and presents a decision-tree based predictor, which acts as an oracle, and an optimized runtime system, which works directly with library binaries like GNU libc and libstdc++.

Subversive-C: Abusing and Protecting Dynamic Message Dispatch

This paper demonstrates the first COOP-style exploit for Objective-C, the predominant programming language on Apple's OS X and iOS platforms, and retrofit the Objective- C runtime with the first practical and efficient defense against this novel attack.

It's a TRaP: Table Randomization and Protection against Function-Reuse Attacks

This paper significantly improve and simplify the COOP attack, and presents a comprehensive code-reuse defense which is resilient against reuse of dynamically-bound functions and introduces two novel defense techniques: a practical technique to randomize the layout of tables containing code pointers resilient to memory disclosure and booby trap insertion to mitigate the threat of brute-force attacks iterating over the randomized tables.

A Formal Model for an Ideal CFI

This work provides a formal model to achieve a fully precise dynamic protection of the flow of execution against control flow hijacking attacks and proves the correctness of the scheme for an abstract machine as a model of modern processors.

Loop-Oriented Programming: A New Code Reuse Attack to Bypass Modern Defenses

This paper proposes a new code reuse attack, named loop-oriented programming (LOP), aiming to bypass both coarse-grained CFI and shadow stack, and constructs a proof-of-concept exploit against Internet Explorer 8 on 32-bit x86 platform.
...

References

SHOWING 1-10 OF 39 REFERENCES

Return-Oriented Programming: Systems, Languages, and Applications

This work presents a high-level, general-purpose language for describing return-oriented exploits and a compiler that translates it to gadgets, and constructs a Turing-complete set of building blocks called gadgets using the standard C libraries of two very different architectures.

Jump-oriented programming: a new class of code-reuse attack

This paper introduces a new class of code-reuse attack, called jump-oriented programming, which eliminates the reliance on the stack and ret instructions (including ret-like instructions such as pop+jmp) seen in return- oriented programming without sacrificing expressive power.

Return-Oriented Programming without Returns on ARM

A Turing-complete attack that can induce arbitrary change of behavior in running programs without requiring code injection is presented, and it can not be detected by return address checkers.

Return-oriented programming without returns

We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction

When good instructions go bad: generalizing return-oriented programming to RISC

It is argued that the threat posed by return-oriented programming, across all architectures and systems, has negative implications for an entire class of security mechanisms: those that seek to prevent malicious computation by preventing the execution of malicious code.

G-Free: defeating return-oriented programming through gadget-less binaries

G-Free is presented, a compiler-based approach that represents the first practical solution against any possible form of ROP, and is able to eliminate all unaligned free-branch instructions inside a binary executable, and to protect the aligned free-Branch instructions to prevent them from being misused by an attacker.

Escape From Return-Oriented Programming : Return-oriented Programming without Returns ( on the x 86 )

It is shown that on the x86 it is possible to mount a return-oriented programming attack without using any return instructions, and a new attack is proposed that makes use of certain instruction sequences that behave like a return.

Surgically Returning to Randomized lib(c)

It is concluded that position independent executables (PIE) are essential to complement ASLR and to prevent the attack presented in this paper, which can exploit the majority of programs vulnerable to stack-based buffer overflows surgically.

Countering code-injection attacks with instruction-set randomization

A new, general approach for safeguarding systems against any type of code-injection attack, by creating process-specific randomized instruction sets of the system executing potentially vulnerable software that can serve as a low-overhead protection mechanism, and can easily complement other mechanisms.

The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

  • H. Shacham
  • Computer Science, Mathematics
    CCS '07
  • 2007
A return-into-libc attack to be mounted on x86 executables that calls no functions at all is presented, and how to discover such instruction sequences by means of static analysis is shown.