Abstract
In general, control-flow attacks allow an adversary to subvert the intended execution flow of a program by exploiting a program error. For instance, a buffer overflow error can be exploited to write data beyond the boundaries of the buffer. As a consequence, an adversary can overwrite critical control-flow information that is located close to the buffer. Since control-flow information guides the program’s execution flow, an adversary can thereby trigger malicious and unintended program actions such as installing a backdoor, injecting malware, or accessing sensitive data.
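The abstract's mechanism, shown as an added example (not code from the chapter): a hypothetical record places a fixed-size buffer directly before a function pointer, an unchecked copy with a caller-supplied length lands on that pointer, and the bounded copy refuses the same input. The record layout, the input bytes and all function names are constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed record: a fixed-size input buffer followed by a control-flow
 * value (a function pointer). The layout is hypothetical. */
struct request {
    char buf[16];
    void (*on_done)(void);
};

static void benign_handler(void) {}

/* Defective copy: len comes from the caller and is never compared against
 * sizeof buf, so bytes beyond buf land on on_done. The copy goes through a
 * byte pointer to the whole record so the demo stays well-defined; the
 * missing bound check is the defect. */
static void copy_unchecked(struct request *r, const char *src, size_t len) {
    if (len > sizeof *r) len = sizeof *r;   /* keep the demo inside the record */
    memcpy((unsigned char *)r, src, len);
}

/* Hardened copy: refuse anything that does not fit buf. Returns 0 on
 * success, -1 when the input is rejected; on_done is never reachable. */
static int copy_checked(struct request *r, const char *src, size_t len) {
    if (len > sizeof r->buf) return -1;
    memcpy(r->buf, src, len);
    return 0;
}

/* Feeds a constructed 24-byte input (16 filler bytes plus 8 bytes of 0x41)
 * through one of the copy routines and reports whether the control-flow
 * value survived. Returns 1 if on_done still points at benign_handler. */
int handler_intact(int use_checked) {
    struct request r;
    char input[24];
    memset(input, 'a', 16);
    memset(input + 16, 0x41, 8);
    r.on_done = benign_handler;
    if (use_checked)
        copy_checked(&r, input, sizeof input);    /* rejected: returns -1 */
    else
        copy_unchecked(&r, input, sizeof input);  /* on_done overwritten */
    return r.on_done == benign_handler;
}
```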
Notes
1. To control the register, the adversary can either use a buffer overflow exploit that overwrites memory areas that are used to load the target register, or invoke a sequence that initializes the target register and then directly calls the stack pivot.
© 2015 The Author(s)
Cite this chapter
Davi, L., Sadeghi, AR. (2015). Background and Evolution of Code-Reuse Attacks. In: Building Secure Defenses Against Code-Reuse Attacks. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-25546-0_2
DOI: https://doi.org/10.1007/978-3-319-25546-0_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25544-6
Online ISBN: 978-3-319-25546-0
eBook Packages: Computer Science, Computer Science (R0)