Background and Evolution of Code-Reuse Attacks

  • Lucas Davi
  • Ahmad-Reza Sadeghi
Chapter
Part of the SpringerBriefs in Computer Science book series (BRIEFSCOMPUTER)

Abstract

In general, control-flow attacks allow an adversary to subvert the intended execution flow of a program by exploiting a program error. For instance, a buffer overflow error can be exploited to write data beyond the boundaries of a buffer. As a consequence, an adversary can overwrite critical control-flow information located next to the buffer, such as the saved return address of the current function. Since control-flow information guides the program's execution flow, the adversary can thereby trigger malicious and unintended program actions such as installing a backdoor, injecting malware, or accessing sensitive data. Where the memory holding injected code is not executable, the adversary instead redirects the corrupted control-flow information to code that is already present in the process; the evolution from code injection to such code-reuse attacks is the subject of this chapter.
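The following C program is an added illustration of the overflow described above and is not code from the chapter. Rather than corrupting the real call stack (which is undefined behaviour and is blocked on modern toolchains by stack canaries, non-executable memory and ASLR, the very defenses the chapter's history is about), it models a single stack frame as a byte array: a 16-byte local buffer immediately followed by the saved return address, exactly the adjacency the abstract relies on. An unchecked copy spills the attacker's input over the saved address, and the simulated `ret` then transfers control to the attacker's chosen target. All names (`frame`, `copy_unchecked`, `copy_checked`, `attacker_target`) are hypothetical; the 16-byte buffer size is an assumption for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A "return address" in this model is simply a function pointer. */
typedef void (*retaddr_t)(void);

#define BUF_SIZE   16                             /* assumed size of the local buffer   */
#define FRAME_SIZE (BUF_SIZE + sizeof(retaddr_t)) /* buffer + saved return address      */

/* Memory image of a stack frame: the local buffer occupies mem[0..BUF_SIZE),
 * the saved return address sits directly after it, as on a real stack
 * without a canary. Modelled in a plain byte array so the demo is portable
 * and does not depend on the real stack layout or compiler hardening. */
struct frame {
    unsigned char mem[FRAME_SIZE];
};

/* Counters let us observe which site control actually reached. */
static int benign_hits, attacker_hits;
static void benign_return_site(void) { benign_hits++; }  /* legitimate caller   */
static void attacker_target(void)    { attacker_hits++; } /* attacker-chosen code */

/* Set up a fresh frame whose saved return address points back to the caller. */
static void frame_init(struct frame *f, retaddr_t ret) {
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + BUF_SIZE, &ret, sizeof ret);
}

/* The bug: the callee trusts the caller-supplied length and copies into the
 * 16-byte buffer with no bounds check. Every byte past BUF_SIZE lands on the
 * saved return address. */
static void copy_unchecked(struct frame *f, const unsigned char *in, size_t n) {
    for (size_t i = 0; i < n; i++)
        f->mem[i] = in[i];
}

/* The fix: refuse input that does not fit in the buffer. Returns -1 on reject. */
static int copy_checked(struct frame *f, const unsigned char *in, size_t n) {
    if (n > BUF_SIZE)
        return -1;
    memcpy(f->mem, in, n);
    return 0;
}

/* Simulated `ret`: load the saved return address from the frame and jump to it. */
static void frame_ret(const struct frame *f) {
    retaddr_t ret;
    memcpy(&ret, f->mem + BUF_SIZE, sizeof ret);
    ret();
}

/* Classic payload: BUF_SIZE bytes of filler, then the address the attacker
 * wants control transferred to. Constructed here for the example. */
static size_t build_payload(unsigned char *out, retaddr_t target) {
    memset(out, 'A', BUF_SIZE);
    memcpy(out + BUF_SIZE, &target, sizeof target);
    return BUF_SIZE + sizeof target;
}

enum outcome { RET_BENIGN = 0, RET_HIJACKED = 1 };

/* Run the overflow against the unchecked or the checked copy and report
 * where control ended up when the frame "returned". */
enum outcome exercise(int bounds_checked) {
    struct frame f;
    unsigned char payload[FRAME_SIZE];

    benign_hits = attacker_hits = 0;
    frame_init(&f, benign_return_site);
    size_t n = build_payload(payload, attacker_target);

    if (bounds_checked)
        copy_checked(&f, payload, n);   /* rejected: saved address intact */
    else
        copy_unchecked(&f, payload, n); /* saved address now = attacker_target */

    frame_ret(&f);
    return (attacker_hits == 1 && benign_hits == 0) ? RET_HIJACKED : RET_BENIGN;
}

int main(void) {
    printf("unchecked copy: control %s\n",
           exercise(0) == RET_HIJACKED ? "hijacked" : "returned normally");
    printf("checked copy:   control %s\n",
           exercise(1) == RET_HIJACKED ? "hijacked" : "returned normally");
    return 0;
}
```

In the unchecked case the 24-byte payload overwrites the 8 bytes after the buffer, so the simulated return lands in `attacker_target`; with the length check the same payload is rejected and the frame returns to its legitimate caller. In the chapter's terms, `attacker_target` stands for injected shellcode in the pre-DEP era and for an existing code fragment (a libc function or gadget) once injected code can no longer execute.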

Copyright information

© The Author(s) 2015

Authors and Affiliations

  • Lucas Davi, CASED, Technische Universität Darmstadt, Darmstadt, Germany
  • Ahmad-Reza Sadeghi, CASED, Technische Universität Darmstadt, Darmstadt, Germany