
Background and Evolution of Code-Reuse Attacks

Building Secure Defenses Against Code-Reuse Attacks

Part of the book series: SpringerBriefs in Computer Science ((BRIEFSCOMPUTER))


Abstract

In general, control-flow attacks allow an adversary to subvert the intended execution flow of a program by exploiting a program error. For instance, a buffer overflow error can be exploited to write data beyond the boundaries of the buffer. As a consequence, an adversary can overwrite critical control-flow information that is located close to the buffer. Since control-flow information guides the program's execution flow, an adversary can thereby trigger malicious and unintended program actions such as installing a backdoor, injecting malware, or accessing sensitive data.
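The mechanism the abstract describes (an unchecked copy spilling past a fixed-size buffer into the control-flow data that sits next to it) can be shown without touching a real stack frame. The following is an added illustration, not code from the chapter or its authors: it models a frame as a byte array in which an 8-byte input buffer is immediately followed by a 4-byte control field (standing in for a return address or function pointer), and contrasts an unchecked copy with a bounded one. The frame layout, the handler values and the oversized input are all constructed here for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame: a fixed-size input buffer followed
 * immediately by a control-flow field. Both live inside one backing array
 * so the oversized copy below only ever writes bytes this program owns. */
#define BUF_LEN   8
#define FRAME_LEN (BUF_LEN + sizeof(uint32_t))

/* Assumed control values: which handler the program will dispatch to next. */
enum { HANDLER_SAFE = 1, HANDLER_ADMIN = 2 };

/* Read the control-flow field stored just after the buffer. */
static uint32_t frame_handler(const unsigned char *frame) {
    uint32_t h;
    memcpy(&h, frame + BUF_LEN, sizeof h);
    return h;
}

/* Zero the buffer and set the control-flow field to a known handler. */
static void frame_init(unsigned char *frame, uint32_t handler) {
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + BUF_LEN, &handler, sizeof handler);
}

/* Unchecked copy: trusts the caller-supplied length, like strcpy/memcpy on
 * untrusted input. Returns the control-flow field after the copy. The clamp
 * only keeps the demonstration inside the backing array. */
uint32_t copy_unchecked(unsigned char *frame, const unsigned char *in, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(frame, in, n);
    return frame_handler(frame);
}

/* Bounded copy: refuses any input that does not fit the buffer, so the
 * control-flow field can never be reached. Returns 0 on success, -1 on reject. */
int copy_bounded(unsigned char *frame, const unsigned char *in, size_t n) {
    if (n > BUF_LEN) return -1;
    memcpy(frame, in, n);
    return 0;
}

/* Constructed oversized input: BUF_LEN filler bytes, then a natively encoded
 * HANDLER_ADMIN, i.e. exactly the bytes that land on the control field. */
static size_t build_oversized_input(unsigned char *out) {
    uint32_t v = HANDLER_ADMIN;
    memset(out, 'A', BUF_LEN);
    memcpy(out + BUF_LEN, &v, sizeof v);
    return BUF_LEN + sizeof v;
}

/* Control field observed after the unchecked copy: HANDLER_ADMIN (2). */
uint32_t demo_unchecked(void) {
    unsigned char frame[FRAME_LEN], in[FRAME_LEN];
    size_t n = build_oversized_input(in);
    frame_init(frame, HANDLER_SAFE);
    return copy_unchecked(frame, in, n);
}

/* Control field observed after the bounded copy: still HANDLER_SAFE (1). */
uint32_t demo_bounded(void) {
    unsigned char frame[FRAME_LEN], in[FRAME_LEN];
    size_t n = build_oversized_input(in);
    frame_init(frame, HANDLER_SAFE);
    (void)copy_bounded(frame, in, n);   /* returns -1: input rejected */
    return frame_handler(frame);
}

/* Return code of the bounded copy on the oversized input: -1. */
int demo_bounded_result(void) {
    unsigned char frame[FRAME_LEN], in[FRAME_LEN];
    size_t n = build_oversized_input(in);
    frame_init(frame, HANDLER_SAFE);
    return copy_bounded(frame, in, n);
}

int main(void) {
    printf("unchecked copy -> handler %u\n", (unsigned)demo_unchecked());
    printf("bounded copy   -> handler %u (rc %d)\n",
           (unsigned)demo_bounded(), demo_bounded_result());
    return 0;
}
```

The point of the two functions is the length check alone: the unchecked variant lets 12 bytes of input rewrite the field that decides where execution goes next, while the bounded variant never accepts more than the buffer can hold, so the control field keeps its original value. Real frames differ in layout and in what the control data is (return address, saved frame pointer, function pointer), but the defect and its fix are the same.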


Notes

  1. To control the register, the adversary can either use a buffer overflow exploit that overwrites memory areas that are used to load the target register, or invoke a sequence that initializes the target register and then directly calls the stack pivot.


Copyright information

© 2015 The Author(s)

Cite this chapter

Davi, L., Sadeghi, AR. (2015). Background and Evolution of Code-Reuse Attacks. In: Building Secure Defenses Against Code-Reuse Attacks. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-25546-0_2

  • DOI: https://doi.org/10.1007/978-3-319-25546-0_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25544-6

  • Online ISBN: 978-3-319-25546-0

  • eBook Packages: Computer Science (R0)