Abstract
Current low-level exploits often rely on code-reuse, whereby short sections of code (gadgets) are chained together into a coherent exploit that can be executed without the need to inject any code. Several protection mechanisms attempt to eliminate this attack vector by applying code transformations to reduce the number of available gadgets. Nevertheless, it has emerged that the residual gadgets can still be sufficient to conduct a successful attack. Crucially, the lack of a common metric for “gadget quality” hinders the effective comparison of current mitigations.
This work proposes four metrics that assign scores to a set of gadgets, measuring quality, usefulness, and practicality. We apply these metrics to binaries produced when compiling programs for architectures implementing Intel’s recent MPX CPU extensions. Our results demonstrate a 17 % increase in useful gadgets in MPX binaries, and a decrease in side-effects and preconditions, making them better suited for ROP attacks.
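To make the code-reuse scenario in the abstract concrete, here is an added example that is not part of the paper: a byte-level scan for ret-terminated gadgets over a constructed x86-64 byte string (hand-assembled for this example, not taken from any binary), with a toy classification of `pop r64; ret` and `syscall; ret` as "useful" gadgets and a weighted score. That classification and the weights are assumptions of this example standing in for the paper's four metrics, which the page does not spell out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Per-scan counts. pop_ret and syscall_ret stand in for the abstract's
 * "useful gadget" notion; the classification is an assumption of this
 * example, not one of the paper's metrics. */
typedef struct {
    size_t ret_gadgets;  /* every 0xC3 byte: each one ends a candidate gadget     */
    size_t pop_ret;      /* pop r64 ; ret  (single-byte pop 0x58..0x5F before ret) */
    size_t syscall_ret;  /* syscall ; ret  (0x0F 0x05 0xC3)                        */
} gadget_stats;

/* Constructed x86-64 byte string (assumption: hand-assembled for this
 * example, not from any real binary). Offsets are given for reference. */
static const uint8_t sample_code[] = {
    0x48, 0x89, 0xc7,              /*  0: mov rdi, rax                          */
    0x5f, 0xc3,                    /*  3: pop rdi ; ret                         */
    0x48, 0x83, 0xc4, 0x08,        /*  5: add rsp, 8                            */
    0x5e, 0x5a, 0xc3,              /*  9: pop rsi ; pop rdx ; ret               */
    0x0f, 0x05, 0xc3,              /* 12: syscall ; ret                         */
    0xb8, 0xc3, 0x00, 0x00, 0x00,  /* 15: mov eax, 0xc3 (0xC3 inside the imm32) */
    0x5b, 0xff, 0xe0,              /* 20: pop rbx ; jmp rax (no ret: skipped)   */
};

static int is_pop_r64(uint8_t b) { return b >= 0x58 && b <= 0x5f; }

/* Linear scan for ret-terminated gadgets. Every 0xC3 counts as a ret,
 * including the one inside the mov immediate at offset 16: x86 decodes
 * from any byte, so that "unintended" ret is as usable as the intended
 * ones. A real gadget finder disassembles backwards from each ret; this
 * scan only inspects the one or two bytes in front of it. */
gadget_stats scan_gadgets(const uint8_t *code, size_t len)
{
    gadget_stats s = {0, 0, 0};
    for (size_t i = 0; i < len; i++) {
        if (code[i] != 0xc3)
            continue;
        s.ret_gadgets++;
        if (i >= 1 && is_pop_r64(code[i - 1]))
            s.pop_ret++;
        if (i >= 2 && code[i - 2] == 0x0f && code[i - 1] == 0x05)
            s.syscall_ret++;
    }
    return s;
}

/* Toy usefulness score (weights are an assumption of this example):
 * register loaders and syscall gadgets are what a chain builder needs
 * most; a bare ret only pads the chain. */
size_t usefulness_score(gadget_stats s)
{
    size_t plain = s.ret_gadgets - s.pop_ret - s.syscall_ret;
    return 2 * s.pop_ret + 3 * s.syscall_ret + plain;
}

int main(void)
{
    size_t len = sizeof sample_code;
    for (size_t i = 0; i < len; i++) {
        if (sample_code[i] != 0xc3)
            continue;
        size_t start = i >= 3 ? i - 3 : 0;
        printf("ret at offset %2zu, preceding bytes:", i);
        for (size_t j = start; j < i; j++)
            printf(" %02x", sample_code[j]);
        printf("\n");
    }
    gadget_stats s = scan_gadgets(sample_code, len);
    printf("rets=%zu pop;ret=%zu syscall;ret=%zu score=%zu\n",
           s.ret_gadgets, s.pop_ret, s.syscall_ret, usefulness_score(s));
    return 0;
}
```

Compile with `cc -std=c11 -Wall gadgets.c && ./a.out`. The scan reports four rets (one of them the unintended 0xC3 inside `mov eax, 0xc3`), two `pop r64; ret` gadgets and one `syscall; ret`; the `pop rbx; jmp rax` tail is not counted because a ret-only scan ignores jump-terminated gadgets. The unintended ret is the practical reason why mitigations that merely reduce the number of intended gadgets leave residual material for an attacker, as the abstract notes.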
The stamp on the top of this paper refers to an approval process conducted by the ESSoS artifact evaluation committee chaired by Alessandra Gorla and Jacques Klein.
At the time this research was conducted Eric Bodden was at Fraunhofer SIT and TU Darmstadt.
Acknowledgements
We want to express our thanks to the anonymous reviewers for their valuable comments. In particular, we want to thank our shepherd, Mathias Payer, who helped us give this paper its final form. This work was supported by the BMBF within EC SPRIDE, by the Hessian LOEWE excellence initiative within CASED, by the DFG Collaborative Research Center CROSSING, by the DFG Priority Program 1496 Reliably Secure Software Systems, and the project INTERFLOW.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Follner, A., Bartel, A., Bodden, E. (2016). Analyzing the Gadgets. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2016. Lecture Notes in Computer Science(), vol 9639. Springer, Cham. https://doi.org/10.1007/978-3-319-30806-7_10
DOI: https://doi.org/10.1007/978-3-319-30806-7_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30805-0
Online ISBN: 978-3-319-30806-7
eBook Packages: Computer Science, Computer Science (R0)