Abstract
With the advent of the low-level exploit mitigation techniques W⊕X, ASLR, and stack canaries, the attacker has in most cases been forced to use ROP (Return-Oriented Programming) to achieve arbitrary code execution. Strong, fine-grained ASLR has raised the bar further, requiring the attacker to possess an information leak or a primitive to read memory. As a further mitigation against this attack scenario, XnR (Execute-no-Read) and similar protections have been proposed, which prevent an attacker from reading executable memory. This paper shows that BROP (Blind Return-Oriented Programming) can in certain cases be used to defeat mitigation techniques similar to XnR on Linux x86-64. We examine some important aspects of BROP and its First Principles counterpart in the context of defeating XnR, and present and discuss extensions and complications. An exploit implementation is also presented and discussed, showing that XnR by itself, without sufficiently strong ASLR, offers no protection against BROP-type reading of memory: the attacker never reads code pages, but infers their contents and the stack's contents from crash/no-crash behaviour across connections to a server whose address layout stays fixed.
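The abstract's central point is that BROP-style "reading" does not touch executable memory at all: the attacker only observes whether a forked worker crashes, so a policy that forbids reads of code pages is irrelevant, and what actually matters is whether the layout (and the canary) survives from one connection to the next. The following C simulation, added here as an illustration and not taken from the paper or its exploit implementation, models the stack-reading step of BROP (Bittau et al.) against a fork server. The server, its xorshift-seeded canary, the single-bit crash oracle and the `rerandomize` switch are all constructed for the example; the only real-world detail borrowed is that glibc keeps the lowest canary byte zero.

```c
/* Added example, not from the paper: a simulation of BROP "stack reading".
 * Assumptions (constructed for this example):
 *  - the target is a forking server; children inherit the parent's memory,
 *    so the stack canary is identical across connections unless rerandomize=1;
 *  - the attacker's only signal is crash (connection closed) vs. no crash;
 *  - nothing here reads memory, which is why an execute-no-read policy on
 *    code pages does not interfere with the technique. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY_LEN 8

typedef struct {
    uint8_t  canary[CANARY_LEN];
    int      rerandomize;  /* 1: fresh canary per connection (models per-fork rerandomization) */
    uint64_t rng;          /* deterministic xorshift state, so runs are reproducible */
    unsigned queries;      /* connections consumed by the attacker */
} server_t;

static uint64_t xorshift64(uint64_t *s) {
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

static void new_canary(server_t *srv) {
    uint64_t r = xorshift64(&srv->rng);
    memcpy(srv->canary, &r, CANARY_LEN);
    srv->canary[0] = 0;  /* glibc zeroes the low canary byte to stop string-copy leaks */
}

void server_init(server_t *srv, uint64_t seed, int rerandomize) {
    srv->rng = seed ? seed : 1;  /* xorshift must not start at zero */
    srv->rerandomize = rerandomize;
    srv->queries = 0;
    new_canary(srv);
}

/* One connection: the attacker overflows the buffer and overwrites the first
 * n bytes of the canary. The child "crashes" (returns 0) if any overwritten
 * byte differs from the real canary, and survives (returns 1) otherwise. */
int connection(server_t *srv, const uint8_t *payload, size_t n) {
    srv->queries++;
    if (srv->rerandomize) new_canary(srv);  /* this child got a fresh canary */
    return memcmp(payload, srv->canary, n) == 0;
}

/* BROP stack reading: extend the overwrite by one byte at a time and try all
 * 256 values for the new byte; the first value that does not crash is right.
 * Returns the number of canary bytes recovered (CANARY_LEN on success).
 * Worst case is CANARY_LEN * 256 = 2048 connections instead of 2^64 guesses. */
int stack_read(server_t *srv, uint8_t out[CANARY_LEN]) {
    for (size_t i = 0; i < CANARY_LEN; i++) {
        int found = 0;
        for (int guess = 0; guess < 256; guess++) {
            out[i] = (uint8_t)guess;
            if (connection(srv, out, i + 1)) { found = 1; break; }
        }
        if (!found) return (int)i;  /* no value survived: the layout changed under us */
    }
    return CANARY_LEN;
}

/* Fixed layout across forks: returns 1 if the full canary was recovered
 * within the 2048-connection budget, 0 otherwise. */
int demo_fixed_layout(void) {
    server_t srv; uint8_t leaked[CANARY_LEN];
    server_init(&srv, 0x1234abcdULL, 0);
    int n = stack_read(&srv, leaked);
    return n == CANARY_LEN && memcmp(leaked, srv.canary, CANARY_LEN) == 0
           && srv.queries <= CANARY_LEN * 256;
}

/* Rerandomized canary per connection: returns how many bytes the same attack
 * recovers before the oracle stops agreeing (far fewer than CANARY_LEN). */
int demo_rerandomized(void) {
    server_t srv; uint8_t leaked[CANARY_LEN];
    server_init(&srv, 0x1234abcdULL, 1);
    return stack_read(&srv, leaked);
}

int main(void) {
    printf("fixed layout: full canary recovered = %d\n", demo_fixed_layout());
    printf("rerandomized: bytes recovered before failure = %d of %d\n",
           demo_rerandomized(), CANARY_LEN);
    return 0;
}
```

The same byte-at-a-time oracle is what BROP later uses to locate a stop gadget and the BROP gadget in the text segment; at no point does the attacker need a read primitive on code pages, which is the sense in which XnR alone offers no protection. The `rerandomize` branch models the paper's caveat: once each child gets a fresh canary or layout, the oracle's answers stop accumulating and the attack fails after one or two bytes.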
References
Backes, M., Holz, T., Kollenda, B., Koppe, P., Nürnberger, S., Pewny, J.: You can run but you can’t read: preventing disclosure exploits in executable code. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS 2014), pp. 1342–1353, NY, USA (2014). http://doi.acm.org/10.1145/2660267.2660378
Bittau, A., Belay, A., Mashtizadeh, A., Mazières, D., Boneh, D.: Hacking blind. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy (SP 2014), pp. 227–242 (2014). http://dx.doi.org/10.1109/SP.2014.22
Conti, M., Crane, S., Frassetto, T., Homescu, A., Koppen, G., Larsen, P., Liebchen, C., Perry, M., Sadeghi, A.R.: Selfrando: securing the Tor Browser against de-anonymization exploits. In: The Annual Privacy Enhancing Technologies Symposium (PETS), July 2016
Crane, S., Liebchen, C., Homescu, A., Davi, L., Larsen, P., Sadeghi, A.R., Brunthaler, S., Franz, M.: Readactor: practical code randomization resilient to memory disclosure. In: 36th IEEE Symposium on Security and Privacy (Oakland), May 2015
Davi, L.V., Dmitrienko, A., Nürnberger, S., Sadeghi, A.R.: Gadge me if you can: secure and efficient ad-hoc instruction-level randomization for x86 and ARM. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIA CCS 2013), pp. 299–310, NY, USA (2013). http://doi.acm.org/10.1145/2484313.2484351
Hiser, J., Nguyen-Tuong, A., Co, M., Hall, M., Davidson, J.: ILR: where’d my gadgets go? In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 571–585, May 2012
Hu, H., Chua, Z.L., Adrian, S., Saxena, P., Liang, Z.: Automatic generation of data-oriented exploits. In: Proceedings of the 24th USENIX Conference on Security Symposium (SEC 2015), pp. 177–192. USENIX Association, Berkeley, CA, USA (2015). http://dl.acm.org/citation.cfm?id=2831143.2831155
Keener, L.: Evaluating the generality and limits of blind return-oriented programming attacks. Ph.D. thesis, Naval Postgraduate School, Monterey, California (2015). http://calhoun.nps.edu/handle/10945/47979
Maisuradze, G., Backes, M., Rossow, C.: What cannot be read, cannot be leveraged? revisiting assumptions of JIT-ROP defenses. In: 25th USENIX Security Symposium (USENIX Security 2016), pp. 139–156. USENIX Association, Austin, TX (2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/maisuradze
Marco, H., Ripoll, I.: ASLR-NG: ASLR Next Generation. http://cybersecurity.upv.es/solutions/aslr-ng/aslr-ng.html. Accessed 06 July 2016
Snow, K.Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., Sadeghi, A.R.: Just-in-time code reuse: on the effectiveness of fine-grained address space layout randomization. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP 2013), pp. 574–588 (2013). http://dx.doi.org/10.1109/SP.2013.45
Tang, A., Sethumadhavan, S., Stolfo, S.: Heisenbyte: thwarting memory disclosure attacks using destructive code reads. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS 2015), pp. 256–267, NY, USA (2015). http://doi.acm.org/10.1145/2810103.2813685
Wartell, R., Mohan, V., Hamlen, K.W., Lin, Z.: Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS 2012), pp. 157–168, NY, USA (2012). http://doi.acm.org/10.1145/2382196.2382216
Werner, J., Baltas, G., Dallara, R., Otterness, N., Snow, K.Z., Monrose, F., Polychronakis, M.: No-execute-after-read: preventing code disclosure in commodity software. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security (ASIA CCS 2016), pp. 35–46, NY, USA (2016). http://doi.acm.org/10.1145/2897845.2897891
© 2017 Springer Nature Singapore Pte Ltd.
Cite this paper
Otterstad, C. (2017). On the Effectiveness of Non-readable Executable Memory Against BROP. In: Batten, L., Kim, D., Zhang, X., Li, G. (eds) Applications and Techniques in Information Security. ATIS 2017. Communications in Computer and Information Science, vol 719. Springer, Singapore. https://doi.org/10.1007/978-981-10-5421-1_18
DOI: https://doi.org/10.1007/978-981-10-5421-1_18
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-5420-4
Online ISBN: 978-981-10-5421-1