DOI: 10.1145/3436829.3436865

Survey of Code Reuse Attacks and Comparison of Mitigation Techniques

Published: 05 January 2021 Publication History

Abstract

Code-Reuse Attacks (CRAs) are a reliable way to bypass advanced software and hardware defenses. They exploit memory-corruption vulnerabilities that let an attacker overwrite the memory of the vulnerable program and maliciously modify its contents, thereby hijacking the program's control flow and executing arbitrary computations assembled from code that is already present in the process. Defenses against CRAs work by preventing the attacker from reading program code, or by preventing the attacker from controlling the program's memory, whether directly or indirectly through pointers. This paper provides a thorough evaluation of the current mitigation techniques against CRAs with regard to their performance overhead, coverage, and efficiency.
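The mechanism the abstract describes, as an added example that is not code from the paper: a length-unchecked copy corrupts a code pointer stored next to a fixed-size field, the corrupted pointer is steered at a function that already exists in the binary (code reuse, nothing injected), and two of the defence classes the abstract names are shown beside it, a bounds check that denies control of the pointer and a coarse forward-edge CFI check that refuses the corrupted target. The record format, the function names, and the assumption that the attacker already knows the address of `privileged_action` (an information leak, or no ASLR) are all constructed for this example; the layout assumption that the code pointer follows the buffer is made explicit through `offsetof()`.

```c
/* Added example, not code from the surveyed paper. Build and run with:
 *   cc -std=c11 -Wall -o cra_demo cra_demo.c && ./cra_demo
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct record {
    char name[16];          /* filled from untrusted input */
    void (*handler)(void);  /* code pointer stored right after it */
};

static int privileged_calls;
static int benign_calls;

/* Existing code in the binary that no legitimate record ever points at. */
void privileged_action(void) { privileged_calls++; }

/* The only handler a legitimate record is supposed to use. */
void benign_action(void) { benign_calls++; }

int privileged_call_count(void) { return privileged_calls; }
int benign_call_count(void) { return benign_calls; }

/* Message format (constructed for this example): 1-byte length, then bytes. */

/* Vulnerable parser: trusts the length byte, so bytes 16.. spill onto
 * r->handler, which sits immediately after name[] in the struct. */
int parse_record_vulnerable(struct record *r, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1 || msg_len < 1 + (size_t)msg[0]) return -1;
    memcpy(r->name, msg + 1, msg[0]);   /* BUG: no check against sizeof r->name */
    return 0;
}

/* Hardened parser: the copy can never leave the field. */
int parse_record_hardened(struct record *r, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1 || msg_len < 1 + (size_t)msg[0]) return -1;
    if (msg[0] > sizeof r->name) return -1;   /* reject an oversized field */
    memcpy(r->name, msg + 1, msg[0]);
    return 0;
}

/* Coarse forward-edge CFI: an indirect call may only reach an allow-listed
 * target. Returns 1 if the call was made, 0 if it was blocked. */
int dispatch_checked(const struct record *r)
{
    static void (*const allowed[])(void) = { benign_action };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (r->handler == allowed[i]) { r->handler(); return 1; }
    }
    return 0;
}

/* Attacker's message: filler up to the code pointer, then the address of
 * privileged_action. Knowing that address is an assumption of this example
 * (an info leak or no ASLR); memory-secrecy defences exist to deny it.
 * Returns the message length, or 0 if the output buffer is too small. */
size_t build_attack_message(uint8_t *out, size_t out_len)
{
    void (*target)(void) = privileged_action;
    size_t body = offsetof(struct record, handler) + sizeof target;
    if (body > 255 || out_len < 1 + body) return 0;
    out[0] = (uint8_t)body;
    memset(out + 1, 'A', offsetof(struct record, handler));
    memcpy(out + 1 + offsetof(struct record, handler), &target, sizeof target);
    return 1 + body;
}

int main(void)
{
    uint8_t msg[64];
    size_t n = build_attack_message(msg, sizeof msg);
    struct record victim  = { "", benign_action };
    struct record guarded = { "", benign_action };

    parse_record_vulnerable(&victim, msg, n);
    printf("vulnerable parser: handler now points at privileged_action? %s\n",
           victim.handler == privileged_action ? "yes" : "no");
    victim.handler();   /* unchecked indirect call: the reused code runs */
    printf("privileged_action ran %d time(s)\n", privileged_call_count());

    printf("hardened parser rejected the message: %s\n",
           parse_record_hardened(&guarded, msg, n) == -1 ? "yes" : "no");
    printf("CFI blocked the corrupted target: %s\n",
           dispatch_checked(&victim) == 0 ? "yes" : "no");
    return 0;
}
```

The allow-list in `dispatch_checked` is deliberately coarse: it stops this payload because `privileged_action` is not a permitted target at that call site, but a corrupted pointer aimed at another allow-listed function would pass, which is the precision gap that the attacks on coarse-grained CFI exploit. The bounds check in the hardened parser is the stronger fix here, since it removes the write that gives the attacker control of the pointer in the first place.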

Cited By

  • Solder: Retrofitting Legacy Code with Cross-Language Patches. 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 49-60, March 2023. DOI: 10.1109/SANER56733.2023.00015
  • NG-MVEE: A New Proposed Hybrid Technique for Enhanced Mitigation of Code Re-Use Attack. IEEE Access, vol. 11, pp. 48169-48191, 2023. DOI: 10.1109/ACCESS.2023.3269881

    Published In

    ICSIE '20: Proceedings of the 9th International Conference on Software and Information Engineering
    November 2020
    251 pages
    ISBN:9781450377218
    DOI:10.1145/3436829
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    In-Cooperation

    • Ain Shams University: Ain Shams University, Egypt

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. CRA
    2. ROP
    3. efficiency
    4. exploit mitigation
    5. security

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ICSIE 2020
