Article

Surgically Returning to Randomized lib(c)

Authors:

Giampaolo Fresi Roglia,

Lorenzo Martignoni,

Roberto Paleari,

Danilo BruschiAuthors Info & Claims

ACSAC '09: Proceedings of the 2009 Annual Computer Security Applications Conference

Pages 60 - 69

https://doi.org/10.1109/ACSAC.2009.16

Published: 07 December 2009 Publication History

Publisher Site

Abstract

To strengthen systems against code injection attacks, the write or execute only policy (W + X) and address space layout randomization (ASLR) are typically used in combination. The former separates data and code, while the latter randomizes the layout of a process. In this paper we present a new attack to bypass W + X and ASLR. The state-of-the-art attack against this combination of protections is based on brute-force, while ours is based on the leakage of sensitive information about the memory layout of the process. Using our attack an attacker can exploit the majority of programs vulnerable to stack-based buffer overflows surgically, i.e., in a single attempt. We have estimated that our attack is feasible on 95.6% and 61.8% executables (of medium size) for Intel x86 and x86-64 architectures, respectively. We also analyze the effectiveness of other existing protections at preventing our attack. We conclude that position independent executables (PIE) are essential to complement ASLR and to prevent our attack. However, PIE requires recompilation, it is often not adopted even when supported, and it is not available on all ASLR-capable operating systems. To overcome these limitations, we propose a new protection that is as effective as PIE, does not require recompilation, and introduces only a minimal overhead.

Cited By

View all

Nikolaev RNadeem HStone CRavindran BFalsafi BFerdman MLu SWenisch T(2022)Adelie: continuous address space layout re-randomization for Linux driversProceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems10.1145/3503222.3507779(483-498)Online publication date: 28-Feb-2022
https://dl.acm.org/doi/10.1145/3503222.3507779
Schwartz ECohen CGennari JSchwartz SLigatti JOu XKatz JVigna G(2020)A Generic Technique for Automatically Finding Defense-Aware Code Reuse AttacksProceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security10.1145/3372297.3417234(1789-1801)Online publication date: 30-Oct-2020
https://dl.acm.org/doi/10.1145/3372297.3417234
Wang ZWu CZhang YTang BYew PXie MLai YKang YCheng YShi ZHeninger NTraynor P(2019)SafehiddenProceedings of the 28th USENIX Conference on Security Symposium10.5555/3361338.3361424(1239-1256)Online publication date: 14-Aug-2019
https://dl.acm.org/doi/10.5555/3361338.3361424
Show More Cited By

Recommendations

On the Security of Randomized Defenses Against Adversarial Samples
ASIA CCS '20: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

Deep Learning has been shown to be particularly vulnerable to adversarial samples. To combat adversarial strategies, numerous defensive techniques have been proposed. Among these, a promising approach is to use randomness in order to make the ...
Cryptanalysis of Ha-Moon's Countermeasure of Randomized Signed Scalar Multiplication

Side channel attacks (SCA) are serious attacks on mobile devices. In SCA, the attacker can observe the side channel information while the device performs the cryptographic operations, and he/she can detect the secret stored in the device using such side ...
Launching Return-Oriented Programming Attacks against Randomized Relocatable Executables
TRUSTCOM '11: Proceedings of the 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications

Since the day it was proposed, return-oriented programming has shown to be an effective and powerful attack technique against the write or execute only (W xor X) protection. However, a general belief in the previous research is, systems deployed with ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ACSAC '09: Proceedings of the 2009 Annual Computer Security Applications Conference

December 2009

492 pages

ISBN:9780769539195

Publisher

IEEE Computer Society

United States

Publication History

Published: 07 December 2009

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

32
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 16 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Nikolaev RNadeem HStone CRavindran BFalsafi BFerdman MLu SWenisch T(2022)Adelie: continuous address space layout re-randomization for Linux driversProceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems10.1145/3503222.3507779(483-498)Online publication date: 28-Feb-2022
https://dl.acm.org/doi/10.1145/3503222.3507779
Schwartz ECohen CGennari JSchwartz SLigatti JOu XKatz JVigna G(2020)A Generic Technique for Automatically Finding Defense-Aware Code Reuse AttacksProceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security10.1145/3372297.3417234(1789-1801)Online publication date: 30-Oct-2020
https://dl.acm.org/doi/10.1145/3372297.3417234
Wang ZWu CZhang YTang BYew PXie MLai YKang YCheng YShi ZHeninger NTraynor P(2019)SafehiddenProceedings of the 28th USENIX Conference on Security Symposium10.5555/3361338.3361424(1239-1256)Online publication date: 14-Aug-2019
https://dl.acm.org/doi/10.5555/3361338.3361424
Marco-Gisbert HRipoll-Ripoll I(2019)SSPFAInternational Journal of Information Security10.1007/s10207-018-00425-818:4(519-532)Online publication date: 1-Aug-2019
https://dl.acm.org/doi/10.1007/s10207-018-00425-8
Wang ZWu CLi JLai YZhang XHsu WCheng Y(2017)ReRanzACM SIGPLAN Notices10.1145/3140607.305075252:7(143-156)Online publication date: 8-Apr-2017
https://dl.acm.org/doi/10.1145/3140607.3050752
Elsabagh MFleck DStavrou AKarri RSinanoglu OSadeghi AYi X(2017)Strict Virtual Call Integrity Checking for C++ BinariesProceedings of the 2017 ACM on Asia Conference on Computer and Communications Security10.1145/3052973.3052976(140-154)Online publication date: 2-Apr-2017
https://dl.acm.org/doi/10.1145/3052973.3052976
Rein AKarri RSinanoglu OSadeghi AYi X(2017)DRIVEProceedings of the 2017 ACM on Asia Conference on Computer and Communications Security10.1145/3052973.3052975(728-742)Online publication date: 2-Apr-2017
https://dl.acm.org/doi/10.1145/3052973.3052975
Wang ZWu CLi JLai YZhang XHsu WCheng Y(2017)ReRanzProceedings of the 13th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments10.1145/3050748.3050752(143-156)Online publication date: 8-Apr-2017
https://dl.acm.org/doi/10.1145/3050748.3050752
Evtyushkin DPonomarev DAbu-Ghazaleh NHsu WYang CLipasti MLee H(2016)Jump over ASLRThe 49th Annual IEEE/ACM International Symposium on Microarchitecture10.5555/3195638.3195686(1-13)Online publication date: 15-Oct-2016
https://dl.acm.org/doi/10.5555/3195638.3195686
Williams-King DGobieski GWilliams-King KBlake JYuan XColp PZheng MKemerlis VYang JAiello WKeeton KRoscoe T(2016)ShufflerProceedings of the 12th USENIX conference on Operating Systems Design and Implementation10.5555/3026877.3026906(367-382)Online publication date: 2-Nov-2016
https://dl.acm.org/doi/10.5555/3026877.3026906
Show More Cited By

Abstract

Cited By

Recommendations

On the Security of Randomized Defenses Against Adversarial Samples

Cryptanalysis of Ha-Moon's Countermeasure of Randomized Signed Scalar Multiplication

Launching Return-Oriented Programming Attacks against Randomized Relocatable Executables

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations