Filter-resistant code injection on ARM

Research article, CCS '09 (ACM Conference on Computer and Communications Security)
DOI: 10.1145/1653662.1653665
Published: 09 November 2009

Abstract

Code injection attacks are one of the most powerful and important classes of attacks on software. In such attacks, the attacker sends malicious input to a software application, where it is stored in memory. The malicious input is chosen in such a way that its representation in memory is also a valid representation of a machine code program that performs actions chosen by the attacker. The attacker then triggers a bug in the application to divert the control flow to this injected machine code. A typical action of the injected code is to launch a command interpreter shell, and hence the malicious input is often called shellcode.
Attacks are usually performed against network-facing applications, and such applications often perform validations or encodings on input. Hence, a typical hurdle for attackers is that the shellcode has to pass one or more filtering methods before it is stored in the vulnerable application's memory space. Clearly, for a code injection attack to succeed, the malicious input must survive such validations and transformations. Alphanumeric input (consisting only of letters and digits) is typically very robust for this purpose: it passes most filters and is untouched by most transformations.
This paper studies the power of alphanumeric shellcode on the 32-bit ARM RISC processor. It shows that the subset of ARM machine code programs that (when interpreted as data) consist only of alphanumeric characters is a Turing-complete subset. This is a non-trivial result, as the number of instructions that consist only of alphanumeric characters is very limited. To craft useful exploit code (and to achieve Turing completeness), several tricks are needed, including the use of self-modifying code.




Published In

CCS '09: Proceedings of the 16th ACM conference on Computer and communications security
November 2009, 664 pages
ISBN: 9781605588940
DOI: 10.1145/1653662

Publisher: Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. alphanumeric shellcode
    2. filter-resistance
    3. turing completeness


Conference: CCS '09

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


Cited By

• (2021) Defending False Data Injection on State Estimation Over Fading Wireless Channels. IEEE Transactions on Information Forensics and Security 16, 1424-1439. doi:10.1109/TIFS.2020.3031378
• (2016) Towards Multistep Electricity Prices in Smart Grid Electricity Markets. IEEE Transactions on Parallel and Distributed Systems 27(1), 286-302. doi:10.1109/TPDS.2015.2388479
• (2015) A Novel En-Route Filtering Scheme Against False Data Injection Attacks in Cyber-Physical Networked Systems. IEEE Transactions on Computers 64(1), 4-18. doi:10.1109/TC.2013.177
• (2012) Runtime countermeasures for code injection attacks against C and C++ programs. ACM Computing Surveys 44(3), 1-28. doi:10.1145/2187671.2187679
• (2012) Defining code-injection attacks. Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, 179-190. doi:10.1145/2103656.2103678
• (2012) Defining code-injection attacks. ACM SIGPLAN Notices 47(1), 179-190. doi:10.1145/2103621.2103678
• (2011) SHELLOS. Proceedings of the 20th USENIX conference on Security, 9-9. doi:10.5555/2028067.2028076
• (2011) Unicode-proof code injection attack on Windows CE: A novel approach of evading intrusion detection system for mobile network. 2011 IEEE 3rd International Conference on Communication Software and Networks, 116-120. doi:10.1109/ICCSN.2011.6013556
• (2011) Filter-resistant code injection on ARM. Journal in Computer Virology 7(3), 173-188. doi:10.1007/s11416-010-0146-0
• (2010) Platform-independent programs. Proceedings of the 17th ACM conference on Computer and communications security, 547-558. doi:10.1145/1866307.1866369
