On trends in low-level exploitation

Authors

  • Christian W. Otterstad University of Bergen

Abstract

Low-level computer exploitation and its mitigation counterpart have accumulated a noteworthy history. Presently, especially in academia, the field features a plethora of mitigation techniques as well as various possible modes of attack. Numerous developments have built upon the basic methods on both sides, and certain trends have emerged. This paper is primarily an overview paper, focusing especially on x86 GNU/Linux. The underlying reasons that make low-level exploitation possible are identified and explained to provide background knowledge. The paper furthermore describes the history, the present state of the art and the future developments that are topical and appear to be important in the field. Several attack and defense techniques overlap in their underlying notions, with differences that are not always obvious. The notion of the bar being raised for both exploits and mitigation methods is examined and extrapolated upon, based on the known relevant present state and history. The difference between academia and industry is discussed, especially as it relates to the adoption of new mitigation techniques. Based on this examination, some patterns and trends are identified, and a conjecture for the likely future development of both is presented and justified.

Author Biography

Christian W. Otterstad, University of Bergen

Department of Informatics

Published

2016-11-30

Section

Norsk Informasjonssikkerhetskonferanse 2016