Abstract
In the continuous arms race between attackers and defenders, various attack vectors against script engines have been exploited and subsequently secured. This paper explores a new attack vector that has not received much academic scrutiny: bytecode and its lookup tables. Based on our study of the internals of modern bytecode interpreters, we present four distinct strategies to achieve arbitrary code execution in an interpreter. To protect interpreters from our attack we propose two separate defense strategies: bytecode pointer checksums and non-writable enforcement. To demonstrate the feasibility of our approach, we instantiate our attacks and proposed defense strategies for Python and Lua interpreters. Our evaluation shows that the proposed defenses effectively mitigate bytecode injection attacks with low overheads of less than 16% on average.
Acknowledgements
We would like to thank Stephen Crane, Bart Coppens, our shepherd Vasileios Kemerlis, and the anonymous reviewers for their valuable input.
This material is based upon work partially supported by the Defense Advanced Research Projects Agency (DARPA) under contracts FA8750-15-C-0124 and FA8750-15-C-0085, by the National Science Foundation under award numbers CNS-1513837 and CNS-1619211, and by the Office for Naval Research under award number N00014-17-1-2782.
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA), its Contracting Agents, the National Science Foundation, the Office for Naval Research, or any other agency of the U.S. Government.
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Park, T., Lettner, J., Na, Y., Volckaert, S., Franz, M. (2018). Bytecode Corruption Attacks Are Real—And How to Defend Against Them. In: Giuffrida, C., Bardin, S., Blanc, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2018. Lecture Notes in Computer Science(), vol 10885. Springer, Cham. https://doi.org/10.1007/978-3-319-93411-2_15
DOI: https://doi.org/10.1007/978-3-319-93411-2_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-93410-5
Online ISBN: 978-3-319-93411-2
eBook Packages: Computer Science (R0)