DOI: 10.5555/2534748.2534763

"Weird machines" in ELF: a spotlight on the underappreciated metadata

Published: 13 August 2013

Abstract

Although software exploitation historically started as an exercise in coaxing the target's execution into attacker-supplied binary shellcode, it soon became a practical study in pushing the limits of unexpected computation that could be caused by crafted data not containing any native code. We show how the ABI metadata that drives the creation of a process's runtime can also drive arbitrary computation. We introduce our design and implementation of Cobbler, a proof-of-concept toolkit capable of compiling a Turing-complete language into well-formed ELF executable metadata that gets "executed" by the runtime loader (RTLD). Our proof-of-concept toolkit highlights how important it is that defenders expand their focus beyond the code and data sections of untrusted binaries, both in static analysis and in the dynamic analysis of the early runtime setup stages, as well as any time the RTLD is invoked.
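The abstract's point, that the RTLD "executes" relocation metadata, is exactly what a defender's static check has to cover. The following is an added example written for this page, not code from the paper or from the Cobbler toolkit: a C audit that walks an in-memory ELF64 image from the ELF header to PT_DYNAMIC to the DT_RELA table, bounds-checking every offset because the image is untrusted, and flags relocation entries whose target falls inside .dynamic or inside the relocation table itself. The flagging rule (compiler-emitted relocations patch the GOT and writable data, not the loader's own tables), the single-PT_LOAD layout of the constructed sample image, and the function names are assumptions made here, not anything the paper specifies.

```c
/* Added example, not code from the paper or the Cobbler toolkit. Heuristic (an assumption
 * of this example): compiler-emitted relocations patch the GOT or writable data, so a
 * DT_RELA entry that targets .dynamic or the relocation table itself is flagged. */
#include <elf.h>
#include <stdint.h>
#include <string.h>

typedef struct { int total, suspicious; } rela_audit;
static int in_range(uint64_t x, uint64_t lo, uint64_t len) { return len && x >= lo && x - lo < len; }

/* Map [va, va+need) to a file offset through a PT_LOAD segment; 0 if unmapped. */
static int vaddr_to_off(const Elf64_Phdr *ph, int n, uint64_t va, uint64_t need, size_t len, uint64_t *off)
{
    for (int i = 0; i < n; i++) {
        uint64_t delta = va - ph[i].p_vaddr;
        if (ph[i].p_type == PT_LOAD && ph[i].p_offset <= len &&
            ph[i].p_filesz <= len - ph[i].p_offset &&
            in_range(va, ph[i].p_vaddr, ph[i].p_filesz) && need <= ph[i].p_filesz - delta) {
            *off = ph[i].p_offset + delta;
            return 1;
        }
    }
    return 0;
}

/* Walk ELF header -> PT_DYNAMIC -> DT_RELA/DT_RELASZ -> Elf64_Rela entries, checking
 * every offset against len (the image is untrusted). 0 on success, negative if malformed. */
int audit_relocations(const uint8_t *img, size_t len, rela_audit *out)
{
    Elf64_Ehdr eh; Elf64_Phdr ph[16]; Elf64_Dyn d; Elf64_Rela r;
    const Elf64_Phdr *dyn = NULL;
    uint64_t rela_va = 0, rela_sz = 0, rela_off, o;
    out->total = out->suspicious = 0;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64) return -2;
    if (eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phnum > 16 || eh.e_phoff > len ||
        eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff) return -3;
    memcpy(ph, img + eh.e_phoff, eh.e_phnum * sizeof(Elf64_Phdr));
    for (int i = 0; i < eh.e_phnum; i++)
        if (ph[i].p_type == PT_DYNAMIC) dyn = &ph[i];
    if (!dyn) return 0;                       /* static binary: the RTLD never runs */
    if (dyn->p_offset > len || dyn->p_filesz > len - dyn->p_offset) return -4;
    for (o = 0; o + sizeof d <= dyn->p_filesz; o += sizeof d) {
        memcpy(&d, img + dyn->p_offset + o, sizeof d);
        if (d.d_tag == DT_NULL) break;
        if (d.d_tag == DT_RELA) rela_va = d.d_un.d_ptr;
        if (d.d_tag == DT_RELASZ) rela_sz = d.d_un.d_val;
    }
    if (rela_sz == 0) return 0;
    if (!vaddr_to_off(ph, eh.e_phnum, rela_va, rela_sz, len, &rela_off)) return -5;
    for (o = 0; o + sizeof r <= rela_sz; o += sizeof r) {
        memcpy(&r, img + rela_off + o, sizeof r);
        out->total++;
        if (in_range(r.r_offset, rela_va, rela_sz) ||
            in_range(r.r_offset, dyn->p_vaddr, dyn->p_memsz)) out->suspicious++;
    }
    return 0;
}

/* Constructed sample (not a runnable program): one RW PT_LOAD covering the file, a
 * four-entry .dynamic and two R_X86_64_RELATIVE entries. malicious=0 aims them at a
 * data slot; malicious=1 aims them at the second rela entry and at .dynamic. */
size_t build_sample_elf(uint8_t *buf, size_t cap, int malicious)
{
    enum { BASE = 0x400000, DYN = 0x100, RELA = 0x200, DATA = 0x300, SIZE = 0x400 };
    Elf64_Ehdr eh = { .e_ident = { 0x7f, 'E', 'L', 'F', ELFCLASS64, ELFDATA2LSB, EV_CURRENT },
                      .e_type = ET_DYN, .e_machine = EM_X86_64, .e_version = EV_CURRENT, .e_phnum = 2,
                      .e_phoff = sizeof(Elf64_Ehdr), .e_ehsize = sizeof(Elf64_Ehdr), .e_phentsize = sizeof(Elf64_Phdr) };
    Elf64_Phdr ph[2] = {
        { .p_type = PT_LOAD, .p_flags = PF_R | PF_W, .p_vaddr = BASE, .p_filesz = SIZE,
          .p_memsz = SIZE, .p_align = 0x1000 },
        { .p_type = PT_DYNAMIC, .p_flags = PF_R | PF_W, .p_offset = DYN, .p_vaddr = BASE + DYN,
          .p_filesz = 4 * sizeof(Elf64_Dyn), .p_memsz = 4 * sizeof(Elf64_Dyn), .p_align = 8 } };
    Elf64_Dyn dyn[4] = { { .d_tag = DT_RELA, .d_un.d_ptr = BASE + RELA },
                         { .d_tag = DT_RELASZ, .d_un.d_val = 2 * sizeof(Elf64_Rela) },
                         { .d_tag = DT_RELAENT, .d_un.d_val = sizeof(Elf64_Rela) },
                         { .d_tag = DT_NULL } };
    Elf64_Rela rela[2] = {   /* fields: r_offset, r_info, r_addend */
        { malicious ? BASE + RELA + sizeof(Elf64_Rela) : BASE + DATA, ELF64_R_INFO(0, R_X86_64_RELATIVE), 0x1000 },
        { malicious ? BASE + DYN : BASE + DATA + 8, ELF64_R_INFO(0, R_X86_64_RELATIVE), 0x1008 } };
    if (cap < SIZE) return 0;
    memset(buf, 0, SIZE);
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    memcpy(buf + DYN, dyn, sizeof dyn);
    memcpy(buf + RELA, rela, sizeof rela);
    return SIZE;
}

/* Flagged entries for the sample image, or -1 if the audit rejects it. */
int sample_suspicious(int malicious)
{
    uint8_t img[0x400]; rela_audit a;
    size_t n = build_sample_elf(img, sizeof img, malicious);
    return audit_relocations(img, n, &a) == 0 ? a.suspicious : -1;
}
```

Under the constructed layout `sample_suspicious(0)` returns 0 and `sample_suspicious(1)` returns 2. Treat a hit as triage, not proof; and since the RTLD also acts on DT_NEEDED, the dynamic symbol table, DT_JMPREL and DT_INIT/DT_INIT_ARRAY, an audit meant for real binaries would extend the same walk to those tables rather than stopping at DT_RELA.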


Cited By

  • (2017) DRIVE. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 728-742. doi:10.1145/3052973.3052975. Published 2 Apr 2017.
  • (2016) The missing link: explaining ELF static linking, semantically. ACM SIGPLAN Notices 51(10), pp. 607-623. doi:10.1145/3022671.2983996. Published 19 Oct 2016.
  • (2016) The missing link: explaining ELF static linking, semantically. Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications, pp. 607-623. doi:10.1145/2983990.2983996. Published 19 Oct 2016.
  • (2015) How the ELF ruined Christmas. Proceedings of the 24th USENIX Conference on Security Symposium, pp. 643-658. doi:10.5555/2831143.2831184. Published 12 Aug 2015.
  • (2015) Control Flow and Code Integrity for COTS binaries. Proceedings of the 31st Annual Computer Security Applications Conference, pp. 91-100. doi:10.1145/2818000.2818016. Published 7 Dec 2015.
  • (2014) Interrupt-oriented bugdoor programming. Proceedings of the 30th Annual Computer Security Applications Conference, pp. 116-125. doi:10.1145/2664243.2664268. Published 8 Dec 2014.


Published In

WOOT'13: Proceedings of the 7th USENIX conference on Offensive Technologies, August 2013, 13 pages

Sponsors

  • Google Inc.
  • Duo Security

Publisher

USENIX Association, United States


