DOI: 10.5555/2671225.2671251
Article

Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection

Published: 20 August 2014

Abstract

Return-oriented programming (ROP) offers a robust attack technique that has, not surprisingly, been extensively used to exploit bugs in modern software programs (e.g., web browsers and PDF readers). ROP attacks require no code injection, and have already been shown to be powerful enough to bypass fine-grained memory randomization (ASLR) defenses. To counter this ingenious attack strategy, several proposals for enforcement of (coarse-grained) control-flow integrity (CFI) have emerged. The key argument put forth by these works is that coarse-grained CFI policies are sufficient to prevent ROP attacks. As this reasoning has gained traction, ideas put forth in these proposals have even been incorporated into coarse-grained CFI defenses in widely adopted tools (e.g., Microsoft's EMET framework).
In this paper, we provide the first comprehensive security analysis of various CFI solutions (covering kBouncer, ROPecker, CFI for COTS binaries, ROP-Guard, and Microsoft EMET 4.1). A key contribution is in demonstrating that these techniques can be effectively undermined, even under weak adversarial assumptions. More specifically, we show that with bare minimum assumptions, Turing-complete and real-world ROP attacks can still be launched even when the strictest of enforcement policies is in use. To do so, we introduce several new ROP attack primitives, and demonstrate the practicality of our approach by transforming existing real-world exploits into more stealthy attacks that bypass coarse-grained CFI defenses.



Published In

SEC'14: Proceedings of the 23rd USENIX Conference on Security Symposium
August 2014
1067 pages
ISBN: 9781931971157
Program Chair: Kevin Fu

Sponsors

• Akamai
• Google Inc.
• IBM Research
• NSF
• Microsoft Research
• USENIX Association

Publisher

USENIX Association, United States


Cited By

• (2023) SAFER. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 1451-1468. DOI 10.5555/3620237.3620319. Online publication date: 9 Aug 2023.
• (2022) Practical Software-Based Shadow Stacks on x86-64. ACM Transactions on Architecture and Code Optimization 19(4), pp. 1-26. DOI 10.1145/3556977. Online publication date: 7 Oct 2022.
• (2022) Buddy Stacks: Protecting Return Addresses with Efficient Thread-Local Storage and Runtime Re-Randomization. ACM Transactions on Software Engineering and Methodology 31(2), pp. 1-37. DOI 10.1145/3494516. Online publication date: 4 Mar 2022.
• (2021) Not so fast: understanding and mitigating negative impacts of compiler optimizations on code reuse gadget sets. Proceedings of the ACM on Programming Languages 5(OOPSLA), pp. 1-30. DOI 10.1145/3485531. Online publication date: 15 Oct 2021.
• (2021) FastCFI: Real-time Control-Flow Integrity Using FPGA without Code Instrumentation. ACM Transactions on Design Automation of Electronic Systems 26(5), pp. 1-39. DOI 10.1145/3458471. Online publication date: 5 Jun 2021.
• (2021) HerQules: securing programs via hardware-enforced message queues. Proceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 773-788. DOI 10.1145/3445814.3446736. Online publication date: 19 Apr 2021.
• (2021) Exploiting Mixed Binaries. ACM Transactions on Privacy and Security 24(2), pp. 1-29. DOI 10.1145/3418898. Online publication date: 2 Jan 2021.
• (2020) Practical Control Flow Integrity using Multi-Variant execution. Proceedings of the 2020 International Conference on Internet Computing for Science and Engineering, pp. 14-19. DOI 10.1145/3424311.3424312. Online publication date: 14 Jan 2020.
• (2020) Adoption Challenges of Code Randomization. Proceedings of the 7th ACM Workshop on Moving Target Defense, pp. 45-49. DOI 10.1145/3411496.3421226. Online publication date: 9 Nov 2020.
• (2020) RCecker. Proceedings of the 17th ACM International Conference on Computing Frontiers, pp. 158-164. DOI 10.1145/3387902.3392629. Online publication date: 11 May 2020.
