Aggrandizing the beast's limbs: patulous code reuse attack on ARM architecture

Document Type: ORIGINAL RESEARCH PAPER

Authors

Department of Computer Engineering and Information Technology, Amirkabir University of Technology, Tehran, Iran

Abstract

Since smartphones are usually personal devices full of private information, they are a popular target for a vast variety of real-world attacks such as Code Reuse Attack (CRA). CRAs enable attackers to execute any arbitrary algorithm on a device without injecting an executable code. Since the standard platform for mobile devices is ARM architecture, we concentrate on available ARM-based CRAs. Currently, three types of CRAs are proposed on ARM architecture including Return2ZP, ROP, and BLX-attack in accordance to three sub-models available on X86. Ret2Libc, ROP, and JOP. In this paper, we have considered some unique aspects of ARM architecture to provide a general model for code reuse attacks called Patulous Code Reuse Attack (PCRA). Our attack applies all available machine instructions that change Program Counter (PC) as well as direct or indirect branches in order to deploy the principles of CRA convention. We have demonstrated the effectiveness of our approach by defining five different sub-models of PCRA, explaining the algorithm of finding PCRA gadgets, introducing a useful set of gadgets, and providing a sample proof of concept exploit on Android 4.4 platform.

Keywords


[1] Eric Grevstad. CPU-based security: The NX bit. Disponvel on line em julho de, 2004.

[2] PaX Team. PaX address space layout randomization (ASLR). 2003.

[3] Joh Oberheide. A look at ASLR in android ice cream sandwich 4.0. The Duo Bulletin, 2012.

[4] Manjeet Singh Vaneet. Linux Kernel Memory Protection (ARM). 5(4), 2014. ISSN 0975-9646. doi: 5869-5871.

[5] Hovav Shacham, Matthew Page, Ben Pfaff, EuJin Goh, Nagendra Modadugu, and Dan Boneh. On the effectiveness of address-space randomizaion. In Proceedings of the 11th ACM conference on Computer and communications security, pages 298-307. ACM, 2004.

[6] Alexander Sotirov and Mark Dowd. Bypassing browser memory protections in Windows Vista. Blackhat USA, 2008.

[7] Gene Novark and Emery D. Berger. DieHarder: securing the heap. In Proceedings of the 17th ACM conference on Computer and communications security, pages 573-584. ACM, 2010.

[8] Will Dietz, Peng Li, John Regehr, and Vikram Adve. Understanding integer overflow in C/C++. In Proceedings of the 34th International Conference on Software Engineering, pages 760-770. IEEE Press, 2012.

[9] Scott M. Pike, Bruce W. Weide, and Joseph E. Hollingsworth. Checkmate: cornering C++ dynamic memory errors with checked pointers. In ACM SIGCSE Bulletin, volume 32, pages 352-356. ACM, 2000.

[10] Vivek Ramach and ran.  SecurityTube.net Hack of the Day: Demystifying the Execve Shellcode (Stack Method).  URL  http://hackoftheday.securitytube.net/ 2013/04/demystifying-execve-shellcode- stack.html.

[11] Charlie Miller and Vincenzo Iozzo. Fun and games with Mac OS X and iPhone payloads. BlackHat Europe, 2009. URL http://trafficlight.bitdefender.com/info?url=http%3A//reverse.put.as/wp-content/uploads/2011/06/BlackHat-Europe-2009-Miller-Iozzo-OSX-IPhone-Payloads-whitepaper.pdf&language=en_US.

[12] Collin Mulliner and Charlie Miller. Injecting SMS messages into smart phones forsecurity analysis. In USENIX Workshop on Offensive Technologies (WOOT), 2009. URL http://trafficlight.bitdefender.com/info?url=https%3A//www.usenix.org/event/woot09/tech/full-papers/mulliner.pdf&language=en_US.

[13] M. Keith. Android 2.0-2.1 Reverse Shell Exploit,2010.

[14] Ralf-Philipp Weinmann. All Your Baseband Are Belong To Us. hack. lu, 2010.

[15] Zi-Shun Huang and Ian G. Harris. Return-oriented vulnerabilities in ARM executables. In Homeland Security (HST), 2012 IEEE Conference on Technologies for, pages 1-6. IEEE, 2012.

[16] Joshua J. Drake, Zach Lanier, Collin Mulliner, Pau Oliva Fora, Stephen A. Ridley, and Georg Wicherski. Android Hacker's Handbook. John Wiley & Sons, 2014.

[17] Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, and Marcel Winandy. Return-oriented programming without returns on ARM. System Security Lab-Ruhr University Bochum, Tech. Rep, 2010.

[18] F. Aminmansour and H.R. Shahriari. Patulous Code Reuse Attack: A novel code reuse attack on ARM architecture (A proof of concept on Android OS). In 2015 12th International Iranian Society of Cryptology Conference on Information Security and Cryptology (ISCISC), pages 104-109, September 2015. doi: 10.1109/ISCISC.2015. 7387906.

[19] David Seal. ARM architecture reference manual. Pearson Education, 2001.

[20] Richard Earnshaw. Procedure call standard for the ARM architecture. ARM Limited, October, 2003.

[21] Pritesh. Android OS Architecture - Android Tutorials - c4learn.com. URL  http://www.c4learn. com/android/android-os-architecture/.

[22] Aleph One. Smashing the stack for fun and profit. Phrack magazine, 7(49):14{16, 1996.

[23] Stack Shield. A stack smashing technique protection tool for Linux. 2011.

[24] Ali-Akbar Sadeghi, Farzane Aminmansour, and Hamid-Reza Shahriari. Tazhi: A novel technique for hunting trampoline gadgets of jump oriented programming (A class of code reuse attacks). In Information Security and Cryptology (ISCISC), 2014 11th International ISC Conference on, pages 21-26. IEEE, 2014.

[25] Ali-Akbar Sadeghi, Farzane Aminmansour, and HamidReza Shahriari. Tiny Jump-oriented Programming Attack (A Class of Code Reuse Attacks). In 12th International ISC Conference on Information Security and Cryptology (ISCISC), Guilan, Iran, 2015.

[26] Hovav Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM conference on Computer and communications security, pages 552-561. ACM, 2007.

[27] Jose Angel Martinez-Lorenzo, Yolanda Rodriguez-Vaqueiro, Carey Rappaport, Oscar Rubinos Lopez, Antonio Garcia Pino, Zi-Shun Huang, Ian G. Harris, Lance Fiondella, Swapna Gokhale, Nicholas Lownes, and others. SUPPLEMENT NO. 6: APRIL 2013. URL http://trafficlight.bitdefender.com/info?url=https%3A//www.llis.dhs.gov/sites/default/files/HSAJ_012B_IEEE_Supplement.pdf&language=en_US.

[28] Gang Tan and Jason Croft. An Empirical Security Study of the Native Code in the JDK. In Usenix Security Symposium, pages 365-378, 2008.

[29] Lucas Davi, Ahmad-Reza Sadeghi, and Marcel Winandy. ROPdefender: A detection tool to defend against return-oriented programming attacks. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, pages 40-51. ACM, 2011.

[30] ZhiJun Huang, Tao Zheng, and Jia Liu. A dynamic detective method against ROP attack on ARM platform. In Proceedings of the Second International Workshop on Software Engineering for Embedded Systems, pages 51-57. IEEE Press, 2012.