Dwarf Frankenstein is still in your memory: tiny code reuse attacks

Document Type: ORIGINAL RESEARCH PAPER

Authors

1 Amirkabir University of Technology

2 Amirkabir University of Technology (Tehran Polytechnic)

3 Amirkabir University of Technology- Tehran

Abstract

Code reuse attacks such as return-oriented programming and jump-oriented programming are the most popular exploitation methods among attackers. A large number of practical and non-practical defenses have been proposed that differ in their overhead, source code requirements, detection rate and implementation dependencies. However, a common aspect of these methods is that they rely on the typical behaviour of code reuse attacks, which is the construction of a gadget chain. Therefore, the meaning of a gadget and the minimum size of an attack chain are a matter of controversy. Conservative or relaxed thresholds may cause false positive and false negative alarms, respectively. The main contribution of this paper is to present a subtle aspect of code reuse techniques, called tiny code reuse attacks (Tiny-CRA), that demonstrates the ineffectiveness of threshold-based detection methods. We show that, with bare minimum assumptions, Tiny-CRA can reduce the size of a gadget chain in such a way that no distinction can be detected between the normal behavior of a program and a code-reuse execution. To do so, we exhibit our Tiny-CRA primitives and introduce a useful gadget set available in libc. We demonstrate the effectiveness of our approach by implementing nine different shellcodes and exploiting a real-world buffer overflow vulnerability in HT Editor 2.0.20.

Keywords

