More content
This commit is contained in:
Valentin Brandl
parent
e53c639bb1
commit
5bd8c61a69
BIN
work/01paper.pdf
BIN
work/01paper.pdf
Binary file not shown.
@ -1,6 +1,7 @@
|
||||
\documentclass[conference]{IEEEtran}
|
||||
\IEEEoverridecommandlockouts{}
|
||||
% The preceding line is only needed to identify funding in the first footnote. If that is unneeded, please comment it out.
|
||||
% The preceding line is only needed to identify funding in the first footnote.
|
||||
% If that is unneeded, please comment it out.
|
||||
\usepackage{csquotes}
|
||||
\usepackage[style=ieee,backend=biber]{biblatex}
|
||||
|
||||
@ -30,7 +31,8 @@
|
||||
%%fuer abkuerzungen begin
|
||||
\usepackage[acronym,hyperfirst = false]{glossaries}
|
||||
\glsdisablehyper{}
|
||||
%\usepackage[acronym,acronymlists={main, abbreviationlist},shortcuts,toc,description,footnote]{glossaries}
|
||||
%\usepackage[acronym,acronymlists={main,
|
||||
%abbreviationlist},shortcuts,toc,description,footnote]{glossaries}
|
||||
\newglossary[clg]{abbreviationlist}{cyi}{cyg}{List of Abbreviations}
|
||||
\newglossary[slg]{symbolslist}{syi}{syg}{Symbols}
|
||||
\renewcommand{\firstacronymfont}[1]{\emph{#1}}
|
||||
@ -149,9 +151,18 @@ attacker controlled code.
|
||||
|
||||
This is only one of several types and exploitation techniques but the general
|
||||
idea stays the same: ovewrite the return address or some kind of function
|
||||
pointer (e.g. in vtables or the \ac{plt}) and once that function is called, the
|
||||
pointer (e.g.\ in vtables or the \ac{plt}) and once that function is called, the
|
||||
execution flow is hijacked and the attacker can execute arbitiary code.
|
||||
|
||||
The most trivial kinds of exploits is known as a \mintinline{ASM}{NOP} sled.
|
||||
Here the attacker appends as many \mintinline{ASM}{NOP} instructions before any
|
||||
shellcode (e.g.\ to invoke \mintinline{shell}{/bin/sh}) and points the
|
||||
overwritten \ac{ip} somewhere inside the \mintinline{ASM}{NOP}s. The execution
|
||||
\enquote{slides} through the \mintinline{ASM}{NOP}s until it reaches the
|
||||
shellcode. Most of the migration techniques described in this paper protect
|
||||
against this kind of exploit but there are different and more complex ways of
|
||||
exploiting \acp{bof} that are not that easily migrated.
|
||||
|
||||
\subsection{Implications}
|
||||
|
||||
\section{Concept and Methods}\label{ref:concept}
|
||||
@ -171,7 +182,9 @@ The easiest and maybe single most effective method to prevent \acp{bof} is to
|
||||
check, if a write or read operation is out of bounds. This requires storing the
|
||||
size of a buffer together with the pointer to the buffer and check for each read
|
||||
or write in the buffer, if it is in bounds at runtime. Still almost any language
|
||||
that comes with a runtime, uses runtime checking.
|
||||
that comes with a runtime, uses runtime checking. For this technique to be
|
||||
effective effective in general, writes to a raw pointer must be disallowed.
|
||||
Otherwise the security checks can be circumvented.
|
||||
|
||||
\subsection{Prevent/Detect Overriding Return Address}
|
||||
|
||||
@ -224,11 +237,16 @@ exploiting technique uses existing calls to the libc with attacker controlled
|
||||
parameters, e.g.\ if the programm uses the \mintinline{shell}{system} command,
|
||||
the attacker can plant \mintinline{shell}{/bin/sh} as parameter on the stack,
|
||||
followed by the address of \mintinline{shell}{system} and get a shell on the
|
||||
system. \ac{rop} (a superset of ret-to-libc exploits) uses so called ROP
|
||||
gadgets, combinations of memory modifying instructions followed by the ret
|
||||
instruction to build instruction chains, that execute the desired shellcode.
|
||||
This is done by placing the desired return addresses in the right order on the
|
||||
stack and reuses the existing code to circumvent the w\^{}x protection.
|
||||
system. \ac{rop} (a superset of ret-to-libc exploits) uses so called \ac{rop}
|
||||
gadgets, combinations of memory modifying instructions followed by the
|
||||
\mintinline{ASM}{RET} instruction to build instruction chains, that execute the
|
||||
desired shellcode. This is done by placing the desired return addresses in the
|
||||
right order on the stack and reuses the existing code to circumvent the w\^{}x
|
||||
protection. These combinations of memory modification followed by
|
||||
\mintinline{ASM}{RET} instructions are called \ac{rop} chains and are turing
|
||||
complete~\cite{Rop2007}, so in theory it is possible to implement any imaginable
|
||||
payload, as long as the exploited program contains enough gadgets and the
|
||||
overflowing buffer has enough space.
|
||||
|
||||
|
||||
\section{Discussion}\label{ref:discussion}
|
||||
@ -238,10 +256,11 @@ stack and reuses the existing code to circumvent the w\^{}x protection.
|
||||
\subsubsection{\ac{aslr}}
|
||||
|
||||
\Ac{aslr} has been really effective and wildly used in production. It is
|
||||
included in most major operating systems~\cite{FBSDaslr}. Some
|
||||
even use kernel \ac{aslr}~\cite{Linuxaslr}. Since this mechanism is active at %TODO
|
||||
runtime, it does not require any changes in the code itself, the programm only
|
||||
has to be compiled as a \ac{pie}.
|
||||
included in most major operating systems~\cite{FBSDaslr}. Some even use kernel
|
||||
\ac{aslr}~\cite{Linuxaslr}. Since this mechanism is active at runtime, it does
|
||||
not require any changes in the code itself, the programm only has to be compiled
|
||||
as a \ac{pie}. On 32-bit CPUs, only 16-bit of the address are randomized. These
|
||||
16-bit can be brute forced in a few minutes or seconds~\cite{AslrEffective2004}.
|
||||
|
||||
\subsubsection{w\^{}x}
|
||||
|
||||
|
||||
@ -8,6 +8,13 @@ own:
|
||||
year = {2002}
|
||||
}
|
||||
|
||||
@inproceedings{Rop2007,
|
||||
author = {{Shacham, Hovav}},
|
||||
booktitle = {{Proceedings of the 14th ACM conference on Computer and communications security (CCS)}},
|
||||
title = {{The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)}},
|
||||
year = {2007}
|
||||
}
|
||||
|
||||
@inproceedings{Detection2018,
|
||||
author = {{Chaim, Marcos and Santos, Daniel and Cruzes, Daniela}},
|
||||
booktitle = {{International Journal of Systems and Software Security and Protection (IJSSSP)}},
|
||||
@ -46,6 +53,13 @@ year = {2001}
|
||||
year = {1998}
|
||||
}
|
||||
|
||||
@inproceedings{AslrEffective2004,
|
||||
year = {2004},
|
||||
booktitle = {{11\textsuperscript{th} ACM conference on Computer and communications security (CCS)}},
|
||||
title = {{On the Effectiveness of Address-Space Randomization}},
|
||||
author = {{Shacham, Hovav and Page, Matthew and Pfaff, Ben and Goh, Eu-Jin and Modadugu, Nagendra and Boneh, Dan}}
|
||||
}
|
||||
|
||||
@ARTICLE{Smashing2004,
|
||||
author={J. {Pincus} and B. {Baker}},
|
||||
journal={{IEEE Security \& Privacy}},
|
||||
|
||||
Loading…
Reference in New Issue
Block a user