However, attacking techniques have advanced a lot since the introduction of address space randomization. In particular, return-oriented programming [14] has made attacks without injected code more powerful, in many cases able to perform arbitrary computation. This raises the question of whether randomizing certain code and data objects is still as effective as we believed. In this paper, we show that randomizing the base and order of functions in shared libraries and randomizing the location and order of entries in the PLT and GOT do not introduce significant difficulty for attacks using return-oriented programming. In particular, we present an attack on a system in which the library base addresses, the order of library functions, and the PLT and GOT are all randomized. In the course of presenting the attack, we also detail a few improvements to return-oriented programming that make our attack more effective. We go on to show that a previously proposed fix, encrypting the GOT, might not work in many cases. We argue that address space randomization was introduced without considering such attacks, and that a simple fix probably does not exist.
Note that what we study here is more than returning to a randomized libc as shown in previous work [13]. Besides the attack we propose here being more general, i.e., we consider a system where the order of library functions is also randomized, we strive to study the effectiveness of randomizing various code and data objects rather than proposing a particular attack. We analyze the root cause of attacks using return-oriented programming, point out weaknesses of the mitigation techniques in the previous work [13], and argue that randomizing such code and data objects is simply ineffective and that no simple fix exists. To support our analysis, we evaluate a number of commonly used application programs and show that encrypting the GOT is, in fact, not effective in stopping the attack, since there are enough gadgets in the binary program itself to carry out the attack, and returning to libc is not needed.
We caution readers against drawing more from our analysis than it warrants. We are not trying to show that address space randomization is ineffective in general. Rather, since there are many code and data objects that can be randomized, our analysis shows that randomizing some of them does not necessarily improve system security in the face of this new attacking technique. Address space randomization is certainly effective in, e.g., making it difficult for an attack to exploit a vulnerability to subvert the program's control flow. What we show in this paper is that, after an attack manages to subvert the program's control flow, the difficulty of causing the program to execute in a manner of the attacker's choosing using return-oriented programming is not much affected by randomizing the base and order of functions or the location and order of the PLT and GOT.
In summary, the paper makes the following contributions.
- Propose and implement a general attack on an address space randomization system where the base and order of library functions and the location and order of entries in the PLT and GOT are randomized.
- Propose a few improvements to return-oriented programming that make our attack more effective.