Cryptography Reference
In-Depth Information
-
Analyze limitations of the previously proposed attack mitigation technique
of encrypting GOT.
-
Discuss on the effectiveness of randomizing the base and order of functions
and location and order of entries in PLT and GOT.
The rest of the paper is organized as follows. In Section 2, we outline the back-
ground and discuss some related work in this area. Section 3 presents an overview
and intuition of our attack. We detail the implementation of our attack in Sec-
tion 4. Section 5 discusses the limitation of a previously proposed attack mitiga-
tion technique and our experimental results on it, and discusses the implications.
We conclude in Section 6.
2 Background and Related Work
There are many code and data objects that can be randomized [2,3,4]. Ta-
ble 1 presents a summary of the important ones and the specific data to be
randomized.
Table 1.
Code and data objects to be randomized
Code and data objects
What to randomize
Base of stack
Gaps between stack frames
Stack-resident variables
Base of heap
Gaps between heap allocations
Heap-resident variables
Static variables
Order of static variables
Addresses of function call targets
Position independent code
Program code
Base of library
Order of functions in library
Gaps between functions in library
Functions in library
Locations of PLT and GOT
Order of entries in PLT and GOT
Entries in PLT and GOT
Randomizing these code and data objects is effective in stopping some partic-
ular types of attacks or steps in some attacks. In this paper, we try to analyze the
effectiveness of randomizing some of these data in making attacks dicult. In
particular, our analysis shows that randomizing functions in library and entries
in PLT and GOT is ineffective. We support this by presenting our general attack
on an address space randomization system and analyzing an attack mitigation
technique previously proposed.
To understand how these randomization helps in making attacks dicult, we
briefly describe the two steps an attack usually needs to perform. First, it needs
to find a way to exploit the vulnerability to subvert the program's control flow.
Second, it needs to cause the program to execute in a manner of his choosing.
Traditionally, the first step could be done by overflowing a buffer on the stack
and overwriting a return address, although many other techniques, e.g., heap [8]
and integer overflows [18] and format string vulnerabilities [16], could be used.
Search WWH ::
Custom Search