Cryptography Reference
In-Depth Information
Perhaps the work to surgically return to randomized libc [13] is the closest
to our work in this paper. In this work, Roglia et al. introduced an attack on
address space randomization assuming the base of the libc library is randomized.
The attack surgically finds the address of a libc function by reading entries in
PLT and GOT using return-oriented programming. The attack we present in
this paper uses the same strategy, but differs in that it also assumes that the
order of library functions are randomized. Roglia et al. also proposed an attack
mitigation technique of encrypting the GOT. In this paper, we argue that such
a technique might not work on programs where enough gadgets are found in
the program binary itself and libc is not needed for the attack. We demonstrate
this by analyzing a few commonly used application programs and show that an
attack on them indeed does not require the use of libc. In general, this paper
is not just about introducing an attack on address space randomization, but
to study the effectiveness of randomizing certain code and data objects, and
to argue that randomizing them is ineffective to defend against attacks using
return-oriented programming, and a simple fix does not exist.
The effectiveness of address space randomization on 32-bit architectures has
been analyzed previously [15]. In this work, a brute force attack is proposed to
guess the libc text segment offset in order to perform a return-to-libc attack.
Experiments show that such an attack is effective on a 32-bit system where the
vulnerable service automatically restarts after crashing. Our attack is different
from this attack in that we derandomize the addresses in an ecient way without
brute forcing. Therefore, our attack has a wider application on systems where
counter-measures are in place to fight against brute force attacks.
3 Attack on Address Space Randomization
As shown in Section 2, there are many code and data objects that can be random-
ized to make different attacks or attack steps dicult. Although return-oriented
programming [14] has made attacks without injected code more powerful, in
many cases able to perform arbitrary computation, intuitively it does not work
well on address space randomization systems because the locations of gadgets
are randomized and hard to be found.
In this section, however, we show that randomizing the base of the library,
order of library functions, entries in PLT and GOT is ineffective in defending
against attacks using return-oriented programming. We show this by presenting
an attack on an address space randomization system where we assume that
position independent code is not in use in the binary program. This assumption
is valid in most existing computing systems because recompilation is needed to
generate position independent code. We show that our attack is able to execute
arbitrary computation after subverting the control flow of the program. This
attack uses the same strategy of the one presented by Roglia et al. [13]. However,
here we assume that the order of library functions is randomized whereas Roglia
et al. only considers the randomized base address.
In the rest of this section, we first give an intuition of the attack we propose
and an overview of the steps involved. In Section 4, we detail the implementation
 
Search WWH ::




Custom Search