the read operation (and some others; see Section 4). Figure 2 shows the steps involved in our attack.

After the control flow of the program is subverted (our assumption), our return-oriented programming code will first read the target of a call instruction whose address is known by static analysis of the vulnerable program. After that, we locate the address and offset through PLT and GOT. Once the entry in PLT and GOT is located, we read the entry to find out the corresponding libc function, and eventually we can use the short code sequences inside libc. In the end, the address of the libc function can be used to obtain a shell for arbitrary computation by making a system call. Note that our attack works well when the order of library functions is randomized, which a previously proposed attack does not consider [13].
4 Attack Implementation

As discussed in Section 3.2, there are a few steps involved in a successful attack, and each step requires some instructions to be executed. In this section, we first explain in more detail what instructions are needed in each step, and then present a realization of executing these instructions using a few improvements to return-oriented programming. We demonstrate our attack with an example on apache-2.2.15.

4.1 Instructions Needed to be Executed in Our Attack
The first step in our attack is to find the static address of a useful call instruction in the code segment of the vulnerable program. There are typically many call instructions in the code segment, and what we need is 1) one that calls a libc function; and 2) that the corresponding libc function makes a system call. We need the second requirement in order to make sure that we can later make use of the system call to execute execve() for arbitrary computation. The one that we choose is call geteuid at 0x80b85af in apache-2.2.15 (see Figure 3). Note that many other call instructions could be used.
Finding target address of the call instruction. As shown in Figure 3, the target address of the call instruction is represented as an offset (0xfffaff54) of
080b85a8 <set_group_privs>:
 80b85a8:  55                  push   %ebp
 80b85a9:  89 e5               mov    %esp,%ebp
 80b85ab:  53                  push   %ebx
 80b85ac:  83 ec 34            sub    $0x34,%esp
 80b85af:  e8 54 ff fa ff      call   8068508 <geteuid@plt>
 80b85b4:  ...

Fig. 3. call instruction in the code segment
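The displacement decoding behind Fig. 3, as an added example that is not from the paper: it takes the bytes of the set_group_privs prologue (constructed from the listing), decodes the E8 rel32 call at 0x80b85af relative to the next instruction, and recovers the target 0x8068508 <geteuid@plt>. The scanning helper and the PLT address range passed to it are assumptions for illustration; the underlying point is that a call site in a non-position-independent text segment has a fixed address regardless of where libc lands.

```python
import struct

# Constructed from the bytes shown in Fig. 3 (set_group_privs prologue in
# apache-2.2.15); the function starts at 0x080b85a8.
FIG3_BASE = 0x080B85A8
FIG3_CODE = bytes.fromhex(
    "55"           # push %ebp
    "89e5"         # mov  %esp,%ebp
    "53"           # push %ebx
    "83ec34"       # sub  $0x34,%esp
    "e854fffaff"   # call rel32 at 0x80b85af
)

def decode_rel32_call(code, base, offset):
    """Decode an E8 rel32 near call located at code[offset].

    Returns (call_address, target_address, displacement_as_u32), or None if
    the byte at `offset` is not E8 or the 5-byte instruction would run past
    the buffer. The displacement is a signed little-endian value relative to
    the address of the *next* instruction (call_address + 5)."""
    if offset < 0 or offset + 5 > len(code) or code[offset] != 0xE8:
        return None
    (rel,) = struct.unpack_from("<i", code, offset + 1)
    call_addr = base + offset
    target = (call_addr + 5 + rel) & 0xFFFFFFFF
    return call_addr, target, rel & 0xFFFFFFFF

def find_rel32_calls(code, base, lo, hi):
    """First-pass heuristic (assumed helper): every E8 whose decoded target
    lies in [lo, hi), e.g. the PLT range of a non-PIE binary. A linear byte
    scan can hit an E8 that is really an operand byte of another instruction,
    so a real pass walks instruction boundaries (objdump, capstone); the range
    filter prunes most of that noise."""
    hits = []
    for off in range(len(code)):
        d = decode_rel32_call(code, base, off)
        if d and lo <= d[1] < hi:
            hits.append(d)
    return hits

if __name__ == "__main__":
    call_addr, target, disp = decode_rel32_call(FIG3_CODE, FIG3_BASE, 7)
    print(f"{call_addr:#x}: call {target:#x}  (rel32 {disp:#010x})")
    # -> 0x80b85af: call 0x8068508  (rel32 0xfffaff54)
```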