Cryptography Reference
In-Depth Information
00098ae0 <geteuid>:
98ae0:
55
push
%ebp
98ae1:
89 e5
mov
%esp,%ebp
98ae3:
b8 c9 00 00 00
mov
$0xc9,%eax
98ae8:
65 ff 15 10 00 00 00
call
*%gs:0x10
98aef:
5d
pop
%ebp
98af0:
c3
ret
Fig. 6.
System call in libc
Note that in our attack, these gadgets have to be found in the vulnerable pro-
gram except in the last step after the libc function address has been found. This
makes our attack more challenging than return-oriented programming in general
where useful gadgets can be easily found in the large libc library.
Since the vulnerable program is usually relatively small when compared to the
libc library, we might not be able to locate the gadgets we want. We propose and
use a few techniques to expand the set of useful candidate gadgets. We do not
further discuss how the last step of our attack can be implemented by finding
useful gadgets in libc since it has been well discussed in the return-oriented
programming paper [14].
Alternative instructions.
There could be multiple different instructions that
serve what we need in the operations. Table 2 shows some candidate gadgets
of different instructions for the same purpose needed in our attack. Note that
they are just some examples, and each of them could have different variations,
e.g., by using different registers.
Table 2.
Useful gadgets with alternative instructions
Operations
Useful gadgets
Memory reading
<mov (%eax), %eax; ret;>
<add %ebp, %ebx; ret;>
<lea (%eax, %ecx, 1), %eax; ret;>
Addition
<pop %eax; ret;>
<xchg %eax, %edx; ret;>
Register writing
Combination of instructions.
Besides using gadgets of different instructions, we
can also combine different instructions (their corresponding gadgets) together
to realize the intended operation. For example,
's
<or (%eax), %ebx; ret;> or
the value at a memory address (specified by
) with another register (
). It
eax
ebx
serves the purpose of memory reading if
happens to be zero. Even if
is
ebx
ebx
not zero, this gadget can be combined with a register writing to set
to be
ebx
zero first. Table 3 gives some examples of such combinations.
Instructions with side-effects.
Some instructions in a gadget might have no ef-
fect in the execution context or might have side effects that can be reversed
by other gadgets. Although these instructions (and the corresponding gadgets)
Search WWH ::
Custom Search