it is possible to find the needed gadgets from various programs as shown in
Table 4, we believe that our attack can be generalized to be applied on other
vulnerable programs. We leave this as our future work.
4.4 Discussions of Our Attack
What we propose is a more general attack which works even when the order of
library functions is randomized, which is different from a previously proposed
attack [13].
Other considerations of our attack. In the discussions above, we have not considered
a level of indirection that address space randomization might have introduced,
namely converting direct function calls to indirect ones with function pointers.
Our attack works in the same way when function pointers are used; in fact, the
attack could even be simplified in some cases because offsets might not be used
in indirect calls.
Limitations of our attack. There are a few limitations of our attack. First, we
assume that the control flow of the vulnerable program can be subverted. This
might not be true, as address space randomization could make such subverting
very difficult. However, this assumption does not render our analysis less
important, because a security system should not rely on a single point of protection
and should try to make attacks difficult even when the first line of defense fails.
Second, we assume that the attacker has access to the vulnerable program to
do static analysis and that position independent code is not in use. Our attack relies
on this assumption because we would not be able to locate the call instruction
should this assumption be invalid. Third, we might not be able to find enough
useful gadgets in the vulnerable program. Although we have shown programs
meeting our attack requirement, it remains future work to study other ways of
finding useful gadgets to generalize our attack.
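As an added example (not from the paper), the following Python checks an ELF64 binary for two defenses relevant to this attack: position independent code (the PIE e_type, whose absence the limitations above assume) and RELRO, a standard linker hardening not named on this page that resolves and then write-protects the GOT so that GOT overwrites fail. The sample ELF images are constructed inline as fixtures and are not real binaries.

```python
import struct

ET_DYN = 3                                   # e_type of a PIE / shared object
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552     # program header types
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1             # "resolve every GOT entry at load"


def elf64_got_defenses(data: bytes) -> dict:
    """Parse a little-endian ELF64 image and report whether it is position
    independent (PIE) and whether its GOT is covered by RELRO: 'partial'
    (PT_GNU_RELRO present) or 'full' (RELRO plus BIND_NOW, so the whole GOT
    is resolved at load time and then mapped read-only)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro, dyn = False, None
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    bind_now = False
    if dyn:
        for off in range(dyn[0], dyn[0] + dyn[1], 16):   # Elf64_Dyn is 16 bytes
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True
    level = "full" if relro and bind_now else "partial" if relro else "none"
    return {"pie": e_type == ET_DYN, "relro": level}


def build_sample(e_type: int, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (header + phdrs + dynamic section), a
    test fixture for the checker, not a real binary."""
    nph = 2 if relro else 1
    dyn = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0, DT_NULL, 0)
    dyn_off = 64 + nph * 56                  # dynamic data follows the phdrs
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0x1000, 64, 0, 0, 64, 56, nph, 64, 0, 0)
    def phdr(p_type):
        return struct.pack("<IIQQQQQQ", p_type, 4, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr(PT_DYNAMIC) + (phdr(PT_GNU_RELRO) if relro else b"") + dyn
```

Run the checker on `open(path, "rb").read()` of a real ELF64 to audit it; a result of `pie=False` with `relro` other than `full` is the configuration the paper's assumptions rely on.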
Extension of our attack. The idea of our attack could be extended to make stack
randomization ineffective, if instructions like mov eax, esp could be found by
using return-oriented programming. We tried using the Galileo algorithm [14]
to search for it, but could not find one in our experiments. Theoretically, this
is possible especially when searching on various sections that are marked
executable, e.g., .plt, .text, .fini, .rodata, .eh_frame_hdr, and .eh_frame.
We leave this as future work.
5 Possible Mitigation Techniques and Discussions
Roglia et al. proposed a few mitigation techniques to defend against attacks that
dereference and overwrite GOT [13], which include using position independent
code, self-randomization of the program, and encrypting GOT. Although such
techniques could defend against our attack presented as well, we try to ask a