6 Conclusion
In this paper, we demonstrate our attack against randomization of the library base address, of the order of library functions, and of the entries in the PLT and GOT, using return-oriented programming under the assumption that the attacker has a copy of the vulnerable program for static analysis. Besides introducing this more general attack and proposing improvements to return-oriented programming that make the attack more effective, we also evaluate a previously proposed attack mitigation technique. Our results show that dereferencing the GOT is in fact not a necessary step in the attack, and therefore encrypting the GOT does not make address space randomization secure against return-oriented programming.