Back To The Epilogue: Evading Control Flow Guard via Unaligned Targets

Biondo, Andrea; Conti, Mauro; Lain, Daniele

doi:10.14722/ndss.2018.23318

Cited by 20 publications

(10 citation statements)

References 16 publications

(31 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A main design goal of our architecture is the ability to support the encoding of arbitrary code sequences. While previous research has shown that even in the presence of advanced ROP defenses it is possible to build realistic and Turing-complete gadget sets [6], one missing element in the research landscape is a publicly available, working ROP compiler that meets the needs of real-world attackers, for which building ROP chains remains predominantly a manual task [2,13]. Conversely, in recent years we have witnessed an increase in the complexity of ROP chains, which moved from being short simple sequences that bypass DEP to inject some shellcode, to very complex behaviors encoded entirely as ROP code [18].…”

Section: Discussionmentioning

confidence: 99%

“…Albeit CallerCheck and SymExec pose severe constraints to exploit writers 6 , they may easily be bypassed when the attacker is free to craft ROP gadgets within an application. Since our approach Figure 2: A possible implementation of the online patching mechanism performed by the detonator to make the ROP chain work in the presence of ASLR.…”

Section: Design Choicesmentioning

confidence: 99%

“…For instance, when the attacker can gain control of the stack several CFI implementations cannot protect a victim [10]. Even when considering mainstream ROP mitigations shipped with the latest releases of Microsoft Windows [26], recent works (e.g., [6,11,17]) show that these countermeasures can be bypassed by an attacker, especially when cooperation occurs on the application side.…”

Section: Related Workmentioning

confidence: 99%

“…Control Flow Guard is the CFI implementation supported by Microsoft. Recent works[6,11,17] show that it can be bypassed by attackers, especially when cooperation occurs from the application side.…”

mentioning

confidence: 99%

See 3 more Smart Citations

The ROP needle

Borrello

Coppa

D’Elia

et al. 2019

Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing

View full text Add to dashboard Cite

In recent years, researchers have come up with proof of concepts of seemingly benign applications such as InstaStock and Jekyll that remain dormant until triggered by an attacker-crafted condition, which activates a malicious behavior, eluding code review and signing mechanisms. In this paper, we make a step forward by describing a stealthy injection vector design approach based on Return Oriented Programming (ROP) code reuse that provides two main novel features: 1) the ability to defer the specification of the malicious behavior until the attack is struck, allowing fine-grained targeting of the malware and reuse of the same infection vector for delivering multiple payloads over time; 2) the ability to conceal the ROP chain that specifies the malicious behavior to an analyst by using encryption. We argue that such an infection vector might be a dangerous weapon in the hands of advanced persistent threat actors. As an additional contribution, we report on a preliminary experimental investigation that seems to suggest that ROP-encoded malicious payloads are likely to pass unnoticed by current security solutions, making ROP an effective malware design ingredient. CCS CONCEPTS• Security and privacy → Malware and its mitigation; Operating systems security; Intrusion detection systems.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Design Choicesmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

The ROP needle

Borrello

Coppa

D’Elia

et al. 2019

Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing

View full text Add to dashboard Cite

show abstract

“…It was deployed as an effective security technique to defend against memory corruption attacks; however, Control Flow Guard fails to protect against indirect jumps. Moreover, it is fully by-passable by Back To The Epilogue (BATE) attack [74]. BATE can corrupt the control-flow and direct it to an undefined location.…”

Section: Software-based Cfimentioning

confidence: 99%

Control-Flow Integrity: Attacks and Protections

et al. 2019

View full text Add to dashboard Cite

Despite the intense efforts to prevent programmers from writing code with memory errors, memory corruption vulnerabilities are still a major security threat. Consequently, control-flow integrity has received significant attention in the research community, and software developers to combat control code execution attacks in the presence of type of faults. Control-flow Integrity (CFI) is a large family of techniques that aims to eradicate memory error exploitation by ensuring that the instruction pointer (IP) of a running process cannot be controlled by a malicious attacker. In this paper, we assess the effectiveness of 14 CFI techniques against the most popular exploitation techniques, including code reuse attacks, return-to-user, return-to-libc, and replay attacks. We also classify these techniques based on their security, robustness, and implementation complexity. Our study indicates that the majority of the CFI techniques are primarily focused on restricting indirect branch instructions and cannot prevent all forms of vulnerability exploitation. We conclude that the performance overhead introduced, jointly with the partial attack coverage, is discouraging the industry from adopting most of them.

show abstract

On the Effectiveness of Control-Flow Integrity Against Modern Attack Techniques

Sayeed

Marco-Gisbert

2019

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Memory error vulnerabilities are still widely exploited by attackers despite the various protections developed. Attackers have adopted new strategies to successfully exploit well-known memory errors bypassing mature protection techniques such us the NX, SSP, and ASLR. Those attacks compromise the execution flow to gain control over the target successfully. Control-flow Integrity (CFI) is a protection technique that aims to eradicate memory error exploitation by ensuring that the instruction pointer (IP) of a running program cannot be controlled by a malicious attacker. In this paper, we assess the effectiveness of 14 CFI techniques against the most popular exploitation techniques including code reuse attacks, return-to-user, return-to-libc and replay attacks. Surveys are conducted to classify those 14 CFI techniques based on the security robustness and implementation feasibility. Our study indicates that the majority of the CFI techniques are primarily focused on restricting indirect branch instructions and cannot prevent all forms of vulnerability exploitation. Moreover, we show that the overhead and implementation requirement make some CFI techniques impractical. We conclude that the effort required to have those techniques in real systems, the high overhead, and also the partial attack coverage is discouraging the industry from adopting CFI protections.

show abstract

Back To The Epilogue: Evading Control Flow Guard via Unaligned Targets

Cited by 20 publications

References 16 publications

The ROP needle

The ROP needle

Control-Flow Integrity: Attacks and Protections

On the Effectiveness of Control-Flow Integrity Against Modern Attack Techniques

Contact Info

Product

Resources

About