Out of Control: Overcoming Control-Flow Integrity

Göktaş, Enes; Αθανασόπουλος, Ηλίας; Bos, Herbert; Portokalidis, Georgios

doi:10.1109/sp.2014.43

Cited by 287 publications

(193 citation statements)

References 23 publications

(43 reference statements)

Supporting

Mentioning

192

Contrasting

Order By: Relevance

“…(aslr entropy * page size)/libc size Here libc size, in our experiments, is approximately 2 21 . In other words, the estimated number of memory scans is: 2 28 * 2 12 /2 21 = 2 19 .…”

Section: B Data Collectionmentioning

confidence: 72%

“…On the other hand, experience has shown that low overhead mechanisms that trade off security guarantees for performance (e.g., approximate [48] or partial [5] memory safety) eventually get bypassed [9,52,21,11,17].…”

Section: Possible Countermeasuresmentioning

confidence: 99%

“…We note that any security mechanism that trades security guarantees for performance may be vulnerable to future attacks. This short term optimization for the sake of practicality is one reason for the numerous attacks on security systems [9,52,21,11,17]. c) Timing Side Channel Defense: One way to defeat attacks that use side channels to disclose memory is to remove execution timing differences.…”

Section: Possible Countermeasuresmentioning

confidence: 99%

“…For example, control transfer checks are relaxed to allow transfers to any valid jump targets as opposed to the correct target. Unfortunately, these implementations have been shown to be ineffective because they allow enough valid transfers to enable an attacker to build a malicious payload [21].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Evans

Fingeret

González

et al. 2015

2015 IEEE Symposium on Security and Privacy

113

View full text Add to dashboard Cite

Abstract-Memory corruption attacks continue to be a major vector of attack for compromising modern systems. Numerous defenses have been proposed against memory corruption attacks, but they all have their limitations and weaknesses. Stronger defenses such as complete memory safety for legacy languages (C/C++) incur a large overhead, while weaker ones such as practical control flow integrity have been shown to be ineffective. A recent technique called code pointer integrity (CPI) promises to balance security and performance by focusing memory safety on code pointers thus preventing most control-hijacking attacks while maintaining low overhead. CPI protects access to code pointers by storing them in a safe region that is protected by instruction level isolation. On x86-32, this isolation is enforced by hardware; on x86-64 and ARM, isolation is enforced by information hiding. We show that, for architectures that do not support segmentation in which CPI relies on information hiding, CPI's safe region can be leaked and then maliciously modified by using data pointer overwrites. We implement a proofof-concept exploit against Nginx and successfully bypass CPI implementations that rely on information hiding in 6 seconds with 13 observed crashes. We also present an attack that generates no crashes and is able to bypass CPI in 98 hours. Our attack demonstrates the importance of adequately protecting secrets in security mechanisms and the dangers of relying on difficulty of guessing without guaranteeing the absence of memory leaks.

show abstract

“…(aslr entropy * page size)/libc size Here libc size, in our experiments, is approximately 2 21 . In other words, the estimated number of memory scans is: 2 28 * 2 12 /2 21 = 2 19 .…”

Section: B Data Collectionmentioning

confidence: 72%

Section: Possible Countermeasuresmentioning

confidence: 99%

Section: Possible Countermeasuresmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Evans

Fingeret

González

et al. 2015

2015 IEEE Symposium on Security and Privacy

113

View full text Add to dashboard Cite

show abstract

“…For example, the increasing popularity of mobile crowdsourcing and mobile sensing projects [51] may enable an attacker to exploit various personal data such as the user location, mobility patterns or web browsing habits [52]. SDN controller hijacking: By exploiting the SDN controller implementation weaknesses, the adversary tries to divert the control ows to a controlled device [53]. Then the captured messages can be discarded preventing the data plane entities from proper operation.…”

Section: Methodsmentioning

confidence: 99%

Security Challenges of Small Cell as a Service in Virtualized Mobile Edge Computing Environments

Panaousis

Mouratidis

2016

Information Security Theory and Practice

View full text Add to dashboard Cite

Abstract. Research on next-generation 5G wireless networks is currently attracting a lot of attention in both academia and industry. While 5G development and standardization activities are still at their early stage, it is widely acknowledged that 5G systems are going to extensively rely on dense small cell deployments, which would exploit infrastructure and network functions virtualization (NFV), and push the network intelligence towards network edges by embracing the concept of mobile edge computing (MEC). As security will be a fundamental enabling factor of small cell as a service (SCaaS) in 5G networks, we present the most prominent threats and vulnerabilities against a broad range of targets. As far as the related work is concerned, to the best of our knowledge, this paper is the rst to investigate security challenges at the intersection of SCaaS, NFV, and MEC. It is also the rst paper that proposes a set of criteria to facilitate a clear and e ective taxonomy of security challenges of main elements of 5G networks. Our analysis can serve as a staring point towards the development of appropriate 5G security solutions. These will have crucial e ect on legal and regulatory frameworks as well as on decisions of businesses, governments, and end-users.

show abstract