Towards Automated Discovery of Crash-Resistant Primitives in Binary Executables

Kollenda, Benjamin; Göktaş, Enes; Blazytko, Tim; Koppe, Philipp; Gawlik, Robert; Konoth, Radhesh Krishnan; Giuffrida, Cristiano; Bos, Herbert; Holz, Thorsten

doi:10.1109/dsn.2017.58

Cited by 12 publications

(9 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…BROP blindly probes for certain types of (ROP) gadgets instead of whole functions, by observing signals like crashes, hangs and other behavior. CROP [30,54] demonstrates similar attacks on crash-resistant client programs, using arbitrary memory read/write probes. However, where such attacks only apply to crash-resistant code, we target the crash sensitive kernel.…”

Section: "Blind" Code-reuse Attacksmentioning

confidence: 94%

“…Absent additional info-leak vulnerabilities that grant attackers arbitrary memory read primitives, attackers need to resort to probing primitives to hack blind. Traditionally, such primitives are used in BROP [10] or similar attacks [7,30,54,79] to repeatedly probe the victim with controlled memory accesses. A major limitation of such attacks is that they trigger repeated, detection-prone crashes.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Speculative Probing

Göktaş

Razavi

Portokalidis

et al. 2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

To defeat ASLR or more advanced fine-grained and leakage-resistant code randomization schemes, modern software exploits rely on information disclosure to locate gadgets inside the victim's code. In the absence of such info-leak vulnerabilities, attackers can still hack blind and derandomize the address space by repeatedly probing the victim's memory while observing crash side effects, but doing so is only feasible for crash-resistant programs. However, high-value targets such as the Linux kernel are not crash-resistant. Moreover, the anomalously large number of crashes is often easily detectable. In this paper, we show that the Spectre era enables an attacker armed with a single memory corruption vulnerability to hack blind without triggering any crashes. Using speculative execution for crash suppression allows the elevation of basic memory write vulnerabilities into powerful speculative probing primitives that leak through microarchitectural side effects. Such primitives can repeatedly probe victim memory and break strong randomization schemes without crashes and bypass all deployed mitigations against Spectrelike attacks. The key idea behind speculative probing is to break Spectre mitigations using memory corruption and resurrect Spectrestyle disclosure primitives to mount practical blind software exploits. To showcase speculative probing, we target the Linux kernel, a crash-sensitive victim that has so far been out of reach of blind attacks, mount end-to-end exploits that compromise the system with just-in-time code reuse and data-only attacks from a single memory write vulnerability, and bypass strong Spectre and strong randomization defenses. Our results show that it is crucial to consider synergies between different (Spectre vs. code reuse) threat models to fully comprehend the attack surface of modern systems. CCS CONCEPTS • Security and privacy → Operating systems security.

show abstract

Section: "Blind" Code-reuse Attacksmentioning

confidence: 94%

Section: Introductionmentioning

confidence: 99%

Speculative Probing

Göktaş

Razavi

Portokalidis

et al. 2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…viz., Blind ROP (BROP) [14], remote arbitrary memory read-/write primitives [57], server-side Crash-Resistant Oriented Programming (CROP) [41], and allocation oracles [54].…”

Section: Effectivenessmentioning

confidence: 99%

“…To evaluate whether ProbeGuard can stop CROP (kernel memory read/write) probing attacks, we used such an attack described by Kollenda et al [41]. Locating the next client connection via ngx_cycle->free_connections before sending a partial HTTP GET request, the attacker exploits a kernel memory write primitive to probe a chosen memory region by controlling the connection buffer (ngx_buf_t) parameters.…”

Section: Effectivenessmentioning

confidence: 99%

ProbeGuard

Bhat

Kouwe

Bos

et al. 2019

Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Syst

Self Cite

View full text Add to dashboard Cite

Many modern defenses against code reuse rely on hiding sensitive data such as shadow stacks in a huge memory address space. While much more efficient than traditional integritybased defenses, these solutions are vulnerable to probing attacks which quickly locate the hidden data and compromise security. This has led researchers to question the value of information hiding in real-world software security. Instead, we argue that such a limitation is not fundamental and that information hiding and integrity-based defenses are two extremes of a continuous spectrum of solutions. We propose a solution, ProbeGuard, that automatically balances performance and security by deploying an existing information hiding based baseline defense and then incrementally moving to more powerful integrity-based defenses by hotpatching when probing attacks occur. ProbeGuard is efficient, provides strong security, and gracefully trades off performance upon encountering more probing primitives. CCS Concepts • Security and privacy → Systems security; Software security engineering.

show abstract

“…Traditional attacks against randomization rely on memory disclosure to leak code pointers from code/data sections and bypass the protection [15], [16], [34], [106]. Other attacks demonstrate that, even in absence of memory disclosure, an attacker can bypass coarse-grained randomization (traditional ASLR) via a variety of side channels, such as control flow [107], [108], memory deduplication [109], cache [110], [111], TLB [111], crashes [19], [112], exceptions [17], [113], [114], and memory allocations [18]. Unlike all these techniques, PIROP demonstrates that information disclosure is not a fundamental precondition for modern code-reuse attacks and practical exploits are still possible even with fine-grained randomization and no disclosure capabilities.…”

Section: Related Workmentioning

confidence: 99%

Position-Independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure

Göktaş

Kollenda

Koppe

et al. 2018

2018 IEEE European Symposium on Security and Privacy (EuroS&P)

Self Cite

View full text Add to dashboard Cite

Address-space layout randomization is a wellestablished defense against code-reuse attacks. However, it can be completely bypassed by just-in-time code-reuse attacks that rely on information disclosure of code addresses via memory or side-channel exposure. To address this fundamental weakness, much recent research has focused on detecting and mitigating information disclosure. The assumption being that if we perfect such techniques, we will not only maintain layout secrecy but also stop code reuse. In this paper, we demonstrate that an advanced attacker can mount practical code-reuse attacks even in the complete absence of information disclosure. To this end, we present Position-Independent Code-Reuse Attacks, a new class of codereuse attacks relying on the relative rather than absolute location of code gadgets in memory. By means of memory massaging, the attacker first makes the victim program generate a rudimentary ROP payload (for instance, containing code pointers that target instructions "close" to relevant gadgets). Afterwards, the addresses in this payload are patched with small offsets via relative memory writes. To establish the practicality of such attacks, we present multiple Position-Independent ROP exploits against real-world software. After showing that we can bypass ASLR in current systems without requiring information disclosures, we evaluate the impact of our technique on other defenses, such as fine-grained ASLR, multi-variant execution, execute-only memory and re-randomization. We conclude by discussing potential mitigations.

show abstract

Towards Automated Discovery of Crash-Resistant Primitives in Binary Executables

Cited by 12 publications

References 29 publications

Speculative Probing

Speculative Probing

ProbeGuard

Position-Independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure

Contact Info

Product

Resources

About