Dwarf Frankenstein is still in your memory: tiny code reuse attacks

AliAkbar Sadeghi, Farzane Aminmansour, H. Shahriari
Journal: ISC Int. J. Inf. Secur. (Journal Article)
Publication date: 2017-01-30
DOI: 10.22042/ISECURE.2017.0.0.4 (https://doi.org/10.22042/ISECURE.2017.0.0.4)
Citations: 0

Abstract

Code reuse attacks such as return-oriented programming and jump-oriented programming are the most popular exploitation methods among attackers. A large number of practical and non-practical defenses have been proposed that differ in their overhead, source code requirement, detection rate and implementation dependencies. However, a usual aspect among these methods is consideration of the common behaviour of code reuse attacks, which is the construction of a gadget chain. Therefore, the implication of a gadget and the minimum size of an attack chain are a matter of controversy. Conservative or relaxed thresholds may cause false positive and false negative alarms, respectively. The main contribution of this paper is to provide a tricky aspect of code reuse techniques, called tiny code reuse attacks (Tiny-CRA), that demonstrates the ineffectiveness of threshold-based detection methods. We show that with bare minimum assumptions, Tiny-CRA can reduce the size of a gadget chain in such a way that no distinction can be detected between the normal behavior of a program and a code-reuse execution. To do so, we exhibit our Tiny-CRA primitives and introduce a useful gadget set available in libc. We demonstrate the effectiveness of our approach by implementing nine different shell-codes and exploiting a real-world buffer overflow vulnerability in HT Editor 2.0.20.