Title: Breaking the memory secrecy assumption
Authors: Raoul Strackx, Yves Younan, Pieter Philippaerts, F. Piessens, Sven Lachmund, T. Walter
Venue: European Workshop on System Security
Published: 2009-03-31
DOI: 10.1145/1519144.1519145 (https://doi.org/10.1145/1519144.1519145)
Citations: 189
Abstract
Many countermeasures exist that attempt to protect against buffer overflow attacks on applications written in C and C++. The most widely deployed countermeasures rely on artificially introducing randomness in the memory image of the application. StackGuard and similar systems, for instance, will insert a random value before the return address on the stack, and Address Space Layout Randomization (ASLR) will make the location of stack and/or heap less predictable for an attacker.
A critical assumption in these probabilistic countermeasures is that attackers cannot read the contents of memory. In this paper we show that this assumption is not always justified. We identify a new class of vulnerabilities -- buffer overreads -- that occur in practice and that can be exploited to read parts of the memory contents of a process running a vulnerable application. We describe in detail how to exploit an application protected by both ASLR and stack canaries, if the application contains both a buffer overread and a buffer overflow vulnerability.
We also provide a detailed discussion of how this vulnerability affects other, less widely deployed probabilistic countermeasures such as memory obfuscation and instruction set randomization.
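As an added illustration that is not from the paper: a constructed C model of the overread the abstract describes. An echo routine trusts a caller-supplied length and so discloses the canary placed after the buffer, next to the bounded version that clamps the length; the frame layout and canary bytes are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a 16-byte request buffer followed in memory by an
 * 8-byte canary. Both live in one array so the overread below is
 * well-defined C and the outcome is deterministic; a real stack frame
 * (buffer, then canary, then return address) has the same shape. */
enum { BUF_SIZE = 16, CANARY_SIZE = 8, FRAME_SIZE = BUF_SIZE + CANARY_SIZE };

static const uint8_t frame[FRAME_SIZE] = {
    'h','e','l','l','o',' ','w','o','r','l','d',0,0,0,0,0,  /* user-controlled buffer */
    0xC0,0xFF,0xEE,0x11,0x22,0x33,0x44,0x55                 /* hypothetical canary */
};

/* Vulnerable echo: copies as many bytes as the caller claims, checking only
 * the output capacity, never the buffer's own size. A claimed length above
 * BUF_SIZE therefore returns the canary that follows the buffer. */
size_t echo_vulnerable(size_t claimed_len, uint8_t *out, size_t out_cap) {
    if (claimed_len > out_cap) claimed_len = out_cap;
    memcpy(out, frame, claimed_len);          /* no check against BUF_SIZE */
    return claimed_len;
}

/* Hardened echo: the length is clamped to the buffer's actual size, so the
 * response can never include bytes past the buffer whatever is claimed. */
size_t echo_hardened(size_t claimed_len, uint8_t *out, size_t out_cap) {
    size_t n = claimed_len;
    if (n > BUF_SIZE) n = BUF_SIZE;
    if (n > out_cap) n = out_cap;
    memcpy(out, frame, n);
    return n;
}

/* Number of bytes the caller received beyond the buffer, i.e. disclosed
 * canary bytes; 0 means the secrecy assumption held for this request. */
size_t overread_bytes(size_t (*echo)(size_t, uint8_t *, size_t), size_t claimed_len) {
    uint8_t out[FRAME_SIZE];
    size_t n = echo(claimed_len, out, sizeof out);
    return n > BUF_SIZE ? n - BUF_SIZE : 0;
}

int main(void) {
    printf("vulnerable: %zu canary bytes disclosed\n", overread_bytes(echo_vulnerable, FRAME_SIZE));
    printf("hardened:   %zu canary bytes disclosed\n", overread_bytes(echo_hardened, FRAME_SIZE));
    return 0;
}
```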