在二进制可执行文件中自动发现抗崩溃原语

2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) Pub Date : 2017-08-30 DOI:10.1109/DSN.2017.58

B. Kollenda, Enes Göktas, Tim Blazytko, Philipp Koppe, R. Gawlik, Radhesh Krishnan Konoth, Cristiano Giuffrida, H. Bos, Thorsten Holz

{"title":"在二进制可执行文件中自动发现抗崩溃原语","authors":"B. Kollenda, Enes Göktas, Tim Blazytko, Philipp Koppe, R. Gawlik, Radhesh Krishnan Konoth, Cristiano Giuffrida, H. Bos, Thorsten Holz","doi":"10.1109/DSN.2017.58","DOIUrl":null,"url":null,"abstract":"Many modern defenses rely on address space layout randomization (ASLR) to efficiently hide security-sensitive metadata in the address space. Absent implementation flaws, an attacker can only bypass such defenses by repeatedly probing the address space for mapped (security-sensitive) regions, incurring a noisy application crash on any wrong guess. Recent work shows that modern applications contain idioms that allow the construction of crash-resistant code primitives, allowing an attacker to efficiently probe the address space without causing any visible crash. In this paper, we classify different crash-resistant primitives and show that this problem is much more prominent than previously assumed. More specifically, we show that rather than relying on labor-intensive source code inspection to find a few \"hidden\" application-specific primitives, an attacker can find such primitives semi-automatically, on many classes of real-world programs, at the binary level. To support our claims, we develop methods to locate such primitives in real-world binaries. We successfully identified 29 new potential primitives and constructed proof-of-concept exploits for four of them.","PeriodicalId":426928,"journal":{"name":"2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","volume":"44 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-08-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"13","resultStr":"{\"title\":\"Towards Automated Discovery of Crash-Resistant Primitives in Binary Executables\",\"authors\":\"B. Kollenda, Enes Göktas, Tim Blazytko, Philipp Koppe, R. Gawlik, Radhesh Krishnan Konoth, Cristiano Giuffrida, H. Bos, Thorsten Holz\",\"doi\":\"10.1109/DSN.2017.58\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Many modern defenses rely on address space layout randomization (ASLR) to efficiently hide security-sensitive metadata in the address space. Absent implementation flaws, an attacker can only bypass such defenses by repeatedly probing the address space for mapped (security-sensitive) regions, incurring a noisy application crash on any wrong guess. Recent work shows that modern applications contain idioms that allow the construction of crash-resistant code primitives, allowing an attacker to efficiently probe the address space without causing any visible crash. In this paper, we classify different crash-resistant primitives and show that this problem is much more prominent than previously assumed. More specifically, we show that rather than relying on labor-intensive source code inspection to find a few \\\"hidden\\\" application-specific primitives, an attacker can find such primitives semi-automatically, on many classes of real-world programs, at the binary level. To support our claims, we develop methods to locate such primitives in real-world binaries. We successfully identified 29 new potential primitives and constructed proof-of-concept exploits for four of them.\",\"PeriodicalId\":426928,\"journal\":{\"name\":\"2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)\",\"volume\":\"44 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2017-08-30\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"13\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/DSN.2017.58\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSN.2017.58","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 13

摘要

许多现代防御依赖于地址空间布局随机化(ASLR)来有效地隐藏地址空间中的安全敏感元数据。如果没有实现缺陷，攻击者只能通过反复探测映射(安全敏感)区域的地址空间来绕过这些防御，从而导致任何错误猜测导致嘈杂的应用程序崩溃。最近的工作表明，现代应用程序包含允许构造抗崩溃代码原语的习惯用法，允许攻击者有效地探测地址空间，而不会造成任何可见的崩溃。在本文中，我们对不同的抗碰撞原语进行了分类，并表明这个问题比以前假设的要突出得多。更具体地说，我们表明，攻击者可以在二进制级别上，在现实世界的许多程序类中，半自动地找到这些原语，而不是依靠劳动密集型的源代码检查来找到一些“隐藏的”特定于应用程序的原语。为了支持我们的说法，我们开发了在真实二进制文件中定位这些原语的方法。我们成功地确定了29个新的潜在原语，并为其中的4个构建了概念验证漏洞。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Towards Automated Discovery of Crash-Resistant Primitives in Binary Executables

Many modern defenses rely on address space layout randomization (ASLR) to efficiently hide security-sensitive metadata in the address space. Absent implementation flaws, an attacker can only bypass such defenses by repeatedly probing the address space for mapped (security-sensitive) regions, incurring a noisy application crash on any wrong guess. Recent work shows that modern applications contain idioms that allow the construction of crash-resistant code primitives, allowing an attacker to efficiently probe the address space without causing any visible crash. In this paper, we classify different crash-resistant primitives and show that this problem is much more prominent than previously assumed. More specifically, we show that rather than relying on labor-intensive source code inspection to find a few "hidden" application-specific primitives, an attacker can find such primitives semi-automatically, on many classes of real-world programs, at the binary level. To support our claims, we develop methods to locate such primitives in real-world binaries. We successfully identified 29 new potential primitives and constructed proof-of-concept exploits for four of them.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

自引率

0.00%

发文量