Title: Code-reuse attacks: new frontiers and defenses
Abstract: Code-reuse attacks are software exploits in which an attacker directs control flow through existing code with a malicious result. For example, return-oriented programming is an effective code-reuse attack in which short code sequences ending in a ret instruction are found within existing binaries and executed in arbitrary order by taking control of the stack. This allows for Turing-complete behavior in the target program without the need for injecting attack code, thus significantly negating current code injection defense efforts (e.g., W⊕X). On the other hand, its inherent characteristics, such as the reliance on the stack and the consecutive execution of return-oriented gadgets, have prompted a variety of defenses to detect or prevent it from happening.
This document introduces two novel code-reuse attacks. The first, jump-oriented programming, eliminates the reliance on the stack and ret instructions seen in return-oriented programming without sacrificing expressive power. This attack still builds and chains normal functional gadgets, each performing certain primitive operations, except these gadgets end in an indirect branch rather than ret. Without the convenience of using ret to unify them, the attack relies on a dispatcher gadget to dispatch and execute the functional gadgets. We have successfully identified the availability of these jump-oriented gadgets in the GNU libc library and demonstrated the technique on both the x86 and MIPS architectures. Our experience with an example shellcode attack demonstrates the practicality and effectiveness of this technique.
The second attack presented, Turing-complete return-into-libc , demonstrates that it is possible to attain arbitrary computation even when only chaining entire functions as opposed to short gadgets. This has negative implications for certain defenses, and more importantly corrects the record on the capabilities of the existing return-into-libc technique.
To mitigate the threats presented by the above exploits, this document proposes a novel defense technique called control flow locking, which ensures that the control flow graph of an application is deviated from at most once, and that this deviation cannot be used to craft a malicious system call. This defense thwarts the existing code-reuse attacks, and the implementation presented shows performance overhead competitive with existing techniques, achieving significant gains in several benchmarks. Control flow locking represents a general solution to the problem of code-reuse attacks with a performance penalty small enough to justify deployment in real-world situations.
Publication Year: 2011
Publication Date: 2011-01-01
Language: en
Type: article
Access and Citation
Cited By Count: 6
AI Researcher Chatbot
Get quick answers to your questions about the article from our AI researcher chatbot