Position-Independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure

Enes Goktas, Benjamin Kollenda, Philipp Koppe, Erik Bosman, Georgios Portokalidis, Thorsten Holz, Herbert Bos, Cristiano Giuffrida

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review


Abstract

Address-space layout randomization (ASLR) is a well-established defense against code-reuse attacks. However, it can be completely bypassed by just-in-time code-reuse attacks that rely on information disclosure of code addresses via memory or side-channel exposure. To address this fundamental weakness, much recent research has focused on detecting and mitigating information disclosure. The assumption is that if we perfect such techniques, we will not only maintain layout secrecy but also stop code reuse. In this paper, we demonstrate that an advanced attacker can mount practical code-reuse attacks even in the complete absence of information disclosure. To this end, we present Position-Independent Code-Reuse Attacks, a new class of code-reuse attacks relying on the relative rather than the absolute location of code gadgets in memory. By means of memory massaging, the attacker first makes the victim program generate a rudimentary ROP payload (for instance, one containing code pointers that target instructions "close" to relevant gadgets). Afterwards, the addresses in this payload are patched with small offsets via relative memory writes. To establish the practicality of such attacks, we present multiple Position-Independent ROP exploits against real-world software. After showing that we can bypass ASLR in current systems without requiring information disclosure, we evaluate the impact of our technique on other defenses, such as fine-grained ASLR, multi-variant execution, execute-only memory and re-randomization. We conclude by discussing potential mitigations.
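The two-step attack the abstract describes, as an added simulation that is not the paper's code: a module is "mapped" at a base the attacker never learns, the victim itself stores a code pointer it already holds into the payload slots (memory massaging), and the attacker only adds link-time constants to those slots (relative writes). The module layout, gadget offsets, marker bytes and base addresses are all constructed for this example; `gadget_shift` models a defense that breaks intra-module offset invariance and is an assumption of the simulation, not a result from the paper.

```c
/* Position-independent ROP, simulated.  Constructed example: layout,
 * offsets, markers and bases are invented for illustration. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODULE_SIZE  0x1000

/* Constructed link-time layout: intra-module offsets are fixed, only the
 * base moves under coarse-grained ASLR. */
#define OFF_ENTRY    0x200  /* code pointer the victim legitimately stores  */
#define OFF_GADGET_A 0x23C  /* stand-in for "pop rdi; ret", 0x3C past entry */
#define OFF_GADGET_B 0x1F0  /* stand-in for "ret", 0x10 before entry        */

/* Marker bytes identifying what "executes" at a given address. */
#define MARK_OTHER    0x00
#define MARK_ENTRY    0xE0
#define MARK_GADGET_A 0xA1
#define MARK_GADGET_B 0xB2

struct module {
    uintptr_t base;                 /* ASLR slide: unknown to the attacker */
    unsigned char code[MODULE_SIZE];
};

/* Map the module at `base`.  gadget_shift != 0 moves the gadgets relative
 * to the entry point, modelling a defence that perturbs intra-module
 * offsets (an assumption of this simulation). */
static void module_map(struct module *m, uintptr_t base, int gadget_shift)
{
    memset(m->code, MARK_OTHER, sizeof m->code);
    m->base = base;
    m->code[OFF_ENTRY] = MARK_ENTRY;
    m->code[OFF_GADGET_A + gadget_shift] = MARK_GADGET_A;
    m->code[OFF_GADGET_B + gadget_shift] = MARK_GADGET_B;
}

/* What would run if control were transferred to `addr`. */
static unsigned char module_fetch(const struct module *m, uintptr_t addr)
{
    if (addr < m->base || addr - m->base >= MODULE_SIZE)
        return MARK_OTHER;          /* outside the module: a crash in practice */
    return m->code[addr - m->base];
}

/* Victim side (memory massaging): the program is steered into writing a
 * code pointer it already holds, base + OFF_ENTRY, into each payload slot.
 * Nothing here is ever read back by the attacker. */
static void victim_store_code_pointers(const struct module *m,
                                       uintptr_t *slots, size_t n)
{
    for (size_t i = 0; i < n; i++)
        slots[i] = m->base + OFF_ENTRY;
}

/* The attacker's only primitive: add a delta to a memory word in place. */
static void relative_write_add(uintptr_t *slot, intptr_t delta)
{
    *slot = (uintptr_t)((intptr_t)*slot + delta);
}

/* Attacker side: turn the massaged slots into the chain [A, B, A] using
 * deltas computed offline from the binary's layout, never from runtime. */
static void attacker_patch_chain(uintptr_t *slots, size_t n)
{
    static const intptr_t deltas[3] = {
        OFF_GADGET_A - OFF_ENTRY,   /* +0x3C */
        OFF_GADGET_B - OFF_ENTRY,   /* -0x10 */
        OFF_GADGET_A - OFF_ENTRY,
    };
    for (size_t i = 0; i < n && i < 3; i++)
        relative_write_add(&slots[i], deltas[i]);
}

/* Run the scenario at one base.  Returns 1 if the patched chain resolves
 * to exactly [gadget A, gadget B, gadget A], 0 otherwise. */
int pirop_scenario(uintptr_t base, int gadget_shift)
{
    static const unsigned char want[3] = {MARK_GADGET_A, MARK_GADGET_B, MARK_GADGET_A};
    struct module m;
    uintptr_t chain[3];

    module_map(&m, base, gadget_shift);
    victim_store_code_pointers(&m, chain, 3);
    attacker_patch_chain(chain, 3);

    for (size_t i = 0; i < 3; i++)
        if (module_fetch(&m, chain[i]) != want[i])
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed bases standing in for random ASLR slides. */
    const uintptr_t bases[3] = {0x555555554000ULL, 0x7f3a9c200000ULL, 0x10000ULL};
    for (size_t i = 0; i < 3; i++)
        printf("base %#" PRIxPTR ": fixed offsets -> %s, offsets perturbed -> %s\n",
               bases[i],
               pirop_scenario(bases[i], 0) ? "hijacked" : "missed",
               pirop_scenario(bases[i], 0x40) ? "hijacked" : "missed");
    return 0;
}
```

The same deltas succeed at every base because the attacker only depends on the entry-to-gadget distance, which coarse-grained ASLR leaves intact; the `gadget_shift` case shows that a defense has to disturb that intra-module distance, not just the base, for the precomputed deltas to miss.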

Original language: English
Title of host publication: Proceedings - 3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 227-242
Number of pages: 16
ISBN (Electronic): 9781538642276
DOIs
Publication status: Published - 6 Jul 2018
Event: 3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018 - London, United Kingdom
Duration: 24 Apr 2018 to 26 Apr 2018

Conference

Conference: 3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
Country/Territory: United Kingdom
City: London
Period: 24/04/18 to 26/04/18

Funding

We would like to thank the anonymous reviewers for their valuable feedback. This work is based upon research supported in part by the European Commission through project H2020 MSCA-RISE-2015 “PROTASIS” under Grant Agreement No. 690972 and H2020 “BASTION” under Grant Agreement No. 640110, in part by the U.S. Office of Naval Research under award numbers N00014-16-1-2261, N00014-17-1-2788, and N00014-17-1-2782, and in part by the Netherlands Organisation for Scientific Research through grants NWO 639.023.309 VICI “Dowsing” and NWO 639.021.753 VENI “PantaRhei”.

Funders and funder numbers
H2020 “BASTION”
U.S. Office of Naval Research: N00014-17-1-2782, N00014-17-1-2788, N00014-16-1-2261
Horizon 2020 Framework Programme: 640110
European Commission: H2020 MSCA-RISE-2015, 690972
Nederlandse Organisatie voor Wetenschappelijk Onderzoek: 639.023.309

Keywords

• exploitation
• security
• vulnerability
