Position-Independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure

Enes Goktas, Benjamin Kollenda, Philipp Koppe, Erik Bosman, Georgios Portokalidis, Thorsten Holz, Herbert Bos, Cristiano Giuffrida

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

126 Downloads (Pure)

Abstract

Address-space layout randomization is a wellestablished defense against code-reuse attacks. However, it can be completely bypassed by just-in-time code-reuse attacks that rely on information disclosure of code addresses via memory or side-channel exposure. To address this fundamental weakness, much recent research has focused on detecting and mitigating information disclosure. The assumption being that if we perfect such techniques, we will not only maintain layout secrecy but also stop code reuse. In this paper, we demonstrate that an advanced attacker can mount practical code-reuse attacks even in the complete absence of information disclosure. To this end, we present Position-Independent Code-Reuse Attacks, a new class of codereuse attacks relying on the relative rather than absolute location of code gadgets in memory. By means of memory massaging, the attacker first makes the victim program generate a rudimentary ROP payload (for instance, containing code pointers that target instructions 'close' to relevant gadgets). Afterwards, the addresses in this payload are patched with small offsets via relative memory writes. To establish the practicality of such attacks, we present multiple Position-Independent ROP exploits against real-world software. After showing that we can bypass ASLR in current systems without requiring information disclosures, we evaluate the impact of our technique on other defenses, such as fine-grained ASLR, multi-variant execution, execute-only memory and re-randomization. We conclude by discussing potential mitigations.

Original languageEnglish
Title of host publicationProceedings - 3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages227-242
Number of pages16
ISBN (Electronic)9781538642276
DOIs
Publication statusPublished - 6 Jul 2018
Event3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018 - London, United Kingdom
Duration: 24 Apr 201826 Apr 2018

Conference

Conference3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
CountryUnited Kingdom
CityLondon
Period24/04/1826/04/18

Keywords

  • exploitation
  • security
  • vulnerability

Fingerprint

Dive into the research topics of 'Position-Independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure'. Together they form a unique fingerprint.

Cite this