The dynamics of innocent flesh on the bone: Code reuse ten years later

Victor Vander Veen, Dennis Andriesse, Manolis Stamatogiannakis, Xi Chen, Herbert Bos, Cristiano Giuffrida

Research output: Chapter in Book / Report / Conference proceeding > Conference contribution > Academic > peer-review


Abstract

In 2007, Shacham published a seminal paper on Return-Oriented Programming (ROP), the first systematic formulation of code reuse. The paper has been highly influential, profoundly shaping the way we still think about code reuse today: An attacker analyzes the "geometry" of victim binary code to locate gadgets and chains these to craft an exploit. This model has spurred much research, with a rapid progression of increasingly sophisticated code reuse attacks and defenses over time. After ten years, the common perception is that state-of-the-art code reuse defenses are effective in significantly raising the bar and making attacks exceedingly hard. In this paper, we challenge this perception and show that an attacker going beyond "geometry" (static analysis) and considering the "dynamics" (dynamic analysis) of a victim program can easily find function call gadgets even in the presence of state-of-the-art code-reuse defenses. To support our claims, we present Newton, a run-time gadget-discovery framework based on constraint-driven dynamic taint analysis. Newton can model a broad range of defenses by mapping their properties into simple, stackable, reusable constraints, and automatically generate gadgets that comply with these constraints. Using Newton, we systematically map and compare state-of-the-art defenses, demonstrating that even simple interactions with popular server programs are adequate for finding gadgets for all state-of-the-art code-reuse defenses. We conclude with an nginx case study, which shows that a Newton-enabled attacker can craft attacks which comply with the restrictions of advanced defenses, such as CPI and context-sensitive CFI.

Original language: English
Title of host publication: CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 1675-1689
Number of pages: 15
Volume: Part F131467
ISBN (Electronic): 9781450349468
DOIs
Publication status: Published - 30 Oct 2017
Event: 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017 - Dallas, United States
Duration: 30 Oct 2017 to 3 Nov 2017

Conference

Conference: 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017
Country/Territory: United States
City: Dallas
Period: 30/10/17 to 3/11/17

Funding

Funder: Funder number
Horizon 2020 Framework Programme: 644571
