TY - GEN
T1 - The dynamics of innocent flesh on the bone
T2 - 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017
AU - Veen, Victor Vander
AU - Andriesse, Dennis
AU - Stamatogiannakis, Manolis
AU - Chen, Xi
AU - Bos, Herbert
AU - Giuffrida, Cristiano
PY - 2017/10/30
Y1 - 2017/10/30
N2 - In 2007, Shacham published a seminal paper on Return-Oriented Programming (ROP), the first systematic formulation of code reuse. The paper has been highly influential, profoundly shaping the way we still think about code reuse today: An attacker analyzes the "geometry" of victim binary code to locate gadgets and chains these to craft an exploit. This model has spurred much research, with a rapid progression of increasingly sophisticated code reuse attacks and defenses over time. After ten years, the common perception is that state-of-the-art code reuse defenses are effective in significantly raising the bar and making attacks exceedingly hard. In this paper, we challenge this perception and show that an attacker going beyond "geometry" (static analysis) and considering the "dynamics" (dynamic analysis) of a victim program can easily find function call gadgets even in the presence of state-of-the-art code-reuse defenses. To support our claims, we present Newton, a run-time gadget-discovery framework based on constraint-driven dynamic taint analysis. Newton can model a broad range of defenses by mapping their properties into simple, stackable, reusable constraints, and automatically generate gadgets that comply with these constraints. Using Newton, we systematically map and compare state-of-the-art defenses, demonstrating that even simple interactions with popular server programs are adequate for finding gadgets for all state-of-the-art code-reuse defenses. We conclude with an nginx case study, which shows that a Newton-enabled attacker can craft attacks which comply with the restrictions of advanced defenses, such as CPI and context-sensitive CFI.
AB - In 2007, Shacham published a seminal paper on Return-Oriented Programming (ROP), the first systematic formulation of code reuse. The paper has been highly influential, profoundly shaping the way we still think about code reuse today: An attacker analyzes the "geometry" of victim binary code to locate gadgets and chains these to craft an exploit. This model has spurred much research, with a rapid progression of increasingly sophisticated code reuse attacks and defenses over time. After ten years, the common perception is that state-of-the-art code reuse defenses are effective in significantly raising the bar and making attacks exceedingly hard. In this paper, we challenge this perception and show that an attacker going beyond "geometry" (static analysis) and considering the "dynamics" (dynamic analysis) of a victim program can easily find function call gadgets even in the presence of state-of-the-art code-reuse defenses. To support our claims, we present Newton, a run-time gadget-discovery framework based on constraint-driven dynamic taint analysis. Newton can model a broad range of defenses by mapping their properties into simple, stackable, reusable constraints, and automatically generate gadgets that comply with these constraints. Using Newton, we systematically map and compare state-of-the-art defenses, demonstrating that even simple interactions with popular server programs are adequate for finding gadgets for all state-of-the-art code-reuse defenses. We conclude with an nginx case study, which shows that a Newton-enabled attacker can craft attacks which comply with the restrictions of advanced defenses, such as CPI and context-sensitive CFI.
UR - http://www.scopus.com/inward/record.url?scp=85041449920&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85041449920&partnerID=8YFLogxK
U2 - 10.1145/3133956.3134026
DO - 10.1145/3133956.3134026
M3 - Conference contribution
AN - SCOPUS:85041449920
VL - Part F131467
SP - 1675
EP - 1689
BT - CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 30 October 2017 through 3 November 2017
ER -