Towards Automated Discovery of Crash-Resistant Primitives in Binary Executables

Benjamin Kollenda, Enes Goktas, Tim Blazytko, Philipp Koppe, Robert Gawlik, R. K. Konoth, Cristiano Giuffrida, Herbert Bos, Thorsten Holz

Research output: Chapter in Book / Report / Conference proceeding > Conference contribution > Academic > peer-review


Abstract

Many modern defenses rely on address space layout randomization (ASLR) to efficiently hide security-sensitive metadata in the address space. Absent implementation flaws, an attacker can only bypass such defenses by repeatedly probing the address space for mapped (security-sensitive) regions, incurring a noisy application crash on any wrong guess. Recent work shows that modern applications contain idioms that allow the construction of crash-resistant code primitives, allowing an attacker to efficiently probe the address space without causing any visible crash. In this paper, we classify different crash-resistant primitives and show that this problem is much more prominent than previously assumed. More specifically, we show that rather than relying on labor-intensive source code inspection to find a few 'hidden' application-specific primitives, an attacker can find such primitives semi-automatically, on many classes of real-world programs, at the binary level. To support our claims, we develop methods to locate such primitives in real-world binaries. We successfully identified 29 new potential primitives and constructed proof-of-concept exploits for four of them.

Original language: English
Title of host publication: 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Subtitle of host publication: [Proceedings]
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 1-12
Number of pages: 12
ISBN (Electronic): 9781538605417
ISBN (Print): 9781538605431
DOIs
Publication status: Published - 2017
Event: 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017 - Denver, United States
Duration: 26 Jun 2017 to 29 Jun 2017

Conference

Conference: 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017
Country/Territory: United States
City: Denver
Period: 26/06/17 to 29/06/17

Funding

We thank the anonymous reviewers for their valuable comments. This work was supported by the European Commission through the projects H2020 ICT-32-2014 "SHARCS" under Grant Agreement No. 644571, H2020 MSCA-RISE-2015 "PROTASIS" under Grant Agreement No. 690972 and ERC Starting Grant No. 640110 "BASTION", and by the Netherlands Organisation for Scientific Research through the NWO 639.023.309 VICI "Dowsing" project.

Funders and funder numbers:
- ERC Starting Grant
- NWO 639.023.309 VICI
- Horizon 2020 Framework Programme: 640110
- European Commission: H2020 MSCA-RISE-2015, 644571, 690972, H2020 ICT-32-2014
- Nederlandse Organisatie voor Wetenschappelijk Onderzoek
