Abstract
Many modern defenses rely on address space layout randomization (ASLR) to efficiently hide security-sensitive metadata in the address space. Absent implementation flaws, an attacker can only bypass such defenses by repeatedly probing the address space for mapped (security-sensitive) regions, incurring a noisy application crash on any wrong guess. Recent work shows that modern applications contain idioms that allow the construction of crash-resistant code primitives, allowing an attacker to efficiently probe the address space without causing any visible crash. In this paper, we classify different crash-resistant primitives and show that this problem is much more prominent than previously assumed. More specifically, we show that rather than relying on labor-intensive source code inspection to find a few 'hidden' application-specific primitives, an attacker can find such primitives semi-automatically, on many classes of real-world programs, at the binary level. To support our claims, we develop methods to locate such primitives in real-world binaries. We successfully identified 29 new potential primitives and constructed proof-of-concept exploits for four of them.
Original language | English |
---|---|
Title of host publication | 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) |
Subtitle of host publication | [Proceedings] |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 1-12 |
Number of pages | 12 |
ISBN (Electronic) | 9781538605417 |
ISBN (Print) | 9781538605431 |
DOIs | |
Publication status | Published - 2017 |
Event | 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017 - Denver, United States. Duration: 26 Jun 2017 → 29 Jun 2017 |
Conference
Conference | 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017 |
---|---|
Country/Territory | United States |
City | Denver |
Period | 26/06/17 → 29/06/17 |
Funding
We thank the anonymous reviewers for their valuable comments. This work was supported by the European Commission through the projects H2020 ICT-32-2014 “SHARCS” under Grant Agreement No. 644571, H2020 MSCA-RISE-2015 “PROTASIS” under Grant Agreement No. 690972 and ERC Starting Grant No. 640110 “BASTION”, and by the Netherlands Organisation for Scientific Research through the NWO 639.023.309 VICI “Dowsing” project.
Funders | Funder number |
---|---|
ERC Starting Grant | |
NWO 639.023.309 VICI | |
Horizon 2020 Framework Programme | 640110 |
European Commission | H2020 MSCA-RISE-2015, 644571, 690972, H2020 ICT-32-2014 |
Nederlandse Organisatie voor Wetenschappelijk Onderzoek | |