SeBROP: blind ROP attacks without returns

Tianning ZHANG , Miao CAI , Diming ZHANG , Hao HUANG

Front. Comput. Sci., 2022, Vol. 16, Issue 4: 164818. DOI: 10.1007/s11704-021-0342-8
Information Security
RESEARCH ARTICLE


Abstract

Currently, security-critical server programs are well protected by various defense techniques, such as Address Space Layout Randomization (ASLR), eXecute Only Memory (XOM), and Data Execution Prevention (DEP), against modern code-reuse attacks like Return-oriented Programming (ROP) attacks. Moreover, in these victim programs, most syscall instructions are not followed by a ret instruction, which prevents an attacker from stitching multiple system calls together to implement advanced behaviors like launching a remote shell. The lack of this kind of gadget greatly constrains the capability of code-reuse attacks. This paper proposes a novel code-reuse attack method called Signal Enhanced Blind Return Oriented Programming (SeBROP) to address these challenges. SeBROP can launch a successful exploit against server-side programs using only a stack overflow vulnerability. By leveraging a side channel that exists in the victim program, we show how to find a variety of gadgets blindly, without any prior knowledge and without reading or disassembling the code segment. We then propose a technique that exploits the current vulnerable signal checking mechanism to control the execution flow even when ret instructions are absent. Our technique can stitch a number of system calls without returns, which makes it superior to conventional ROP attacks. Finally, the SeBROP attack precisely identifies many useful gadgets that constitute a Turing-complete set. The SeBROP attack can defeat almost all state-of-the-art defense techniques and is compatible with both modern 64-bit and 32-bit systems. To validate its effectiveness, we craft three SeBROP exploits for three real-world applications, i.e., 32-bit Apache 1.3.49, 32-bit ProFTPD 1.3.0, and 64-bit Nginx 1.4.0. Experimental results demonstrate that the SeBROP attack can successfully spawn a remote shell on Nginx, ProFTPD, and Apache with fewer than 8500, 4300, and 2100 requests, respectively.

Keywords

code-reuse attack / ROP / signal

Cite this article

Tianning ZHANG, Miao CAI, Diming ZHANG, Hao HUANG. SeBROP: blind ROP attacks without returns. Front. Comput. Sci., 2022, 16(4): 164818. DOI: 10.1007/s11704-021-0342-8


