To strengthen systems against code injection attacks, the write or execute only policy (W + X) and address space layout randomization (ASLR) are typically used in combination. The former separates data and code, while the latter randomizes the layout of a process. In this paper we present a new attack to bypass W + X and ASLR. The state-of-the-art attack against this combination of protections is based on brute-force, while ours is based on the leakage of sensitive information about the memory layout of the process. Using our attack an attacker can exploit the majority of programs vulnerable to stack-based buffer overflows surgically, i.e., in a single attempt. We have estimated that our attack is feasible on 95.6% and 61.8% executables (of medium size) for Intel x86 and x86-64 architectures, respectively. We also analyze the effectiveness of other existing protections at preventing our attack. We conclude that position independent executables (PIE) are essential to complement ASLR and to prevent our attack. However, PIE requires recompilation, it is often not adopted even when supported, and it is not available on all ASLR-capable operating systems. To overcome these limitations, we propose a new protection that is as effective as PIE, does not require recompilation, and introduces only a minimal overhead.
|Titolo:||Surgically Returning to Randomized lib(c)|
|Data di pubblicazione:||2009|
|Parole Chiave:||Computer Networks and Communications; Software; Safety, Risk, Reliability and Quality|
|Settore Scientifico Disciplinare:||Settore INF/01 - Informatica|
|Enti collegati al convegno:||Applied Computer Security Associates (ACSAC)|
|Citazione:||Surgically Returning to Randomized lib(c) / G. Fresi Roglia, L. Martignoni, R. Paleari, D. Bruschi. ((Intervento presentato al 25. convegno Annual Computer Security Applications Conference tenutosi a Honolulu, Hawai nel 2009.|
|Appare nelle tipologie:||14 - Intervento a convegno non pubblicato|