TY - GEN
T1 - Position-Independent Code Reuse
T2 - 3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
AU - Goktas, Enes
AU - Kollenda, Benjamin
AU - Koppe, Philipp
AU - Bosman, Erik
AU - Portokalidis, Georgios
AU - Holz, Thorsten
AU - Bos, Herbert
AU - Giuffrida, Cristiano
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/7/6
Y1 - 2018/7/6
N2 - Address-space layout randomization is a well-established defense against code-reuse attacks. However, it can be completely bypassed by just-in-time code-reuse attacks that rely on information disclosure of code addresses via memory or side-channel exposure. To address this fundamental weakness, much recent research has focused on detecting and mitigating information disclosure. The assumption is that if we perfect such techniques, we will not only maintain layout secrecy but also stop code reuse. In this paper, we demonstrate that an advanced attacker can mount practical code-reuse attacks even in the complete absence of information disclosure. To this end, we present Position-Independent Code-Reuse Attacks, a new class of code-reuse attacks relying on the relative rather than absolute location of code gadgets in memory. By means of memory massaging, the attacker first makes the victim program generate a rudimentary ROP payload (for instance, containing code pointers that target instructions 'close' to relevant gadgets). Afterwards, the addresses in this payload are patched with small offsets via relative memory writes. To establish the practicality of such attacks, we present multiple Position-Independent ROP exploits against real-world software. After showing that we can bypass ASLR in current systems without requiring information disclosures, we evaluate the impact of our technique on other defenses, such as fine-grained ASLR, multi-variant execution, execute-only memory and re-randomization. We conclude by discussing potential mitigations.
AB - Address-space layout randomization is a well-established defense against code-reuse attacks. However, it can be completely bypassed by just-in-time code-reuse attacks that rely on information disclosure of code addresses via memory or side-channel exposure. To address this fundamental weakness, much recent research has focused on detecting and mitigating information disclosure. The assumption is that if we perfect such techniques, we will not only maintain layout secrecy but also stop code reuse. In this paper, we demonstrate that an advanced attacker can mount practical code-reuse attacks even in the complete absence of information disclosure. To this end, we present Position-Independent Code-Reuse Attacks, a new class of code-reuse attacks relying on the relative rather than absolute location of code gadgets in memory. By means of memory massaging, the attacker first makes the victim program generate a rudimentary ROP payload (for instance, containing code pointers that target instructions 'close' to relevant gadgets). Afterwards, the addresses in this payload are patched with small offsets via relative memory writes. To establish the practicality of such attacks, we present multiple Position-Independent ROP exploits against real-world software. After showing that we can bypass ASLR in current systems without requiring information disclosures, we evaluate the impact of our technique on other defenses, such as fine-grained ASLR, multi-variant execution, execute-only memory and re-randomization. We conclude by discussing potential mitigations.
KW - exploitation
KW - security
KW - vulnerability
UR - http://www.scopus.com/inward/record.url?scp=85050764032&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85050764032&partnerID=8YFLogxK
U2 - 10.1109/EuroSP.2018.00024
DO - 10.1109/EuroSP.2018.00024
M3 - Conference contribution
AN - SCOPUS:85050764032
T3 - Proceedings - 3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
SP - 227
EP - 242
BT - Proceedings - 3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
Y2 - 24 April 2018 through 26 April 2018
ER -