TY - GEN
T1 - Size does matter: why using gadget-chain length to prevent code-reuse attacks is hard
AU - Göktaş, Enes
AU - Athanasopoulos, Elias
AU - Polychronakis, Michalis
AU - Bos, Herbert
AU - Portokalidis, Georgios
N1 - Publisher Copyright:
Copyright © 2014 USENIX Security Symposium. All rights reserved.
PY - 2014
Y1 - 2014
AB - Code-reuse attacks based on return-oriented programming are among the most popular exploitation techniques used by attackers today. Few practical defenses are able to stop such attacks on arbitrary binaries without access to source code. A notable exception is the class of techniques that employ new hardware, such as Intel's Last Branch Record (LBR) registers, to track all indirect branches and raise an alert when a sensitive system call is reached by means of too many indirect branches to short gadgets, under the assumption that such gadget chains would be indicative of a ROP attack. In this paper, we evaluate the implications. What is "too many" and how short is "short"? Getting the thresholds wrong has serious consequences. We show by means of an attack on Internet Explorer that while current defenses based on these techniques raise the bar for exploitation, they can be bypassed. Conversely, tuning the thresholds to make the defenses more aggressive may flag legitimate program behavior as an attack. We analyze the problem in detail and show that determining the right values is difficult.
UR - http://www.scopus.com/inward/record.url?scp=84977858681&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84977858681&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:84977858681
T3 - Proceedings of the 23rd USENIX Security Symposium
SP - 417
EP - 432
BT - Proceedings of the 23rd USENIX Security Symposium
T2 - 23rd USENIX Security Symposium
Y2 - 20 August 2014 through 22 August 2014
ER -