DOI: 10.1145/2714576.2737090

Securing Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future?

Published: 14 April 2015

Abstract

Exploitation of memory-corruption vulnerabilities in widely-used software has been a threat for over two decades and no end seems to be in sight. Since performance and backwards compatibility trump security concerns, popular programs such as web browsers, servers, and office suites still contain large amounts of untrusted legacy code written in error-prone languages such as C and C++. At the same time, modern exploits are evolving quickly and routinely incorporate sophisticated techniques such as code reuse and memory disclosure. As a result, they bypass all widely deployed countermeasures including data execution prevention (DEP) and code randomization such as address space layout randomization (ASLR).
The good news is that the security community has recently introduced several promising prototype defenses that offer a more principled response to modern exploits. Even though these solutions have improved substantially over time, they are not perfect and weaknesses that allow bypasses are continually being discovered. Moreover, it remains to be seen whether these prototype defenses can be matured and integrated into operating systems, compilers, and other systems software.
This paper provides a brief overview of current state-of-the-art exploitation and defense techniques against run-time exploits and elaborates on innovative research prototypes that may one day stem the tide of sophisticated exploits. We also provide a brief analysis and categorization of existing defensive techniques and ongoing work in the areas of code randomization and control-flow integrity, and cover both hardware and software-based solutions.




Published In

ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security
April 2015
698 pages
ISBN: 9781450332453
DOI: 10.1145/2714576

Publisher

Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. control-flow integrity
    2. fine-grained randomization
    3. software exploitation

    Qualifiers

    • Research-article

Conference

ASIA CCS '15: 10th ACM Symposium on Information, Computer and Communications Security
April 14 - March 17, 2015
Singapore, Republic of Singapore

    Acceptance Rates

    ASIA CCS '15 Paper Acceptance Rate 48 of 269 submissions, 18%;
    Overall Acceptance Rate 418 of 2,322 submissions, 18%

Article Metrics

• Downloads (last 12 months): 8
• Downloads (last 6 weeks): 1
Reflects downloads up to 15 Feb 2025

Cited By

• (2019) Defeating denial-of-service attacks in a self-managing N-variant system. Proceedings of the 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, pp. 126-138. DOI: 10.1109/SEAMS.2019.00024. Online publication date: 25 May 2019.
• (2018) Towards Interface-Driven COTS Binary Hardening. Proceedings of the 2018 Workshop on Forming an Ecosystem Around Software Transformation, pp. 20-26. DOI: 10.1145/3273045.3273051. Online publication date: 15 Oct 2018.
• (2017) Supplementing Modern Software Defenses with Stack-Pointer Sanity. Proceedings of the 33rd Annual Computer Security Applications Conference, pp. 116-127. DOI: 10.1145/3134600.3134641. Online publication date: 4 Dec 2017.
• (2017) Object Flow Integrity. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1909-1924. DOI: 10.1145/3133956.3133986. Online publication date: 30 Oct 2017.
• (2017) A Formal Model for an Ideal CFI. Information Security Practice and Experience, pp. 707-726. DOI: 10.1007/978-3-319-72359-4_44. Online publication date: 8 Dec 2017.
• (2016) Object injection vulnerability discovery based on latent semantic indexing. Proceedings of the 31st Annual ACM Symposium on Applied Computing, pp. 801-807. DOI: 10.1145/2851613.2851865. Online publication date: 4 Apr 2016.
• (2015) Counteracting Data-Only Malware with Code Pointer Examination. Proceedings of the 18th International Symposium on Research in Attacks, Intrusions, and Defenses, Volume 9404, pp. 177-197. DOI: 10.1007/978-3-319-26362-5_9. Online publication date: 2 Nov 2015.
