SeBROP: blind ROP attacks without returns

Currently, security-critical server programs are well protected by various defense techniques, such as Address Space Layout Randomization(ASLR), eXecute Only Memory(XOM), and Data Execution Prevention(DEP), against modern code-reuse attacks like Return-oriented Programming(ROP) attacks. Moreover, in...

Celý popis

Uloženo v:
Podrobná bibliografie
Vydáno v:Frontiers of Computer Science Ročník 16; číslo 4; s. 164818
Hlavní autoři: ZHANG, Tianning, CAI, Miao, ZHANG, Diming, HUANG, Hao
Médium: Journal Article
Jazyk:angličtina
Vydáno: Beijing Higher Education Press 01.08.2022
Springer Nature B.V
Témata:
code-reuse attack
Computer Science
Exploitation
Flow control
Libraries
Research Article
ROP
Servers
signal
Software
System effectiveness
code-reuse attack
signal
ROP
ISSN:2095-2228, 2095-2236
On-line přístup:Získat plný text
Tagy: Přidat tag
Žádné tagy, Buďte první, kdo vytvoří štítek k tomuto záznamu!
Popis
Shrnutí:Currently, security-critical server programs are well protected by various defense techniques, such as Address Space Layout Randomization(ASLR), eXecute Only Memory(XOM), and Data Execution Prevention(DEP), against modern code-reuse attacks like Return-oriented Programming(ROP) attacks. Moreover, in these victim programs, most syscall instructions lack the following ret instructions, which prevents attacks to stitch multiple system calls to implement advanced behaviors like launching a remote shell. Lacking this kind of gadget greatly constrains the capability of code-reuse attacks. This paper proposes a novel code-reuse attack method called Signal Enhanced Blind Return Oriented Programming(SeBROP) to address these challenges. Our SeBROP can initiate a successful exploit to server-side programs using only a stack overflow vulnerability. By leveraging a side-channel that exists in the victim program, we show how to find a variety of gadgets blindly without any pre-knowledges or reading/disassembling the code segment. Then, we propose a technique that exploits the current vulnerable signal checking mechanism to realize the execution flow control even when ret instructions are absent. Our technique can stitch a number of system calls without returns, which is more superior to conventional ROP attacks. Finally, the SeBROP attack precisely identifies many useful gadgets to constitute a Turing-complete set. SeBROP attack can defeat almost all state-of-the-art defense techniques. The SeBROP attack is compatible with both modern 64-bit and 32-bit systems. To validate its effectiveness, We craft three exploits of the SeBROP attack for three real-world applications, i.e., 32-bit Apache 1.3.49, 32-bit ProFTPD 1.3.0, and 64-bit Nginx 1.4.0. Experimental results demonstrate that the SeBROP attack can successfully spawn a remote shell on Nginx, ProFTPD, and Apache with less than 8500/4300/2100 requests, respectively.
Bibliografie:Document received on :2020-07-14
ROP
code-reuse attack
Document accepted on :2021-01-20
signal
ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:2095-2228
2095-2236
DOI:10.1007/s11704-021-0342-8