The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

@inproceedings{Shacham2007TheGO,
  title={The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)},
  author={Hovav Shacham},
  booktitle={Conference on Computer and Communications Security},
  year={2007},
  url={https://api.semanticscholar.org/CorpusID:11639591}
}
This paper presents a return-into-libc attack on x86 executables that calls no functions at all: instead of chaining whole libc functions, it chains short instruction sequences already present in libc and ending in a return, and it shows how to discover such sequences automatically by static analysis of the binary.
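The abstract's second claim, that the useful instruction sequences can be discovered by static analysis, is illustrated by the added Python example below. It is not code from the paper or from this page: it implements the backward search the paper describes (from every byte that decodes as `ret`, try each possible length of a preceding instruction and keep the ones that decode to exactly that length, recursively) over a constructed byte string standing in for a libc text section, using a deliberately tiny x86-32 decoder. It goes slightly beyond the abstract by also accepting `jmp r32` as a return-like terminator, the kind of sequence the "without returns" follow-up work listed below relies on. The names `decode`, `find_gadgets`, `gadget_listing` and `SAMPLE_CODE`, and the sample bytes themselves, are this example's own assumptions.

```python
"""Galileo-style gadget discovery (added example, not code from the paper).

Scan a code region for every position that decodes as a return, or as an
indirect jmp through a register (a generalization: it behaves like a return
for chaining), then walk backwards to enumerate every instruction sequence
that ends there. The decoder is intentionally tiny; a real tool uses a full
disassembler. SAMPLE_CODE is constructed for this example.
"""
from __future__ import annotations
from typing import Optional

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# opcode -> mnemonic for the two-byte "op r/m32, r32" forms we model
RM_R32 = {0x01: "add", 0x09: "or", 0x21: "and", 0x29: "sub",
          0x31: "xor", 0x39: "cmp", 0x89: "mov"}
MAX_INSN_LEN = 5            # longest encoding the toy decoder emits
TERMINATORS = ("ret", "jmp ")


def decode(code: bytes, pos: int) -> Optional[tuple[str, int]]:
    """Decode the single instruction at code[pos] as (text, length), or None."""
    if pos < 0 or pos >= len(code):
        return None
    op = code[pos]
    if op == 0xC3:
        return ("ret", 1)
    if op == 0x90:
        return ("nop", 1)
    if op == 0xC9:
        return ("leave", 1)
    if 0x50 <= op <= 0x57:
        return (f"push {REGS[op - 0x50]}", 1)
    if 0x58 <= op <= 0x5F:
        return (f"pop {REGS[op - 0x58]}", 1)
    if 0x91 <= op <= 0x97:
        return (f"xchg eax, {REGS[op - 0x90]}", 1)
    if op in RM_R32 or op in (0x8B, 0xFF):
        if pos + 1 >= len(code):
            return None
        modrm = code[pos + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod != 3:                      # only register-direct operands modelled
            return None
        if op == 0xFF:                    # FF /4 = jmp r/m32
            return (f"jmp {REGS[rm]}", 2) if reg == 4 else None
        if op == 0x8B:                    # mov r32, r/m32
            return (f"mov {REGS[reg]}, {REGS[rm]}", 2)
        return (f"{RM_R32[op]} {REGS[rm]}, {REGS[reg]}", 2)
    if 0xB8 <= op <= 0xBF and pos + 5 <= len(code):   # mov r32, imm32
        imm = int.from_bytes(code[pos + 1:pos + 5], "little")
        return (f"mov {REGS[op - 0xB8]}, 0x{imm:x}", 5)
    if op == 0x68 and pos + 5 <= len(code):           # push imm32
        imm = int.from_bytes(code[pos + 1:pos + 5], "little")
        return (f"push 0x{imm:x}", 5)
    return None


def is_terminator(text: str) -> bool:
    return text.startswith(TERMINATORS)


def find_gadgets(code: bytes, max_insns: int = 5) -> dict[int, list[str]]:
    """Map each usable start offset to the sequence that runs from there to a
    terminator. Forward decoding from a fixed start is deterministic, so the
    backward search from each terminator enumerates all such starts."""
    gadgets: dict[int, list[str]] = {}

    def walk(start: int, seq: list[str]) -> None:
        gadgets[start] = seq
        if len(seq) >= max_insns:
            return
        for length in range(1, MAX_INSN_LEN + 1):
            prev = decode(code, start - length)
            # keep only an instruction that ends exactly at `start` and is not
            # itself a terminator (that start is a shorter gadget already)
            if prev and prev[1] == length and not is_terminator(prev[0]):
                walk(start - length, [prev[0]] + seq)

    for pos in range(len(code)):
        insn = decode(code, pos)
        if insn and is_terminator(insn[0]):
            walk(pos, [insn[0]])
    return gadgets


# Constructed "libc" fragment. The imm32 of `mov eax, 0xc35b5e5f` is the
# byte string 5f 5e 5b c3, so entering at offset 4 yields the unintended
# sequence pop edi; pop esi; pop ebx; ret that no compiler emitted.
SAMPLE_CODE = bytes([
    0x55,                           # 0:  push ebp
    0x89, 0xE5,                     # 1:  mov ebp, esp
    0xB8, 0x5F, 0x5E, 0x5B, 0xC3,   # 3:  mov eax, 0xc35b5e5f
    0x01, 0xC8,                     # 8:  add eax, ecx
    0xC3,                           # 10: ret
    0x5A,                           # 11: pop edx
    0xFF, 0xE2,                     # 12: jmp edx   (return-like terminator)
    0x90,                           # 14: nop
])


def gadget_listing(code: bytes) -> list[str]:
    """Human-readable catalog, sorted by start offset."""
    found = find_gadgets(code)
    return [f"0x{off:02x}: " + "; ".join(seq) for off, seq in sorted(found.items())]


if __name__ == "__main__":
    for line in gadget_listing(SAMPLE_CODE):
        print(line)
```

Running the listing over the sample bytes shows the point of the paper's x86 argument: the same bytes decode to different instruction streams depending on the entry offset, so a single `0xc3` inside an immediate turns a harmless `mov` into a three-register `pop` gadget. Production gadget finders do the same search with a complete disassembler and a much denser supply of `ret` bytes than this toy fragment.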


Return-oriented programming without returns

We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction

Escape From Return-Oriented Programming: Return-oriented Programming without Returns (on the x86)

It is shown that on the x86 it is possible to mount a return-oriented programming attack without using any return instructions, and a new attack is proposed that makes use of certain instruction sequences that behave like a return.

On the Expressiveness of Return-into-libc Attacks

This paper presents a generalized RILC attack called Turing complete RILC (TC-RILC) that allows for arbitrary computations and demonstrates that TC-RILC satisfies formal requirements of Turing-completeness.

Challenges of Return-Oriented-Programming on the Xtensa Hardware Architecture

This paper shows how the Xtensa architecture can be attacked with Return-Oriented Programming (ROP), focusing on how the properties of the architecture itself can be exploited to chain gadgets rather than on specific attacks or a gadget catalog.

When good instructions go bad: generalizing return-oriented programming to RISC

It is argued that the threat posed by return-oriented programming, across all architectures and systems, has negative implications for an entire class of security mechanisms: those that seek to prevent malicious computation by preventing the execution of malicious code.

RUHR-UNIVERSITÄT BOCHUM

It is shown that this attack is Turing-complete and can induce arbitrary change of behavior in running programs without any code injection.

Return-Oriented Programming Gadget Catalog for the Xtensa Architecture

The modern, highly customizable Xtensa architecture for embedded devices is exploitable by Return-Oriented Programming (ROP) attacks, and the presented gadget catalog provides Turing completeness, which allows arbitrary computation by an exploit program.

Return-Oriented Programming in RISC-V

It is shown that RISC-V ROP can be used to perform Turing complete calculation and arbitrary function calls by leveraging gadgets found in a version of the GNU libc library.

Hiding in the Particles: When Return-Oriented Programming Meets Program Obfuscation

This work shows how to build chains that can withstand popular static and dynamic deobfuscation approaches, evaluating the robustness and overheads of the design over common programs.
...

Smashing the stack for fun and profit

On many C implementations it is possible to corrupt the execution stack by writing past the end of an array declared auto in a routine. Code that does this is said to smash the stack, and it can cause the return from the routine to jump to a random address.

Evaluating SFI for a CISC Architecture

This work presents a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB and describes an implementation which provides a robust security guarantee and has low runtime overheads.

Where's the FEEB? The Effectiveness of Instruction Set Randomization

This paper investigates the possibility of a remote attacker successfully determining an ISR key using an incremental attack, introduces a strategy for attacking ISR-protected servers, develops and analyzes two types of attack, and presents a technique for packaging the worm with a miniature virtual machine that reduces the number of key bytes an attacker must acquire to 128.

On the effectiveness of address-space randomization

A derandomization attack is demonstrated that will convert any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization, and it is concluded that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed.

Automating Mimicry Attacks Using Static Binary Analysis

A novel technique to evade the extended detection features of state-of-the-art intrusion detection systems and reduce the task of the intruder to a traditional mimicry attack is presented.

Randomized instruction set emulation

The paper describes and analyzes RISE, describing a proof-of-concept implementation built on the open-source Valgrind IA32-to-IA32 translator that effectively disrupts binary code injection attacks, without requiring recompilation, linking, or access to application source code.

Experiences Using Minos as a Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities

The Epsilon-Gamma-Pi model is proposed to describe control data attacks in a way that is useful towards understanding polymorphic techniques and will quantify the polymorphism available to an attacker for γ and π.

Secure Programming for Linux and Unix HOWTO

This book provides a set of design and implementation guidelines for writing secure programs for Linux and Unix systems, including application programs used as viewers of remote data, web applications, network servers, and setuid/setgid programs.

Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server

This paper presents several methods of bypassing the protection mechanism built into Microsoft's Windows 2003 Server that attempts to prevent the exploitation of stack based buffer overflows, and describes two similar methods that rely on structured exception handling and can be used generically to defeat stack protection.

IA-32 Intel Architecture Software Developers Manual

NOTE: The IA-32 Intel Architecture Software Developer's Manual consists of five volumes: Basic Architecture, Order Number 253665; Instruction Set Reference A-M, Order Number 253666; Instruction Set