SeBROP: blind ROP attacks without returns (cited by: 1)
Authors: Tianning Zhang, Miao Cai, Diming Zhang, Hao Huang (+1 author). Frontiers of Computer Science (SCIE, EI, CSCD), 2022, No. 4, pp. 185-202 (18 pages)
Currently, security-critical server programs are well protected by various defense techniques, such as Address Space Layout Randomization (ASLR), eXecute Only Memory (XOM), and Data Execution Prevention (DEP), against modern code-reuse attacks like Return-oriented Programming (ROP) attacks. Moreover, in these victim programs, most syscall instructions lack a following ret instruction, which prevents attacks from stitching multiple system calls together to implement advanced behaviors like launching a remote shell. Lacking this kind of gadget greatly constrains the capability of code-reuse attacks. This paper proposes a novel code-reuse attack method called Signal Enhanced Blind Return Oriented Programming (SeBROP) to address these challenges. SeBROP can initiate a successful exploit against server-side programs using only a stack overflow vulnerability. By leveraging a side-channel that exists in the victim program, we show how to find a variety of gadgets blindly, without any prior knowledge and without reading or disassembling the code segment. Then, we propose a technique that exploits the current vulnerable signal checking mechanism to realize execution flow control even when ret instructions are absent. Our technique can stitch a number of system calls without returns, which is superior to conventional ROP attacks. Finally, the SeBROP attack precisely identifies many useful gadgets to constitute a Turing-complete set. The SeBROP attack can defeat almost all state-of-the-art defense techniques and is compatible with both modern 64-bit and 32-bit systems. To validate its effectiveness, we craft three exploits of the SeBROP attack for three real-world applications, i.e., 32-bit Apache 1.3.49, 32-bit ProFTPD 1.3.0, and 64-bit Nginx 1.4.0. Experimental results demonstrate that the SeBROP attack can successfully spawn a remote shell on Nginx, ProFTPD, and Apache with less than 8500/4300/2100 requests, respectively.
Keywords: code-reuse attack, ROP, signal