Proceedings ArticleDOI

The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

TLDR
A return-into-libc attack on x86 executables that calls no functions at all is presented, together with a static-analysis method for discovering the short instruction sequences the attack is built from.
Abstract
We present new techniques that allow a return-into-libc attack to be mounted on x86 executables that calls no functions at all. Our attack combines a large number of short instruction sequences to build gadgets that allow arbitrary computation. We show how to discover such instruction sequences by means of static analysis. We make use, in an essential way, of the properties of the x86 instruction set.
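The static-analysis step the abstract mentions, as an added example that is not the paper's code: a minimal ret-terminated sequence finder in C, assumed to run over 32-bit x86 code. It scans a byte buffer for 0xc3, tries every byte offset before each ret as a start point, and decodes forward with a small length decoder; a start is kept only when the walk lands exactly on the ret. The decoder covers only a handful of opcodes (an assumption made for brevity), so it is conservative: an unknown opcode ends a walk, sequences can be missed, but none is misreported. The sample bytes are constructed here as a literal; they are the ten-byte test/setnz illustration the paper uses, which contains no ret when decoded from its intended start but yields a four-instruction ret-terminated sequence when decoded from one byte later.

```c
/* Added example (not the paper's code): static scan for ret-terminated
 * instruction sequences. Every byte offset before a 0xc3 is tried as a start;
 * it is kept only if decoding forward lands exactly on the ret. The x86-32
 * length decoder covers a small opcode subset (assumed for brevity). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_BACK 20   /* bytes before a ret to try as start offsets */
struct gadget { size_t start, ret; unsigned ninsns; };

/* Bytes used by a ModRM operand (ModRM + SIB + displacement), 32-bit
 * addressing. Returns 0 if truncated. */
static size_t modrm_len(const uint8_t *p, size_t avail)
{
    if (avail < 1) return 0;
    unsigned mod = p[0] >> 6, rm = p[0] & 7;
    size_t len = 1;
    if (mod == 3) return 1;                          /* register operand */
    if (rm == 4) {                                   /* SIB byte present */
        if (avail < 2) return 0;
        len++;
        if (mod == 0 && (p[1] & 7) == 5) len += 4;   /* no base: disp32 */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                    /* absolute disp32 */
    }
    if (mod == 1) len += 1;                          /* disp8 */
    if (mod == 2) len += 4;                          /* disp32 */
    return len <= avail ? len : 0;
}

/* Length of the instruction at p, or 0 if outside the supported subset. */
size_t insn_len(const uint8_t *p, size_t avail)
{
    if (avail < 1) return 0;
    uint8_t op = p[0];
    size_t m;
    if (op >= 0x40 && op <= 0x5f) return 1;          /* inc/dec/push/pop r32 */
    if (op >= 0x90 && op <= 0x97) return 1;          /* nop, xchg eax,r32 */
    if (op == 0xc3 || op == 0xc9) return 1;          /* ret, leave */
    switch (op) {
    case 0xc7:                                       /* mov r/m32, imm32 (/0 only) */
        if (avail < 2 || ((p[1] >> 3) & 7) != 0) return 0;
        m = modrm_len(p + 1, avail - 1);
        return (m && 1 + m + 4 <= avail) ? 1 + m + 4 : 0;
    case 0xf7:                                       /* group 3: test imm32, not, neg, ... */
        m = modrm_len(p + 1, avail - 1);
        if (!m) return 0;
        if (((p[1] >> 3) & 7) <= 1)                  /* /0,/1: test r/m32, imm32 */
            return 1 + m + 4 <= avail ? 1 + m + 4 : 0;
        return 1 + m;
    case 0x0f:                                       /* two-byte: setcc r/m8 only */
        if (avail < 2 || p[1] < 0x90 || p[1] > 0x9f) return 0;
        m = modrm_len(p + 2, avail - 2);
        return m ? 2 + m : 0;
    }
    return 0;                                        /* unknown: walk ends here */
}

/* Instructions from start to ret inclusive, or 0 if the walk misses ret. */
static unsigned walk(const uint8_t *buf, size_t len, size_t start, size_t ret)
{
    size_t off = start;
    unsigned n = 0;
    while (off < ret) {
        size_t l = insn_len(buf + off, len - off);
        if (l == 0) return 0;
        off += l;
        n++;
    }
    return off == ret ? n + 1 : 0;                   /* +1 counts the ret */
}

/* Collect every ret-terminated sequence in buf; returns the number stored. */
size_t find_gadgets(const uint8_t *buf, size_t len, struct gadget *out, size_t max)
{
    size_t found = 0;
    for (size_t r = 0; r < len; r++) {
        if (buf[r] != 0xc3) continue;
        for (size_t s = r > MAX_BACK ? r - MAX_BACK : 0; s <= r && found < max; s++) {
            unsigned n = walk(buf, len, s, r);
            if (n) out[found++] = (struct gadget){ s, r, n };
        }
    }
    return found;
}

/* Constructed sample: from offset 0 it is test $7,%edi ; setnz -61(%ebp) with
 * no ret (0xc3 is the setnz displacement). From offset 1 the same bytes read
 * mov $0x0f000000,(%edi) ; xchg %ebp,%eax ; inc %ebp ; ret. */
const uint8_t sample_code[] = { 0xf7, 0xc7, 0x07, 0x00, 0x00, 0x00,
                                0x0f, 0x95, 0x45, 0xc3 };

int main(void)
{
    struct gadget g[16];
    size_t n = find_gadgets(sample_code, sizeof sample_code, g, 16);
    for (size_t i = 0; i < n; i++)
        printf("start %zu, ret at %zu: %u instruction(s)\n",
               g[i].start, g[i].ret, g[i].ninsns);
    return 0;
}
```

Run on the sample, the scan reports four sequences ending at the ret at offset 9, starting at offsets 1, 7, 8 and 9; the one at offset 1 is the unintended four-instruction sequence, and offset 0 is rejected because the intended decoding steps over the 0xc3 as data. A real scanner replaces the subset decoder with a full length decoder; the walk and the enumerate-every-start structure stay the same.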


Citations
Proceedings ArticleDOI

Spectre Attacks: Exploiting Speculative Execution

TL;DR: Spectre is a class of attacks that exploits speculative execution to leak a victim's confidential information to the adversary over a side channel; it can read arbitrary memory from a victim process.
Proceedings ArticleDOI

SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis

TL;DR: This paper presents a binary analysis framework that implements a number of previously proposed analysis techniques in a single unifying framework, which allows other researchers to compose them and develop new approaches.
Proceedings ArticleDOI

SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes

TL;DR: SecVisor, a tiny hypervisor that ensures code integrity for commodity OS kernels, guarantees that only user-approved code can execute in kernel mode over the entire system lifetime, which protects the kernel against code injection attacks such as kernel rootkits.
Proceedings ArticleDOI

SoK: Eternal War in Memory

TL;DR: Current knowledge about various protection techniques is systematized by setting up a general model for memory corruption attacks, showing which policies can stop which attacks, in order to analyze why protection mechanisms that implement stricter policies are not deployed.
Proceedings ArticleDOI

Return-oriented programming without returns

TL;DR: It is shown that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions, and these attacks instead make use of certain instruction sequences that behave like a return.
References
Proceedings ArticleDOI

On the effectiveness of address-space randomization

TL;DR: A derandomization attack is demonstrated that converts any standard buffer-overflow exploit into one that works against systems protected by address-space randomization, and it is concluded that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed.
Proceedings Article

Evaluating SFI for a CISC architecture

TL;DR: This work presents a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB and describes an implementation which provides a robust security guarantee and has low runtime overheads.
Proceedings Article

Automating mimicry attacks using static binary analysis

TL;DR: A novel technique to evade the extended detection features of state-of-the-art intrusion detection systems and reduce the task of the intruder to a traditional mimicry attack is presented.
Proceedings Article

Where's the FEEB? the effectiveness of instruction set randomization

TL;DR: This paper investigates the possibility of a remote attacker determining an ISR key using an incremental attack, introduces a strategy for attacking ISR-protected servers, develops and analyzes two types of attack, and presents a technique for packaging the worm with a miniature virtual machine that reduces the number of key bytes an attacker must acquire to 128.