2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
DOI: 10.1109/dsn.2017.58
Towards Automated Discovery of Crash-Resistant Primitives in Binary Executables

Abstract: General rights. Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners, and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.
• Users may download and print one copy of any publication from the public portal for the purpose of private study or research.
• You may not further distribute the material or use it for any profit-making activity or commer…

Cited by 12 publications (9 citation statements). References 29 publications.

Citation statements:
“…BROP blindly probes for certain types of (ROP) gadgets instead of whole functions, by observing signals like crashes, hangs and other behavior. CROP [30,54] demonstrates similar attacks on crash-resistant client programs, using arbitrary memory read/write probes. However, where such attacks only apply to crash-resistant code, we target the crash sensitive kernel.…”
Section: "Blind" Code-reuse Attacks (confidence: 94%)
“…Absent additional info-leak vulnerabilities that grant attackers arbitrary memory read primitives, attackers need to resort to probing primitives to hack blind. Traditionally, such primitives are used in BROP [10] or similar attacks [7,30,54,79] to repeatedly probe the victim with controlled memory accesses. A major limitation of such attacks is that they trigger repeated, detection-prone crashes.…”
Section: Introduction (confidence: 99%)
“…viz., Blind ROP (BROP) [14], remote arbitrary memory read-/write primitives [57], server-side Crash-Resistant Oriented Programming (CROP) [41], and allocation oracles [54].…”
Section: Effectiveness (confidence: 99%)
“…To evaluate whether ProbeGuard can stop CROP (kernel memory read/write) probing attacks, we used such an attack described by Kollenda et al. [41]. Locating the next client connection via ngx_cycle->free_connections before sending a partial HTTP GET request, the attacker exploits a kernel memory write primitive to probe a chosen memory region by controlling the connection buffer (ngx_buf_t) parameters.…”
Section: Effectiveness (confidence: 99%)
“…Traditional attacks against randomization rely on memory disclosure to leak code pointers from code/data sections and bypass the protection [15], [16], [34], [106]. Other attacks demonstrate that, even in the absence of memory disclosure, an attacker can bypass coarse-grained randomization (traditional ASLR) via a variety of side channels, such as control flow [107], [108], memory deduplication [109], cache [110], [111], TLB [111], crashes [19], [112], exceptions [17], [113], [114], and memory allocations [18]. Unlike all these techniques, PIROP demonstrates that information disclosure is not a fundamental precondition for modern code-reuse attacks and practical exploits are still possible even with fine-grained randomization and no disclosure capabilities.…”
Section: Related Work (confidence: 99%)