A Generic Technique for Automatically Finding Defense-Aware Code Reuse Attacks

Download: Paper, View PPTX Slides, Download PPTX Slides, Video.

“A Generic Technique for Automatically Finding Defense-Aware Code Reuse Attacks” by Edward J. Schwartz, Stephanie M. Schwartz, Cory F. Cohen, and Jeffrey S. Gennari. In Proceedings of the ACM Conference on Computer and Communications Security, 2020.

Abstract

Code reuse attacks have been the subject of a substantial amount of research during the past decade. This research largely resulted from early work on Return-Oriented Programming (ROP), which showed that the then newly proposed Non-Executable Memory (NX) defense could be bypassed. More recently, the research community has been simultaneously investigating new defenses that are believed to thwart code reuse attacks, such as Control Flow Integrity (CFI), and defense-aware techniques for attacking these defenses, such as Data-Oriented Programming (DOP). Unfortunately, the feasibility of defense-aware attacks is highly dependent on the behavior of the attacked program, which makes it difficult for defenders to understand how much protection a defense such as CFI may provide. To better understand this, researchers have introduced automated defense-aware code reuse attack systems. Unfortunately, the handful of existing systems each implement a single fixed, defense-specific strategy that is complex and cannot be used to consider other defenses.

In this paper, we propose a generic framework for automatically discovering defense-aware code reuse attacks in executables. Unlike existing work, which utilizes hard-coded strategies for specific defenses, our framework can produce attacks for multiple defenses by analyzing the runtime behavior of the defense. The high-level insight behind our framework is that code reuse attacks can be defined as a state reachability problem, and that defenses prevent some transitions between states. We implement our framework as a tool named Limbo, which employs an existing binary concolic executor to solve the reachability problem. We evaluate Limbo and show that it excels when there is little code available for reuse, making it complementary to existing techniques. We show that, in such scenarios, Limbo outperforms existing systems that automate ROP attacks, as well as systems that automate DOP attacks in the presence of fine-grained CFI, despite having no special knowledge about ROP or DOP attacks.
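The abstract's central framing, that a code reuse attack is a reachability question over program states and that a defense removes some transitions between those states, is easy to see on a small model. The following is an added illustration written for this page, not Limbo's code or anything from the paper: the abstract states, the transition "kinds" and the two defense models (an unprotected baseline and a shadow-stack-like policy that rejects hijacked returns) are all constructed assumptions. The point it shows, in the defender's direction, is how to measure what a defense buys: the same reachability query run under each defense model reports which states stop being reachable and which remain so through transitions the defense does not govern.

```python
"""
Toy model of defense-aware code reuse as state reachability.
Added example for this page; not code from the paper or from Limbo.
All states, transitions and defense models below are constructed.
"""
from collections import deque

# Constructed abstract program states. Each transition is (src, dst, kind),
# where kind records how the transition is taken, so a defense model can veto
# it. Assumed vocabulary: "direct" = ordinary call/jump on the intended CFG,
# "ret" = return to a corrupted return address, "data" = only data changes.
TRANSITIONS = [
    ("entry",       "parse_input", "direct"),
    ("parse_input", "overflow",    "direct"),  # memory corruption is reached
    ("overflow",    "gadget_a",    "ret"),     # hijacked return
    ("gadget_a",    "gadget_b",    "ret"),
    ("gadget_b",    "syscall",     "ret"),
    ("overflow",    "flag_set",    "data"),    # corrupt a decision flag only
    ("flag_set",    "privileged",  "direct"),  # legitimate edge, bad data
    ("entry",       "exit",        "direct"),
]

def no_defense(src, dst, kind):
    """Baseline model: every transition the program can take is allowed."""
    return True

def shadow_stack_like(src, dst, kind):
    """Assumed defense model: returns to addresses that are not the real
    caller are rejected, so every 'ret' transition in the model is removed.
    Data-only corruption and legitimate control edges are untouched."""
    return kind != "ret"

def reachable(transitions, start, allowed):
    """Breadth-first reachability over the state graph, keeping only the
    transitions the defense model permits. Returns the set of states."""
    graph = {}
    for src, dst, kind in transitions:
        if allowed(src, dst, kind):
            graph.setdefault(src, []).append(dst)
    seen = {start}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for nxt in graph.get(state, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def target_reachable(transitions, start, target, allowed):
    """The attack-as-reachability question: can `target` be reached from
    `start` when only the transitions `allowed` permits are available?"""
    return target in reachable(transitions, start, allowed)

def states_removed_by(transitions, start, defense):
    """Defender's view: which states become unreachable once `defense` is
    applied, relative to the unprotected baseline."""
    return reachable(transitions, start, no_defense) - reachable(transitions, start, defense)

if __name__ == "__main__":
    for name, model in (("no defense", no_defense), ("shadow-stack-like", shadow_stack_like)):
        print(f"{name:18s} syscall reachable: {target_reachable(TRANSITIONS, 'entry', 'syscall', model)}"
              f"  privileged reachable: {target_reachable(TRANSITIONS, 'entry', 'privileged', model)}")
    print("removed by shadow-stack-like:", sorted(states_removed_by(TRANSITIONS, "entry", shadow_stack_like)))
```

Running the module prints that the return-based path to `syscall` disappears under the shadow-stack-like model while the data-only path to `privileged` survives, which is the abstract's observation about DOP-style attacks under CFI in miniature. Limbo itself answers the same reachability question on real binaries with a concolic executor rather than a hand-built graph, and learns the pruned transitions by observing the defense's runtime behavior rather than from a fixed predicate like the one here.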


BibTeX entry:

@inproceedings{schwartz:2020:limbo,
   author = {Edward J. Schwartz and Stephanie M. Schwartz and Cory F.
	Cohen and Jeffrey S. Gennari},
   title = {A Generic Technique for Automatically Finding Defense-Aware
	Code Reuse Attacks},
   booktitle = {Proceedings of the {ACM} Conference on Computer and
	Communications Security},
   year = {2020}
}
