eSROP Attack: Leveraging Signal Handler to Implement Turing-Complete Attack Under CFI Defense

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2022)

Abstract

Signal Return Oriented Programming (SROP) is a dangerous code reuse attack. Defense techniques have recently been proposed to defeat SROP attacks. In this paper, we leverage the signal nesting mechanism provided by current operating systems and propose a new variant of SROP called the enhanced SROP (eSROP) attack. eSROP can invoke arbitrary system calls, simulate Turing-complete computation, and even bypass fine-grained label-based CFI defenses, without modifying the return address or the instruction pointer register in the signal frame. Because the signal handler returns to the interrupted instruction, a shadow stack defense can hardly detect the attack. Signals are highly flexible and can interrupt the normal control flow; we leverage this flexibility to design a new code reuse attack. To evaluate eSROP, we perform two exploits on two real-world programs, Proftpd and Wu-ftpd. In both attacks, an adversary can invoke arbitrary system calls and obtain a root shell. Both attacks succeed within 10 min under strict system defenses such as data execution prevention, address space layout randomization, and coarse-grained control flow integrity.



Acknowledgement

This paper is supported by Fundamental Research Funds for the Central Universities (No. B220202073), Natural Science Foundation of Jiangsu Province (No. BK20220973), CCF-Huawei Innovation Research Plan (No. CCF2021-admin-270-202101), China Postdoctoral Science Foundation (No. 2022M711014), Jiangsu Planned Projects for Postdoctoral Research Funds (No. 2021K635C).

Corresponding author

Correspondence to Tianning Zhang.

Copyright information

© 2023 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

Cite this paper

Zhang, T., Cai, M., Zhang, D., Huang, H. (2023). eSROP Attack: Leveraging Signal Handler to Implement Turing-Complete Attack Under CFI Defense. In: Li, F., Liang, K., Lin, Z., Katsikas, S.K. (eds) Security and Privacy in Communication Networks. SecureComm 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 462. Springer, Cham. https://doi.org/10.1007/978-3-031-25538-0_39

  • DOI: https://doi.org/10.1007/978-3-031-25538-0_39

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-25537-3

  • Online ISBN: 978-3-031-25538-0

  • eBook Packages: Computer Science, Computer Science (R0)
