Advertisement

A Survey of Code Reuse Attack and Defense

  • Bingbing LuoEmail author
  • Yimin Yang
  • Changhe Zhang
  • Yi Wang
  • Baoying Zhang
Conference paper
  • 426 Downloads
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 885)

Abstract

Code reuse attack is a devastating way of attack. It has great threat and can bypass many kinds of existing security measures and become the mainstream attack mode of attackers. For this reason, research in the field of code reuse attacks is also increasing. This paper briefly describes the origin of code reuse attacks, the way to attack the implementation, systematically summarizes the existing defense mechanisms and evaluates these defense mechanisms. The basic reasons for the code reuse attack are briefly analyzed.

Keywords

Code reuse attacks ROP ASLR 

References

  1. 1.
    Common Weakness Enumeration—Top Software Vulnerabilities. http://cwe.mitre.org/top25/index.html
  2. 2.
    Nergal, : The advanced return-into-lib(c) exploits: PaX case study. Phrack Mag. 11, 4–14 (2001)Google Scholar
  3. 3.
    Designer, S.: Getting around non-executable stack (and fix) (1997). http://seclists.org/bugtraq/1997/Aug/63
  4. 4.
  5. 5.
    Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: ACM SIGSAC Conference on Computer and Communications Security CCS (2007)Google Scholar
  6. 6.
    Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: systems, languages, and applications. ACM Trans. Inf. Syst. Secur. 15, 2 (2012)CrossRefGoogle Scholar
  7. 7.
    Buchanan, E., Roemer, R., Shacham, H., Savage, S.: When good instructions go bad: generalizing returnoriented programming to RISC. In: ACM SIGSAC Conference on Computer and Communications Security CCS (2008)Google Scholar
  8. 8.
    Francillon, A., Castelluccia, C.: Code injection attacks on harvard-architecture devices. In: ACM SIGSAC Conference on Computer and Communications Security CCS (2008)Google Scholar
  9. 9.
    Iozzo, V., Miller, C.: Fun and games with Mac OS X and iPhone payloads. Black Hat Europe (2009)Google Scholar
  10. 10.
    Kornau, T.: Return oriented programming for the ARM architecture. Master’s thesis, Ruhr-University Bochum (2009)Google Scholar
  11. 11.
    Lindner, F.: Cisco IOS router exploitation. Black Hat USA (2009)Google Scholar
  12. 12.
    Francillon, A., Perito, D., Castelluccia, C.: Defending embedded systems against control flow attacks. In: 1st ACM WORKSHOP on Secure Execution of Untrusted Code, SecuCode 2009 (2009)Google Scholar
  13. 13.
    Davi, L., Sadeghi, A.R., Winandy, M.: ROPdefender: a detection tool to defend against return-oriented programing attacks. Technical Report TR-2010-001 (2010)Google Scholar
  14. 14.
    Chen, P., Xiao, H., Shen, X., et al.: DROP: detecting return oriented programming mallicious code. In: The Proceedings of the International Conference on Information Systems Security ICISS (2009)Google Scholar
  15. 15.
    Davi, L., Sadeghi, A.R., Winandy, M.: Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks. In: The Proceedings of the 2009 ACM Workshop on Scalable Trusted Computing, ACM STC (2009)Google Scholar
  16. 16.
    Checkoway, S., Davi, L., Dmitrienko, A., et al.: Return-oriented programming without returns. In: ACM SIGSAC Conference on Computer and Communications Security CCS (2010)Google Scholar
  17. 17.
    Bletsch, T.K., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: 6th ACM Symposium on Information, computer and communications Security ASIACCS (2011)Google Scholar
  18. 18.
    Snow, K.Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., Sadeghi, A.R.: Just-in-time code reuse: on the effectiveness of fine-grained address space layout randomization. In: 34th IEEE symposium on security and privacy S&P (2013)Google Scholar
  19. 19.
    Carlini, N., Wagner, D.: ROP is still dangerous: breaking modern defenses. In: 23rd USENIX Security Symposium (2014)Google Scholar
  20. 20.
    Davi, L., Liebchen, C., Sadeghi, A.R., Snow, K.Z., Monrose, F.: Isomeron: code randomization resilient to (just-in-time) return-oriented programming. In: 22nd annual network and distributed system security symposium, NDSS (2015)Google Scholar
  21. 21.
    Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.R., Holz, T.: Counterfeit object-oriented programming: on the difficulty of preventing code reuse attacks in C++ applications. In: 36th IEEE Symposium on Security and Privacy, S&P (2015)Google Scholar
  22. 22.
    PAX TEAM: PaX Address Space Layout Randomization (ASLR). http://pax.grsecurity.net/docs/aslr.txt
  23. 23.
    Liu, L., Han, J., Gao, D., Jing, J., Zha, D.: Launching return-oriented programming attacks against randomized relocatable executables. In: IEEE International Conference on Trust, Security and Privacy in Computing and Communications, IEEE TrustCom (2011)Google Scholar
  24. 24.
    Shacham, H., Jin Goh, E., Modadugu, N., Pfaff, B., Boneh, D.: On the effectiveness of addressspace randomization. In: ACM SIGSAC Conference on Computer and Communications Security CCS (2004)Google Scholar
  25. 25.
    Serna, F.J.: The info leak era on software exploitation. Black Hat USA (2012)Google Scholar
  26. 26.
    Sotirov, A., Dowd, M.: Bypassing browser memory protections in Windows Vista (2008). http://www.phreedom.org/research/bypassing-browser-memory-protections/bypassing-browser-memory-protections.pdf
  27. 27.
    Kil, C., Jun, J., Bookholt, C., Xu, J., Ning, P.: Address space layout permutation (ASLP): towards fine-grained randomization of commodity software. In: 22nd Annual Computer Security Applications Conference ACSAC (2006)Google Scholar
  28. 28.
    Pappas, V., Polychronakis, M., Keromytis, A.D.: Smashing the gadgets: hindering return-oriented programming using in-place code randomization. In: 33rd IEEE Symposium on Security and Privacy S&P (2012)Google Scholar
  29. 29.
    Hiser, J.D., Nguyen-Tuong, A., Co, M., Hall, M., Davidson, J.W.: ILR: Where’d my gadgets go? In: 33rd IEEE Symposium on Security and Privacy S&P (2012)Google Scholar
  30. 30.
    Wartell, R., Mohan, V., Hamlen, K.W., Lin, Z.: Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In: ACM SIGSAC Conference on Computer and Communications Security CCS (2012)Google Scholar
  31. 31.
    Giuffrida, C., Kuijsten, A., Tanenbaum, A.S.: Enhanced operating system security through efficient and fine-grained address space randomization. In: 21st USENIX Security Symposium (2012)Google Scholar
  32. 32.
    Backes, M., Nurnberger, S.: Oxymoron: making fine-grained memory randomization practical by allowing code sharing. In: 23rd USENIX Security Symposium (2014)Google Scholar
  33. 33.
    Crane, S., Liebchen, C., Homescu, A., Davi, L., et al.: Readactor: practical code randomization resilient to memory disclosure. In: 36th IEEE Symposium on Security and Privacy S&P (2015)Google Scholar
  34. 34.
    Lu, K., Song, C., Lee, B., Chung, S.P., Kim, T., Lee, W.: ASLR-Guard: stopping address space leakage for code reuse attacks. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (2015)Google Scholar
  35. 35.
    Liu, Y., Zhou, T., Chen, K., Chen, H., Xia, Y.: Thwarting memory disclosure with efficient hypervisor-enforced intra-domain isolation. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (2015)Google Scholar
  36. 36.
    Davi, L., Liebchen, C., Sadeghi, A.-R., Snow, K.Z., Monrose, F.: Isomeron: code randomization resilient to (just-in-time) return-oriented programming. In: Proceedings of the 22nd Network and Distributed Systems Security Sym (NDSS) (2015)Google Scholar
  37. 37.
    Bigelow, D., Hobson, T., Rudd, R., Streilein, W., Okhravi, H.: Timely rerandomization for mitigating memory disclosures. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (2015)Google Scholar
  38. 38.
    Tang, A., Sethumadhavan, S., Stolfo, S.: Heisenbyte: thwarting memory disclosure attacks using destructive code reads. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (2015)Google Scholar
  39. 39.
    Wartell, R., Zhou, Y., Hamlen, K.W., Kantarcioglu, M., Thuraisingham, B.: Differentiating code from data in x86 binaries. In: Machine Learning and Knowledge Discovery in Databases, pp. 522–536. Springer (2011)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Bingbing Luo
    • 1
    Email author
  • Yimin Yang
    • 1
  • Changhe Zhang
    • 1
  • Yi Wang
    • 1
  • Baoying Zhang
    • 1
  1. 1.ZhangJiaKou Electric Power Co., Ltd.ZhangjiakouChina

Personalised recommendations