Software Security—Exploits and Privilege Escalation

Part of the Information Security and Cryptography book series (ISC)

Abstract

Here we consider common methods that exploit vulnerabilities in (typically non-security) software programs, through abuse of features in programming languages, system architectures, and supporting functionality.

References

  1. M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Control-flow integrity. In ACM Comp. & Comm. Security (CCS), pages 340–353, 2005. Journal version: ACM TISSEC, 2009.

  2. P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. Preventing memory error exploits with WIT. In IEEE Symp. Security and Privacy, pages 263–277, 2008.

  3. Aleph One (Elias Levy). Smashing the stack for fun and profit. In Phrack Magazine, 8 Nov 1996, vol. 7 no. 49, file 14 of 16, http://www.phrack.org.

  4. C. Anley, J. Heasman, F. Lindner, and G. Richarte. The Shellcoder’s Handbook: Discovering and Exploiting Security Holes (2nd edition). Wiley, 2007.

  5. anonymous. Once upon a free()... In Phrack Magazine, 11 Aug 2001, vol. 11 no. 57, file 9 of 18, http://www.phrack.org (for summaries see: Dowd [25, p. 184–186], Aycock [7, p. 119–123]).

  6. K. Ashcraft and D. R. Engler. Using programmer-written compiler extensions to catch security holes. In IEEE Symp. Security and Privacy, pages 143–159, 2002.

  7. J. Aycock. Computer Viruses and Malware. Springer Science+Business Media, 2006.

  8. A. Bessey, K. Block, B. Chelf, A. Chou, B. Fulton, S. Hallem, C. Gros, A. Kamsky, S. McPeak, and D. R. Engler. A few billion lines of code later: using static analysis to find bugs in the real world. Comm. ACM, 53(2):66–75, 2010.

  9. M. Bishop and M. Dilger. Checking for race conditions in file accesses. Computing Systems, 9(2):131–152, 1996.

  10. D. Brumley, D. X. Song, T. Chiueh, R. Johnson, and H. Lin. RICH: Automatically protecting against integer-based vulnerabilities. In Netw. Dist. Sys. Security (NDSS), 2007.

  11. E. Buchanan, R. Roemer, H. Shacham, and S. Savage. When good instructions go bad: generalizing return-oriented programming to RISC. In ACM Comp. & Comm. Security (CCS), pages 27–38, 2008.

  12. N. Burow, S. A. Carr, J. Nash, P. Larsen, M. Franz, S. Brunthaler, and M. Payer. Control-flow integrity: Precision, security, and performance. ACM Computing Surveys, 50(1):16:1–16:33, 2017.

  13. J. Caballero, G. Grieco, M. Marron, and A. Nappa. Undangle: Early detection of dangling pointers in use-after-free and double-free vulnerabilities. In Int’l Symp. Soft. Testing & Anal. (ISSTA), pages 133–143, 2012.

  14. X. Cai, Y. Gui, and R. Johnson. Exploiting Unix file-system races via algorithmic complexity attacks. In IEEE Symp. Security and Privacy, pages 27–44, 2009.

  15. S. Chari, S. Halevi, and W. Z. Venema. Where do you want to go today? Escalating privileges by pathname manipulation. In Netw. Dist. Sys. Security (NDSS), 2010.

  16. H. Chen, D. Dean, and D. A. Wagner. Model checking one million lines of C code. In Netw. Dist. Sys. Security (NDSS), 2004.

  17. H. Chen and D. A. Wagner. MOPS: An infrastructure for examining security properties of software. In ACM Comp. & Comm. Security (CCS), pages 235–244, 2002. See also [16], [48].

  18. M. Conover and w00w00 Security Development (WSD). w00w00 on Heap Overflows. January 1999, http://www.w00w00.org/articles.html.

  19. C. Cowan, M. Barringer, S. Beattie, G. Kroah-Hartman, M. Frantzen, and J. Lokier. FormatGuard: Automatic protection from printf format string vulnerabilities. In USENIX Security, 2001.

  20. C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: Protecting pointers from buffer overflow vulnerabilities. In USENIX Security, 2003.

  21. C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In USENIX Security, 1998.

  22. C. Cowan, P. Wagle, C. Pu, S. Beattie, and J. Walpole. Buffer overflows: Attacks and defenses for the vulnerability of the decade. In DARPA Info. Survivability Conf. and Expo (DISCEX), Jan. 2000.

  23. C. Curtsinger, B. Livshits, B. G. Zorn, and C. Seifert. ZOZZLE: Fast and precise in-browser JavaScript malware detection. In USENIX Security, 2011.

  24. W. Dietz, P. Li, J. Regehr, and V. S. Adve. Understanding integer overflow in C/C++. ACM Trans. Softw. Eng. Methodol., 25(1):2:1–2:29, 2015. Shorter conference version: ICSE 2012.

  25. M. Dowd, J. McDonald, and J. Schuh. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Addison-Wesley, 2006.

  26. D. R. Engler, B. Chelf, A. Chou, and S. Hallem. Checking system rules using system-specific, programmer-written compiler extensions. In Operating Sys. Design & Impl. (OSDI), pages 1–16, 2000.

  27. M. E. Fagan. Design and code inspections to reduce errors in program development. IBM Systems Journal, 15(3):182–211, 1976.

  28. S. Forrest, A. Somayaji, and D. H. Ackley. Building diverse computer systems. In IEEE HotOS, 1997.

  29. S. E. Hallyn and A. G. Morgan. Linux capabilities: making them work. In Linux Symp., July 2008.

  30. V. C. Hamacher, Z. G. Vranesic, and S. G. Zaky. Computer Organization. McGraw-Hill, 1978.

  31. G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, 2004.

  32. M. Howard and D. LeBlanc. Writing Secure Code (2nd edition). Microsoft Press, 2002.

  33. M. Howard, D. LeBlanc, and J. Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill, 2009.

  34. T. Jim, J. G. Morrisett, D. Grossman, M. W. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of C. In USENIX Annual Technical Conf., pages 275–288, 2002.

  35. R. Jones and P. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Third International Workshop on Automated Debugging, 1995. Original July 1995 announcement “Bounds Checking for C”, https://www.doc.ic.ac.uk/~phjk/BoundsChecking.html.

  36. B. Kernighan and D. Ritchie. The C Programming Language, 2/e. Prentice-Hall, 1988 (1/e 1978).

  37. A. D. Keromytis. Randomized instruction sets and runtime environments: Past research and future directions. IEEE Security & Privacy, 7(1):18–25, 2009.

  38. J. A. Kupsch and B. P. Miller. How to open a file and not get hacked. In Availability, Reliability and Security (ARES), pages 1196–1203, 2008. Extended version: https://research.cs.wisc.edu/mist/papers/safeopen.pdf.

  39. B. Lee, C. Song, Y. Jang, T. Wang, T. Kim, L. Lu, and W. Lee. Preventing use-after-free with dangling pointers nullification. In Netw. Dist. Sys. Security (NDSS), 2015.

  40. J. Mason, S. Small, F. Monrose, and G. MacManus. English shellcode. In ACM Comp. & Comm. Security (CCS), pages 524–533, 2009.

  41. S. McClure, J. Scambray, and G. Kurtz. Hacking Exposed 6: Network Security Secrets and Solutions (6th edition). McGraw-Hill, 2009.

  42. T. C. Miller and T. de Raadt. strlcpy and strlcat: consistent, safe, string copy and concatenation. In USENIX Annual Technical Conf., pages 175–178, 1999. FREENIX track.

  43. mudge (Peiter Zatko). How to write Buffer Overflows. 20 Oct 1995, available online.

  44. G. C. Necula, J. Condit, M. Harren, S. McPeak, and W. Weimer. CCured: type-safe retrofitting of legacy software. ACM Trans. Program. Lang. Syst., 27(3):477–526, 2005.

  45. M. Payer and T. R. Gross. Protecting applications against TOCTTOU races by user-space caching of file metadata. In Virtual Execution Environments (VEE), pages 215–226, 2012.

  46. P. Ratanaworabhan, V. B. Livshits, and B. G. Zorn. NOZZLE: A defense against heap-spraying code injection attacks. In USENIX Security, pages 169–186, 2009.

  47. R. Roemer, E. Buchanan, H. Shacham, and S. Savage. Return-oriented programming: Systems, languages, and applications. ACM Trans. Inf. Systems and Security, 15(1):2:1–2:34, 2012.

  48. B. Schwarz, H. Chen, D. A. Wagner, J. Lin, W. Tu, G. Morrison, and J. West. Model checking an entire Linux distribution for security violations. In Annual Computer Security Applications Conf. (ACSAC), pages 13–22, 2005.

  49. scut / team teso. Exploiting Format String Vulnerabilities (version 1.2). 1 Sept 2001, online; follows a Dec. 2000 Chaos Communication Congress talk, https://events.ccc.de/congress/.

  50. H. Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In ACM Comp. & Comm. Security (CCS), pages 552–561, 2007.

  51. H. Shacham, M. Page, B. Pfaff, E. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In ACM Comp. & Comm. Security (CCS), pages 298–307, 2004.

  52. U. Shankar, K. Talwar, J. S. Foster, and D. A. Wagner. Detecting format string vulnerabilities with type qualifiers. In USENIX Security, 2001.

  53. S. Silvestro, H. Liu, T. Liu, Z. Lin, and T. Liu. Guarder: A tunable secure allocator. In USENIX Security, pages 117–133, 2018. See also “FreeGuard” (CCS 2017) for heap allocator background.

  54. R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. W. Streilein. Systematic analysis of defenses against return-oriented programming. In Research in Attacks, Intrusions, Defenses (RAID), 2013.

  55. Solar Designer. “return-to-libc” attack. Bugtraq, Aug. 1997.

  56. A. Sotirov. Bypassing memory protections: The future of exploitation. USENIX Security (talk), 2009. https://www.usenix.org/legacy/events/sec09/tech/slides/sotirov.pdf, video online.

  57. L. Szekeres, M. Payer, T. Wei, and R. Sekar. Eternal war in memory. IEEE Security & Privacy, 12(3):45–53, 2014. Longer systematization (fourth author D. Song) in IEEE Symp. Sec. and Priv. 2013.

  58. A. S. Tanenbaum. Modern Operating Systems (3rd edition). Pearson Prentice Hall, 2008.

  59. D. Tsafrir, T. Hertz, D. Wagner, and D. D. Silva. Portably solving file TOCTTOU races with hardness amplification. In USENIX File and Storage Tech. (FAST), 2008. Also: ACM Trans. on Storage, 2008.

  60. E. Tsyrklevich and B. Yee. Dynamic detection and prevention of race conditions in file accesses. In USENIX Security, 2003.

  61. V. van der Veen, N. dutt-Sharma, L. Cavallaro, and H. Bos. Memory errors: The past, the present, and the future. In Research in Attacks, Intrusions, Defenses (RAID), pages 86–106, 2012.

  62. J. Viega and G. McGraw. Building Secure Software. Addison-Wesley, 2001.

  63. H. Vijayakumar, J. Schiffman, and T. Jaeger. STING: Finding name resolution vulnerabilities in programs. In USENIX Security, pages 585–599, 2012. See also Vijayakumar, Ge, Payer, Jaeger, “JIGSAW: Protecting resource access by inferring programmer expectations”, USENIX Security 2014.

  64. D. A. Wagner, J. S. Foster, E. A. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Netw. Dist. Sys. Security (NDSS), 2000.

  65. J. Wilander and M. Kamkar. A comparison of publicly available tools for dynamic buffer overflow prevention. In Netw. Dist. Sys. Security (NDSS), 2003.

  66. G. Wurster and J. Ward. Towards efficient dynamic integer overflow detection on ARM processors. Technical report, BlackBerry Limited, Apr. 2016.

Copyright information

© 2021 The Author(s)

About this chapter

Cite this chapter

van Oorschot, P.C. (2021). Software Security—Exploits and Privilege Escalation. In: Computer Security and the Internet. Information Security and Cryptography. Springer, Cham. https://doi.org/10.1007/978-3-030-83411-1_6

  • DOI: https://doi.org/10.1007/978-3-030-83411-1_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-83410-4

  • Online ISBN: 978-3-030-83411-1

  • eBook Packages: Computer Science (R0)