Abstract
You do not understand how your program really works until it has been exploited. We believe that computer scientists and software engineers should regard the activity of modern exploitation as an applied discipline that studies both the actual computational properties and the practical computational limits of a target platform or system. Exploit developers study the computational properties of software that are not studied elsewhere, and they apply unique engineering techniques to the challenging engineering problem of dynamically patching and controlling a running system. These techniques leverage software and hardware composition mechanisms in unexpected ways to achieve such control. Although unexpected, such composition is not arbitrary, and it forms the basis of a coherent engineering workflow. This chapter contains a top-level overview of these approaches and their historical development.
Notes
- 1. It also serves as an excellent teaching aid in advanced OS courses; see, e.g., [4].
- 2. This fact was not well understood by most engineers or academics, who regarded below-compiler OS levels as unpredictable; Stephanie Forrest deserves credit for putting this and other misconceptions into broader scientific perspective.
- 3. Which it pre-dates, together with other hacker descriptions of the technique, by five to seven years.
- 4.
- 5.
- 6.
References
Bratus S, Locasto ME, Patterson ML, Sassaman L, Shubina A. Exploit programming: from buffer overflows to “weird machines” and theory of computation. ;login: Dec 2011.
Shacham H. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM conference on computer and communications security, CCS ’07. New York: ACM; 2007. p. 552–561.
Roemer R, Buchanan E, Shacham H, Savage S. Return-oriented programming: systems, languages, and applications. ACM Trans Inf Syst Secur. 2012;15(1):2:1–2:34.
Rosenberg D. Anatomy of a remote kernel exploit. 2011. http://www.cs.dartmouth.edu/~sergey/cs108/2012/Dan-Rosenberg-lecture.pdf.
Holler C, Herzig K, Zeller A. Fuzzing with code fragments. In: Proceedings of the 21st USENIX conference on security symposium, Security’12. Berkeley: USENIX Association; 2012. p. 38–38.
Caballero J, Song D. Automatic protocol reverse-engineering: message format extraction and field semantics inference. Comput Netw. 2013;57(2):451–74.
Samuel M, Erlingsson Ú. Let’s parse to prevent pwnage (invited position paper). In: Proceedings of the 5th USENIX conference on large-scale exploits and emergent threats, LEET’12. Berkeley, USA: USENIX Association; 2012. p. 3–3.
Jana S, Shmatikov V. Abusing file processing in malware detectors for fun and profit. In: IEEE symposium on security and privacy ’12; 2012. p. 80–94.
Wang X, Chen H, Cheung A, Jia Z, Zeldovich N, Kaashoek MF. Undefined behavior: what happened to my code? In: Proceedings of the Asia-Pacific workshop on systems, APSYS’12. New York, USA: ACM; 2012. p. 9:1–9:7.
Dullien T. Exploitation and state machines: programming the “weird machine”, revisited. In: Infiltrate conference; Apr 2011.
Sassaman L, Patterson ML, Bratus S, Locasto ME, Shubina A. Security applications of formal language theory. Technical report, Dartmouth College; 2011.
Shapiro R, Bratus S, Smith SW. “Weird machines” in ELF: a spotlight on the underappreciated metadata. In: 7th USENIX workshop on offensive technologies, WOOT ’13; 2013. https://www.usenix.org/system/files/conference/woot13/woot13-shapiro.pdf.
Cesare S. Shared library call redirection via ELF PLT infection. Dec 2000.
Sd, Devik. Linux on-the-fly kernel patching without LKM. Dec 2001.
Mayhem. Understanding Linux ELF RTLD internals. 2002. http://s.eresi-project.org/inc/articles/elf-rtld.txt.
Nergal. The advanced return-into-lib(c) exploits: PaX case study. Phrack Mag. 2001;58(4).
Oakley J, Bratus S. Exploiting the hard-working DWARF: Trojan and exploit techniques with no native executable code. In: WOOT; 2011. p. 91–102.
Skape. Locreate: an anagram for relocate. Uninformed. 2007;6.
Sotirov A. Heap feng shui in JavaScript. In: Black Hat; 2007.
Redpantz. The art of exploitation: MS IIS 7.5 remote heap overflow. Phrack Mag. 2012;68(12).
Huku, Argp. The art of exploitation: exploiting VLC, a jemalloc case study. Phrack Mag. 2012;68(13).
Ferguson J. Advances in Win32 ASLR evasion. May 2011.
Bilar D. On callgraphs and generative mechanisms. J Comput Virol. 2007;3(4).
Richarte G. About exploits writing. Core Security Technologies presentation; 2002.
Gera, Riq. Advances in format string exploitation. Phrack Mag. 2002;59(7).
Aleph One. Smashing the stack for fun and profit. Phrack 1996;49:14. http://phrack.org/issues.html?issue=49&id=14.
Palmers. Sub proc_root quando sumus (advances in kernel hacking). Phrack 2001;58:6. http://phrack.org/issues.html?issue=58&id=6.
Palmers. 5 short stories about execve (advances in kernel hacking II). Phrack 2002;59:5. http://phrack.org/issues.html?issue=59&id=5.
Rutkowski JK. Execution path analysis: finding kernel based rootkits. Phrack 2002;59:10. http://phrack.org/issues.html?issue=59&id=10.
Cesare S. Runtime kernel kmem patching. 1998. http://althing.cs.dartmouth.edu/local/vsc07.html.
Mayhem. IA32 advanced function hooking. Phrack 2001;58:8. http://phrack.org/issues.html?issue=58&id=8.
Klog. Backdooring binary objects. Phrack 2000;56:9. http://phrack.org/issues.html?issue=56&id=9.
The Grugq. Cheating the ELF: subversive dynamic linking to libraries. 2000.
Mayhem. Understanding Linux ELF RTLD internals. 2002. http://s.eresi-project.org/inc/articles/elf-rtld.txt.
Grugq, Scut. Armouring the ELF: binary encryption on the UNIX platform. Phrack 2001;58:5. http://phrack.org/issues.html?issue=58&id=5.
Rutkowska J. Passive covert channels implementation in Linux kernel. 21st Chaos Communication Congress; 2004. http://events.ccc.de/congress/2004/fahrplan/files/319-passive-covert-channels-slides.pdf.
(Anonymous author). Runtime process infection. Phrack 2002;59:8. http://phrack.org/issues.html?issue=59&id=8.
Kad. Handling interrupt descriptor table for fun and profit. Phrack 2002;59:4. http://phrack.org/issues.html?issue=59&id=4.
Buffer. Hijacking Linux page fault handler exception table. Phrack 2003;61:7. http://phrack.org/issues.html?issue=61&id=7.
Desclaux F, Kortchinsky K. Skype V. REcon; 2006. http://www.recon.cx/en/f/vskype-part1.pdf.
Sparks S, Butler J. “Shadow Walker”: raising the bar for rootkit detection. Black Hat; 2005. http://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-sparks-butler.pdf.
Bangert J, Bratus S, Shapiro R, Smith SW. The page-fault weird machine: lessons in instruction-less computation. In: 7th USENIX workshop on offensive technologies, WOOT ’13; Aug 2013. https://www.usenix.org/system/files/conference/woot13/woot13-bangert.pdf.
© 2014 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Bratus, S., Bangert, J., Gabrovsky, A., Shubina, A., Locasto, M.E., Bilar, D. (2014). ‘Weird Machine’ Patterns. In: Blackwell, C., Zhu, H. (eds) Cyberpatterns. Springer, Cham. https://doi.org/10.1007/978-3-319-04447-7_13
DOI: https://doi.org/10.1007/978-3-319-04447-7_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-04446-0
Online ISBN: 978-3-319-04447-7
eBook Packages: Computer Science, Computer Science (R0)
