
Bytecode Corruption Attacks Are Real—And How to Defend Against Them

  • Taemin Park
  • Julian Lettner
  • Yeoul Na
  • Stijn Volckaert
  • Michael Franz
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10885)

Abstract

In the continuous arms race between attackers and defenders, various attack vectors against script engines have been exploited and subsequently secured. This paper explores a new attack vector that has not received much academic scrutiny: bytecode and its lookup tables. Based on our study of the internals of modern bytecode interpreters, we present four distinct strategies to achieve arbitrary code execution in an interpreter. To protect interpreters from our attacks we propose two separate defense strategies: bytecode pointer checksums and non-writable enforcement. To demonstrate the feasibility of our approach, we instantiate our attacks and proposed defense strategies for Python and Lua interpreters. Our evaluation shows that the proposed defenses effectively mitigate bytecode injection attacks with low overheads of less than 16% on average.
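The checksum defense named in the abstract can be illustrated at the Python level: record a checksum over each trusted code object's bytecode and the lookup tables it indexes (constants and names), and refuse to dispatch to any code whose checksum no longer matches. The following is an added illustration written for this page, not code from the paper or from the CPython or Lua interpreters it modifies; the paper's defense is implemented inside the interpreter, whereas this model works on Python code objects from user code. The `BytecodeIntegrityGuard` class, `code_fingerprint` function and the swap of `__code__` standing in for a corrupted bytecode pointer are all assumptions of this example.

```python
import hashlib
from types import CodeType, FunctionType

# Constructed Python-level model of a bytecode checksum defense (assumption: the
# trusted functions are registered before any untrusted input is processed).


def code_fingerprint(code: CodeType) -> str:
    """SHA-256 over the bytecode and the lookup tables that the bytecode indexes."""
    h = hashlib.sha256()
    h.update(code.co_code)
    # Constants and names are lookup tables: a corrupted entry there changes
    # behaviour even when co_code itself is untouched, so they are covered too.
    h.update(repr(code.co_consts).encode())
    h.update(repr(code.co_names).encode())
    return h.hexdigest()


class BytecodeIntegrityGuard:
    def __init__(self):
        self._expected = {}  # id(function) -> fingerprint recorded at registration

    def register(self, func: FunctionType) -> str:
        fp = code_fingerprint(func.__code__)
        self._expected[id(func)] = fp
        return fp

    def verify(self, func: FunctionType) -> bool:
        expected = self._expected.get(id(func))
        if expected is None:
            return False  # unregistered code is never trusted
        return code_fingerprint(func.__code__) == expected

    def guarded_call(self, func, *args, **kwargs):
        # Check the code object right before dispatch, as an interpreter would
        # check the bytecode pointer before starting to execute it.
        if not self.verify(func):
            raise RuntimeError(f"bytecode integrity check failed for {func.__name__}")
        return func(*args, **kwargs)


def trusted_add(a, b):
    return a + b


def substitute(a, b):
    # Benign stand-in for bytecode that was not registered; used only to show
    # that the checksum mismatch is detected.
    return a - b


def demo() -> tuple:
    """Returns (verified before swap, result before swap, verified after swap, call blocked)."""
    guard = BytecodeIntegrityGuard()
    guard.register(trusted_add)
    before = guard.verify(trusted_add)
    result_before = guard.guarded_call(trusted_add, 2, 3)
    # Replacing the code object is the Python-level analogue of a bytecode
    # pointer that no longer points at the code the interpreter checksummed.
    trusted_add.__code__ = substitute.__code__
    after = guard.verify(trusted_add)
    try:
        guard.guarded_call(trusted_add, 2, 3)
        blocked = False
    except RuntimeError:
        blocked = True
    return before, result_before, after, blocked


if __name__ == "__main__":
    print(demo())  # (True, 5, False, True)
```

The fingerprint deliberately covers `co_consts` and `co_names` alongside `co_code`, because the abstract identifies the lookup tables, not only the instruction stream, as part of the attack surface; a checksum over the instructions alone would miss a modified table entry.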

Notes

Acknowledgements

We would like to thank Stephen Crane, Bart Coppens, our shepherd Vasileios Kemerlis, and the anonymous reviewers for their valuable input.

This material is based upon work partially supported by the Defense Advanced Research Projects Agency (DARPA) under contracts FA8750-15-C-0124 and FA8750-15-C-0085, by the National Science Foundation under award numbers CNS-1513837 and CNS-1619211, and by the Office for Naval Research under award number N00014-17-1-2782.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA), its Contracting Agents, the National Science Foundation, the Office for Naval Research, or any other agency of the U.S. Government.


Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Taemin Park (1)
  • Julian Lettner (1)
  • Yeoul Na (1)
  • Stijn Volckaert (1)
  • Michael Franz (1)

  1. University of California, Irvine, Irvine, USA
