Research article, DOI: 10.1145/2430553.2430555

String oriented programming: when ASLR is not enough

Published: 26 January 2013

Abstract

Control-data attacks are a well known attack vector; these attacks either inject new code into running applications or reuse existing code in an unintended way to execute their malicious payload.
Current software systems are protected against control-data attacks using numerous mechanisms like Data Execution Prevention (DEP), stack canaries, and Address Space Layout Randomization (ASLR). ASLR turns deterministic attacks into probabilistic attacks and reduces the probability of a successful attack. Unfortunately, the current ASLR implementation for Linux leaves some memory regions non-randomized. These static memory regions can be used to exploit applications that have ASLR, DEP, and stack canaries enabled.
Format string exploits are an often overlooked attack vector that enables attacker-controlled memory writes in an application. A format string bug exists if a user-supplied string is passed as a first argument to any printf function. The only prerequisite for a successful format string exploit is that the attacker must be able to control that format string.
This paper presents String Oriented Programming (SOP), an approach that exploits static memory regions in ASLR enabled applications. SOP uses a format string bug to exploit applications that are protected by a combination of weak ASLR, DEP, and stack canaries. Similar to return oriented programming or jump oriented programming, SOP does not rely on existing code but concatenates gadgets in the application using static program analysis.
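As an added illustration (my own code, not from the paper), here are the two printf calling patterns the abstract distinguishes side by side, plus a hypothetical helper, count_format_directives, that a defender can run over untrusted text to flag input carrying printf directives before it reaches a logging routine.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern named in the abstract: the user-supplied string is the
 * format argument, so printf interprets every %-directive it contains. */
void log_message_vulnerable(const char *user_msg)
{
    printf(user_msg);
}

/* Fixed pattern: the format is a compile-time constant and the user string
 * is passed only as data, so its content is printed literally. */
void log_message_fixed(const char *user_msg)
{
    printf("%s", user_msg);
}

/* Hypothetical defensive check (not from the paper): count printf conversion
 * directives in untrusted text and report whether "%n", the directive that
 * writes to memory, is among them. "%%" is a literal percent sign and is
 * not counted. Suitable for flagging suspicious input in a log pipeline. */
int count_format_directives(const char *s, bool *has_n)
{
    int count = 0;
    *has_n = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%": escaped percent, skip both */
            p++;
            continue;
        }
        count++;
        /* Skip flags, width, precision, positional "$" and length
         * modifiers to reach the conversion character. */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.$*hlLqjzt", *q))
            q++;
        if (*q == 'n')
            *has_n = true;
        if (*q)
            p = q;                  /* resume after the conversion char */
    }
    return count;
}
```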

Published In

PPREW '13: Proceedings of the 2nd ACM SIGPLAN Program Protection and Reverse Engineering Workshop
January 2013
50 pages
ISBN: 9781450318570
DOI: 10.1145/2430553

Publisher

Association for Computing Machinery

New York, NY, United States

Conference

POPL '13

Acceptance Rates

Overall Acceptance Rate 21 of 36 submissions, 58%

Cited By

  • (2022) Detecting return-oriented programming on firmware-only embedded devices using hardware performance counters. Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing, pp. 510-519. DOI: 10.1145/3477314.3507108. Online publication date: 25 Apr 2022.
  • (2021) DAMAS: Control-Data Isolation at Runtime through Dynamic Binary Modification. 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 86-95. DOI: 10.1109/EuroSPW54576.2021.00016. Online publication date: Sep 2021.
  • (2020) Return-Oriented Programming on RISC-V. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 471-480. DOI: 10.1145/3320269.3384738. Online publication date: 5 Oct 2020.
  • (2019) Control-Flow Integrity: Attacks and Protections. Applied Sciences 9(20), article 4229. DOI: 10.3390/app9204229. Online publication date: 10 Oct 2019.
  • (2019) A Survey on Various Threats and Current State of Security in Android Platform. ACM Computing Surveys 52(1), pp. 1-35. DOI: 10.1145/3301285. Online publication date: 13 Feb 2019.
  • (2016) DataMill. Software: Practice & Experience 46(10), pp. 1411-1440. DOI: 10.1002/spe.2382. Online publication date: 1 Oct 2016.
  • (2015) Automatic generation of data-oriented exploits. Proceedings of the 24th USENIX Conference on Security Symposium, pp. 177-192. DOI: 10.5555/2831143.2831155. Online publication date: 12 Aug 2015.
  • (2015) Executable Program Code Segment Address Randomization. 2015 International Conference on Computer Science and Applications (CSA), pp. 345-350. DOI: 10.1109/CSA.2015.69. Online publication date: Nov 2015.
  • (2015) Hardware-Assisted Fine-Grained Code-Reuse Attack Detection. Proceedings of the 18th International Symposium on Research in Attacks, Intrusions, and Defenses, Volume 9404, pp. 66-85. DOI: 10.1007/978-3-319-26362-5_4. Online publication date: 2 Nov 2015.
  • (2015) Blind Format String Attacks. International Conference on Security and Privacy in Communication Networks, pp. 301-314. DOI: 10.1007/978-3-319-23802-9_23. Online publication date: 19 Nov 2015.
