Dynamic loader oriented programming on Linux

Julian Kirsch, Bruno Bierbaumer, Thomas Kittel, Claudia Eckert

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

1 Scopus citations

Abstract

Memory corruptions are still the most prominent venue to attack otherwise secure programs. In order to make exploitation of software bugs more difficult, defenders introduced a vast number of post corruption security mitigations, such as w⊕x memory, Stack Canaries, and Address Space Layout Randomization (ASLR), to only name a few. In the following, we describe the Wiedergänger1-Attack, a new attack vector that reliably allows to escalate unbounded array access vulnerabilities occurring in specifically allocated memory regions to full code execution on programs running on i386/x86-64 Linux. Wiedergänger-attacks abuse determinism in Linux ASLR implementation combined with the fact that (even with protection mechanisms such as relro and glibc's pointer mangling enabled) there exist easy-to-hijack, writable (function) pointers in application memory. To discover such pointers, we use taint analysis and backwards slicing at the binary level and calculate an over-approximation of vulnerable instruction sequences. To show the relevance of Wiedergänger, we exploit one of the discovered instruction sequences to perform an attack on Debian 10 (Buster) by overwriting structures used by the dynamic loader (dl) that are present in any application with glibc and the dynamic loader as dependency. In order to show generality, we solely focus on data structures dispatched at program shutdown, as this is a point that arguably all applications eventually have to reach. This results in a reliable compromise that effectively bypasses all protection mechanisms deployed on x86-64/i386 Linux to date. We believe Wiedergänger to be part of an under-researched type of control flow hijacking attacks targeting internal control structures of the dynamic loader for which we propose to use the terminology Loader Oriented Programming (LOP).

Original languageEnglish
Title of host publicationROOTS 2017 - Proceedings of the 1st Reversing and Offensive-Oriented Trends Symposium 2017, Co-Located with DEEPSEC
PublisherAssociation for Computing Machinery
ISBN (Electronic)9781450353212
DOIs
StatePublished - 16 Nov 2017
Externally publishedYes
Event1st Reversing and Offensive-Oriented Trends Symposium, ROOTS 2017 - Vienna, Austria
Duration: 16 Nov 201717 Nov 2017

Publication series

NameACM International Conference Proceeding Series

Conference

Conference1st Reversing and Offensive-Oriented Trends Symposium, ROOTS 2017
Country/TerritoryAustria
CityVienna
Period16/11/1717/11/17

Keywords

  • Address Space Layout Randomization Determinism
  • Dynamic Loader
  • Glibc
  • Linux
  • Loader Oriented Programming
  • Software Exploitation
  • Software Security
  • Software Vulnerability

Fingerprint

Dive into the research topics of 'Dynamic loader oriented programming on Linux'. Together they form a unique fingerprint.

Cite this