TY - GEN
T1 - Dynamic loader oriented programming on Linux
AU - Kirsch, Julian
AU - Bierbaumer, Bruno
AU - Kittel, Thomas
AU - Eckert, Claudia
N1 - Publisher Copyright:
© 2017 Copyright held by the owner/author(s). Publication rights licensed to Association for Computing Machinery.
PY - 2017/11/16
Y1 - 2017/11/16
N2 - Memory corruptions are still the most prominent venue to attack otherwise secure programs. In order to make exploitation of software bugs more difficult, defenders introduced a vast number of post-corruption security mitigations, such as w⊕x memory, Stack Canaries, and Address Space Layout Randomization (ASLR), to name only a few. In the following, we describe the Wiedergänger-Attack, a new attack vector that reliably allows escalating unbounded array access vulnerabilities occurring in specifically allocated memory regions to full code execution on programs running on i386/x86-64 Linux. Wiedergänger-attacks abuse determinism in the Linux ASLR implementation combined with the fact that (even with protection mechanisms such as relro and glibc's pointer mangling enabled) there exist easy-to-hijack, writable (function) pointers in application memory. To discover such pointers, we use taint analysis and backwards slicing at the binary level and calculate an over-approximation of vulnerable instruction sequences. To show the relevance of Wiedergänger, we exploit one of the discovered instruction sequences to perform an attack on Debian 10 (Buster) by overwriting structures used by the dynamic loader (dl) that are present in any application with glibc and the dynamic loader as a dependency. In order to show generality, we solely focus on data structures dispatched at program shutdown, as this is a point that arguably all applications eventually have to reach. This results in a reliable compromise that effectively bypasses all protection mechanisms deployed on x86-64/i386 Linux to date. We believe Wiedergänger to be part of an under-researched type of control flow hijacking attacks targeting internal control structures of the dynamic loader, for which we propose the terminology Loader Oriented Programming (LOP).
KW - Address Space Layout Randomization Determinism
KW - Dynamic Loader
KW - Glibc
KW - Linux
KW - Loader Oriented Programming
KW - Software Exploitation
KW - Software Security
KW - Software Vulnerability
UR - https://www.scopus.com/pages/publications/85041845196
U2 - 10.1145/3150376.3150381
DO - 10.1145/3150376.3150381
M3 - Conference contribution
AN - SCOPUS:85041845196
T3 - ACM International Conference Proceeding Series
BT - ROOTS 2017 - Proceedings of the 1st Reversing and Offensive-Oriented Trends Symposium 2017, Co-Located with DEEPSEC
PB - Association for Computing Machinery
T2 - 1st Reversing and Offensive-Oriented Trends Symposium, ROOTS 2017
Y2 - 16 November 2017 through 17 November 2017
ER -