Finding Runtime Usable Gadgets: On the Security of Return Address Authentication

Title: Finding Runtime Usable Gadgets: On the Security of Return Address Authentication
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Xu, Qizhen; Zhang, Zhijie; Zhang, Lin; Chen, Liwei; Shi, Gang
Conference Name: 2021 IEEE Intl Conf on Parallel Distributed Processing with Applications, Big Data Cloud Computing, Sustainable Computing Communications, Social Computing Networking (ISPA/BDCloud/SocialCom/SustainCom)
Date Published: Sep
Keywords: authentication, codes, compositionality, Information Reuse, memory security, message authentication, pubcrawl, Resiliency, Return address authentication, reuse attack, Runtime, security
Abstract: Return address authentication mechanisms protect return addresses by calculating and checking their message authentication codes (MACs) at runtime. However, these works only provide empirical analysis of their security, and it is still unclear whether an attacker can bypass these defenses by launching reuse attacks. In this paper, we present a solution to quantitatively analyze the security of return address authentication mechanisms against reuse attacks. Our solution utilizes some libc functions that could leak data from memory. First, we perform reaching definition analysis to identify the sources of the parameters of these functions. Then we infer how many MACs could be observed at runtime by modifying these parameters. Afterward, we select the gadgets that could be exploited by reusing these observed MACs. Finally, we stitch the desired gadgets together to craft attacks. We evaluated our solution on 5 real-world applications and successfully crafted reuse attacks on 3 of them. We find that the larger an application is, the more libc functions and gadgets can be found and reused, and furthermore, the more likely the attack is to be successfully crafted.
DOI: 10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00059
Citation Key: xu_finding_2021