Visible to the public Biblio

Filters: Author is Blazytko, T.  [Clear All Filters]
2017-12-12
Kollenda, B., Göktaş, E., Blazytko, T., Koppe, P., Gawlik, R., Konoth, R. K., Giuffrida, C., Bos, H., Holz, T..  2017.  Towards Automated Discovery of Crash-Resistant Primitives in Binary Executables. 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). :189–200.

Many modern defenses rely on address space layout randomization (ASLR) to efficiently hide security-sensitive metadata in the address space. Absent implementation flaws, an attacker can only bypass such defenses by repeatedly probing the address space for mapped (security-sensitive) regions, incurring a noisy application crash on any wrong guess. Recent work shows that modern applications contain idioms that allow the construction of crash-resistant code primitives, allowing an attacker to efficiently probe the address space without causing any visible crash. In this paper, we classify different crash-resistant primitives and show that this problem is much more prominent than previously assumed. More specifically, we show that rather than relying on labor-intensive source code inspection to find a few "hidden" application-specific primitives, an attacker can find such primitives semi-automatically, on many classes of real-world programs, at the binary level. To support our claims, we develop methods to locate such primitives in real-world binaries. We successfully identified 29 new potential primitives and constructed proof-of-concept exploits for four of them.