Shacham_Return_Oriented_Programming.pdf

发布时间：2022-06-06 发布人：admin 分类：说明书资料大小：4.05M 资料格式：pdf 举报版权申诉

iextract-9825929-4744302543374933130.pdf-第1页.png

第1页 / 共53页

iextract-9825929-4744302543374933130.pdf-第2页.png

第2页 / 共53页

iextract-9825929-4744302543374933130.pdf-第3页.png

第3页 / 共53页

iextract-9825929-4744302543374933130.pdf-第4页.png

第4页 / 共53页

iextract-9825929-4744302543374933130.pdf-第5页.png

第5页 / 共53页

iextract-9825929-4744302543374933130.pdf-第6页.png

第6页 / 共53页

iextract-9825929-4744302543374933130.pdf-第7页.png

第7页 / 共53页

iextract-9825929-4744302543374933130.pdf-第8页.png

第8页 / 共53页

文本预览

Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham University of California, San Diego

Bad code versus bad behavior Bad code versus bad behavior “Bad” Bad behavior “Good” Good behavior Attacker d code Application d code Problem: this implication is false!

The Return-oriented programming thesis The Return oriented programming thesis any sufficiently large program codebase any sufficiently large program codebase arbitrary attacker computation and behavior, arbitrary attacker computation and behavior, without code injection (in the absence of control-flow integrity)

Security systems endangered: Security systems endangered: W-xor-X aka DEP Linux OpenBSD Windows XP SP2 MacOS X Linux, OpenBSD, Windows XP SP2, MacOS X Hardware support: AMD NX bit, Intel XD bit p Trusted computing g Code signing: Xbox Binary hashing: Tripwire, etc. … and others

Return-into-libc and W^X

W-xor-X W xor X Industry response to code injection exploits Marks all writeable locations in a process’ address Marks all writeable locations in a process address space as nonexecutable Deployment: Linux (via PaX patches); OpenBSD; p y ; Windows (since XP SP2); OS X (since 10.5); … ); p ( p Hardware support: Intel “XD” bit, AMD “NX” bit (and many RISC processors)

Return-into-libc Return into libc Divert control flow of exploited program into libc code system() printf() system(), printf(), … No code injection required Perception of return-into-libc: limited, easy to defeat Attacker cannot execute arbitrary code Attacker relies on contents of libc — remove system()? We show: this perception is false.

The Return-oriented programming thesis: return-into-libc special case return into libc special case attacker control of stack attacker control of stack arbitrary attacker computation and behavior arbitrary attacker computation and behavior via return-into-libc techniques (given any sufficiently large codebase to draw on)

分享到：

赞收藏

资料库

Shacham_Return_Oriented_Programming.pdf

相关推荐

安全技术

热门标签

最新资料