MINESTRONE: Identifying and containing
software vulnerabilities

Defending Against Code-Reuse Attacks

Attack prevention technologies such as non-executable pages (W^X) and Data Execution Prevention (DEP), which prevent the execution of malicious code that has been injected into a running process, are now enabled in most modern operating systems. Their wide adoption has given rise to a new class of attacks, known as code-reuse attacks, which achieve arbitrary code execution without injecting any attacker-supplied code. Instead, the attacker chains together small fragments of code, known as gadgets, that already exist in the process image of the vulnerable application, and forces their execution by supplying the proper memory offsets (the gadget addresses) on the stack or in some other memory area. In essence, instead of injecting binary code, the attacker injects only data: the offsets of the existing code fragments to be executed, along with the arguments those fragments need.

The attacker can pick the right code pieces a priori, before launching the attack, because in certain cases parts of the code image of the vulnerable application are static and identical across different installations. In this project, we plan to hinder code-reuse attacks by breaking the assumptions that the attacker can make about the process code image. Based on static code analysis, we will develop code transformation techniques that alter the code image of a potentially vulnerable program. Our aim is to introduce random changes in as many of the available gadgets as possible, without changing the semantics of the program. These modifications change the behavior of some of the gadgets that the attacker may have chosen for mounting the attack, effectively breaking the attacker's payload.
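The two paragraphs above describe the attack (gadgets ending in a `ret`, including "unintended" ones formed by a stray 0xC3 byte inside a longer instruction) and the defense (semantics-preserving transformations that change the bytes of as many gadgets as possible). The Python below is an added example, not code from the MINESTRONE project or from the papers listed on this page. It implements one of the simplest such transformations on 32-bit x86: a register-to-register add/or/and/sub/xor/mov has two byte encodings that differ only in the opcode's direction bit and in the order of the ModRM reg/rm fields, so re-encoding it changes the bytes without changing the instruction. All function names, the constructed instruction list `SAMPLE` (with instruction boundaries as a static-analysis pass would supply them) and the toy scan for 0xC3 bytes are assumptions of this example; it handles only the mod=11 register-direct forms.

```python
"""Added example (not the MINESTRONE project's code): in-place instruction
substitution on constructed 32-bit x86 bytes, showing how a semantics-
preserving re-encoding removes bytes an attacker could chain as a gadget."""
from __future__ import annotations

import random

# Two-byte "op r/m32, r32" opcodes and their "op r32, r/m32" twins: flipping
# bit 1 of the opcode (the direction bit) and swapping the ModRM reg/rm
# fields yields the same instruction with different bytes.
SWAPPABLE = {0x01, 0x03, 0x09, 0x0B, 0x21, 0x23, 0x29, 0x2B, 0x31, 0x33, 0x89, 0x8B}
MNEMONIC = {0x01: "add", 0x09: "or", 0x21: "and", 0x29: "sub", 0x31: "xor", 0x89: "mov"}
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET = 0xC3  # one-byte `ret`; any 0xC3 inside code is a candidate gadget ending


def describe(insn: bytes) -> str:
    """Decode a 2-byte register-direct instruction to Intel syntax."""
    op, modrm = insn
    reg, rm = (modrm >> 3) & 7, modrm & 7
    mn = MNEMONIC[op & ~0x02]
    # direction bit set: the reg field is the destination; clear: rm is
    dst, src = (REGS[reg], REGS[rm]) if op & 0x02 else (REGS[rm], REGS[reg])
    return f"{mn} {dst}, {src}"


def swap_encoding(insn: bytes) -> bytes:
    """Return the alternative, semantically identical encoding of a reg,reg
    ALU/mov instruction; any other instruction is returned unchanged."""
    if len(insn) != 2 or insn[0] not in SWAPPABLE or insn[1] >> 6 != 3:
        return insn  # only mod=11 (register-direct) forms are handled here
    op, modrm = insn
    reg, rm = (modrm >> 3) & 7, modrm & 7
    return bytes([op ^ 0x02, (3 << 6) | (rm << 3) | reg])


def unintended_rets(insns: list[bytes]) -> list[int]:
    """Offsets of 0xC3 bytes that are not a real `ret` instruction, i.e. the
    places where a misaligned gadget ending in `ret` could start."""
    offsets, pos = [], 0
    for insn in insns:
        if insn != bytes([RET]):
            offsets += [pos + j for j, b in enumerate(insn) if b == RET]
        pos += len(insn)
    return offsets


def randomize(insns: list[bytes], seed: int | None = None, always: bool = False) -> list[bytes]:
    """Re-encode each swappable instruction on a coin flip (this per-instruction
    randomness is what makes installations differ); always=True swaps every
    candidate so the effect is deterministic for inspection."""
    rng = random.Random(seed)
    return [swap_encoding(i) if always or rng.random() < 0.5 else i for i in insns]


# Constructed function body with known instruction boundaries (hypothetical
# sample, as a static-analysis pass would provide). `03 c3` = add eax, ebx
# contains a stray 0xC3 byte, so a gadget could be entered at offset 4.
SAMPLE = [
    b"\x55",       # push ebp
    b"\x89\xe5",   # mov ebp, esp
    b"\x03\xc3",   # add eax, ebx  (unintended `ret` byte at offset 4)
    b"\x31\xd2",   # xor edx, edx
    b"\x5d",       # pop ebp
    b"\xc3",       # ret (the real one)
]


if __name__ == "__main__":
    after = randomize(SAMPLE, always=True)
    print("bytes before:", b"".join(SAMPLE).hex(" "))
    print("bytes after: ", b"".join(after).hex(" "))
    print("unintended ret offsets before/after:",
          unintended_rets(SAMPLE), unintended_rets(after))
    for a, b in zip(SAMPLE, after):
        if a != b:
            print(f"  {a.hex()} -> {b.hex()}: both decode to '{describe(a)}'")
```

Running it shows `03 c3` becoming `01 d8` (and `89 e5` becoming `8b ec`), with `describe` confirming that each pair decodes to the same instruction, so the program's semantics are untouched while the stray `ret` byte, and every gadget that ended on it, is gone. A real transformation pass needs a full disassembler to establish instruction boundaries and would combine this with the other in-place techniques the project describes; the random choice per instruction, rather than the `always=True` switch used here for inspection, is what breaks the attacker's assumption that the code image is identical across installations.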

People:

Vasilis Pappas
Michalis Polychronakis
Prof. Angelos Keromytis, Columbia University

Related papers

Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization [PDF]
Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis
In Proceedings of the 33rd IEEE Symposium on Security & Privacy (S&P), May 2012. (Acceptance rate: 13%)

ROP Payload Detection Using Speculative Code Execution [PDF]
Michalis Polychronakis and Angelos D. Keromytis
In Proceedings of the 6th International Conference on Malicious and Unwanted Software (MALWARE), October 2011. (Best Paper Award).

Latest News

02/01/12
Our paper "Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization" is to appear in the IEEE Symposium on Security & Privacy (S&P).
09/15/11
Our paper "ROP Payload Detection Using Speculative Code Execution" is to appear in the International Conference on Malicious and Unwanted Software (MALWARE).

This work is supported by the United States Air Force Research Laboratory (AFRL) through Contract FA8650-10-C-7024. Opinions, findings, conclusions and recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the US Government, or the Air Force.