On the Expressiveness of Return-into-libc Attacks

Return-into-libc (RILC) is one of the most common forms of code-reuse attacks. In this attack, an intruder uses a buffer overflow or other exploit to redirect control flow through existing (libc) functions within the legitimate program. While dangerous, it is generally considered limited in its expressive power since it only allows the attacker to execute straight-line code. In other words, RILC attacks are believed to be incapable of arbitrary computation--they are not Turing complete. Consequently, to address this limitation, researchers have developed other code-reuse techniques, such as return-oriented programming (ROP). In this paper, we make the counterargument and demonstrate that the original RILC technique is indeed Turing complete. Specifically, we present a generalized RILC attack called Turing complete RILC (TC-RILC) that allows for arbitrary computations. We demonstrate that TC-RILC satisfies formal requirements of Turing-completeness. In addition, because it depends on the well-defined semantics of libc functions, we also show that a TC-RILC attack can be portable between different versions (or even different families) of operating systems and naturally has negative implications for some existing anti-ROP defenses. The development of TC-RILC on both Linux and Windows platforms demonstrates the expressiveness and practicality of the generalized RILC attack.

[1]  Zhi Wang,et al.  Defeating return-oriented rootkits with "Return-Less" kernels , 2010, EuroSys '10.

[2]  Leyla Bilge,et al.  G-Free: defeating return-oriented programming through gadget-less binaries , 2010, ACSAC '10.

[3]  Ahmad-Reza Sadeghi,et al.  Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks , 2009, STC '09.

[4]  Stephen Checkoway Escape From Return-Oriented Programming : Return-oriented Programming without Returns ( on the x 86 ) , 2010 .

[5]  Ahmad-Reza Sadeghi,et al.  Return-Oriented Programming without Returns on ARM , 2010 .

[6]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[7]  Lucas Davi,et al.  ROPdefender: a detection tool to defend against return-oriented programming attacks , 2011, ASIACCS '11.

[8]  Bing Mao,et al.  DROP: Detecting Return-Oriented Programming Malicious Code , 2009, ICISS.

[9]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[10]  Daniel C. DuVarney,et al.  Efficient Techniques for Comprehensive Protection from Memory Error Exploits , 2005, USENIX Security Symposium.

[11]  Hovav Shacham,et al.  Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage , 2009, EVT/WOTE.

[12]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[13]  Felix C. Freiling,et al.  Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms , 2009, USENIX Security Symposium.

[14]  Michael Shuey,et al.  StackGhost: Hardware Facilitated Stack Protection , 2001, USENIX Security Symposium.

[15]  Lorenzo Martignoni,et al.  Surgically Returning to Randomized lib(c) , 2009, 2009 Annual Computer Security Applications Conference.

[16]  David H. Ackley,et al.  Randomized instruction set emulation to disrupt binary code injection attacks , 2003, CCS '03.

[17]  Derek Bruening,et al.  Secure Execution via Program Shepherding , 2002, USENIX Security Symposium.

[18]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[19]  Hovav Shacham,et al.  Return-oriented programming without returns , 2010, CCS '10.

[20]  Hovav Shacham,et al.  Return-Oriented Programming: Systems, Languages, and Applications , 2012, TSEC.

[21]  Angelos D. Keromytis,et al.  Countering code-injection attacks with instruction-set randomization , 2003, CCS '03.

[22]  Keith J. Jones,et al.  10th USENIX Security Symposium , 2001, login Usenix Mag..

[23]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[24]  Tzi-cker Chiueh,et al.  RAD: a compile-time solution to buffer overflow attacks , 2001, Proceedings 21st International Conference on Distributed Computing Systems.

[25]  Hovav Shacham,et al.  When good instructions go bad: generalizing return-oriented programming to RISC , 2008, CCS.

[26]  Claudio Soriente,et al.  On the difficulty of software-based attestation of embedded devices , 2009, CCS.