Breaking the memory secrecy assumption

Many countermeasures exist that attempt to protect against buffer overflow attacks on applications written in C and C++. The most widely deployed countermeasures rely on artificially introducing randomness into the memory image of the application. StackGuard and similar systems, for instance, insert a random value before the return address on the stack, and Address Space Layout Randomization (ASLR) makes the location of the stack and/or heap less predictable for an attacker. A critical assumption in these probabilistic countermeasures is that attackers cannot read the contents of memory. In this paper we show that this assumption is not always justified. We identify a new class of vulnerabilities -- buffer overreads -- that occur in practice and that can be exploited to read parts of the memory contents of a process running a vulnerable application. We describe in detail how to exploit an application protected by both ASLR and stack canaries, if the application contains both a buffer overread and a buffer overflow vulnerability. We also provide a detailed discussion of how this vulnerability affects other, less widely deployed probabilistic countermeasures such as memory obfuscation and instruction set randomization.
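The buffer overread class the abstract describes, as an added example that is not from the paper: a constructed session record whose peer-supplied length is trusted (the leaking form) next to a version that bounds the read by the real size of the source field and refuses a mismatch. The record layout, field names and the 0xA5 marker bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record (assumption): a public name field sits directly in front
 * of data that must never leave the process, as in many real server structs. */
#define NAME_LEN 16
struct session {
    char    name[NAME_LEN];   /* echoed back to the peer */
    uint8_t token[32];        /* secret; the attacker's target in an overread */
};

/* Overread: the peer's claimed length bounds only the destination, not the
 * source. A claim larger than NAME_LEN copies bytes from beyond `name`. */
size_t echo_name_unchecked(const struct session *s, uint16_t claimed_len,
                           uint8_t *out, size_t out_cap) {
    if (claimed_len > out_cap) claimed_len = (uint16_t)out_cap;
    memcpy(out, s->name, claimed_len);
    return claimed_len;
}

/* Hardened form: the copy is bounded by the actual content of the source
 * field, and a claimed length that exceeds it is rejected, not clamped. */
int echo_name_checked(const struct session *s, uint16_t claimed_len,
                      uint8_t *out, size_t out_cap, size_t *written) {
    size_t actual = strnlen(s->name, NAME_LEN);
    if (claimed_len > actual || claimed_len > out_cap) return -1;
    memcpy(out, s->name, claimed_len);
    *written = claimed_len;
    return 0;
}

static void make_session(struct session *s) {
    memset(s, 0, sizeof *s);
    memcpy(s->name, "alice", 6);
    memset(s->token, 0xA5, sizeof s->token);   /* constructed marker bytes */
}

/* Number of token bytes that reach the reply through the unchecked path when
 * the peer claims the whole 48-byte record (stays inside the struct object). */
size_t leaked_token_bytes(void) {
    struct session s; uint8_t out[64]; size_t leaked = 0;
    make_session(&s);
    size_t n = echo_name_unchecked(&s, sizeof s, out, sizeof out);
    for (size_t i = NAME_LEN; i < n; i++) if (out[i] == 0xA5) leaked++;
    return leaked;
}

/* Bytes written by the checked path, or -1 when the request is refused. */
int checked_path_result(uint16_t claimed_len) {
    struct session s; uint8_t out[64]; size_t written = 0;
    make_session(&s);
    if (echo_name_checked(&s, claimed_len, out, sizeof out, &written) != 0) return -1;
    return (int)written;
}

int main(void) {
    printf("unchecked path leaks %zu token bytes\n", leaked_token_bytes());
    printf("checked path: len 5 -> %d, len 48 -> %d\n",
           checked_path_result(5), checked_path_result(48));
    return 0;
}
```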
