Baseline Is Fragile: On the Effectiveness of Stack Pivot Defense

Return-Oriented Programming (ROP) has become a widespread technique in recent software exploits. Various defenses have been proposed to thwart ROP, including randomization and Control-Flow Integrity (CFI), but ROP attacks have not yet been eliminated completely. Recently, ROP defenses based on stack pivot detection have been put forward. In this paper, we investigate the checking mechanism in existing stack pivot defenses, including ROPGuard, Microsoft EMET, PBlocker and a detecting device design. They check the validity of the stack pointer against stack boundary information stored in a system structure, e.g., the Thread Information Block (TIB) in Windows. These stack pivot checkers are effective at detecting ROP attacks on the premise that the baseline is safely stored. However, we find this assumption is unreliable because users have read-write access to the TIB structure, which means the stack range information can be tampered with in user mode by an attacker, while existing solutions do not address how to protect these baseline data. In this paper, we propose an attack method that bypasses stack pivot checks by corrupting the stack border values in the TIB, and we show through case studies that our attack does defeat current solutions. Further, we discuss possible countermeasures to enhance the security of current stack pivot defenses.
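As an added illustration of the checking mechanism the paper analyzes (not code from the paper or from any of the products it names), the following C model compares a stack pointer against TIB-style stack bounds, once with the live, writable bounds and once with a baseline snapshot that is assumed to be out of reach of user-mode writes. The structure layout, function names, addresses and the snapshot-based hardened check are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the per-thread stack bounds Windows keeps in the TIB
 * (StackBase = top, StackLimit = bottom). The real TIB is writable from
 * user mode, which is the weakness the paper describes. */
typedef struct {
    uintptr_t stack_base;   /* one past the highest valid stack address */
    uintptr_t stack_limit;  /* lowest valid stack address */
} thread_info_t;

/* Check in the style of ROPGuard/EMET: the stack pointer seen at a critical
 * API call must lie inside the range recorded in the live TIB. */
bool sp_within_tib_bounds(const thread_info_t *tib, uintptr_t sp) {
    return sp >= tib->stack_limit && sp < tib->stack_base;
}

/* Hardened variant (an assumed countermeasure, not one the paper specifies):
 * compare against a baseline captured at thread start and kept out of reach of
 * user-mode writes; any drift of the live TIB from it is itself a detection. */
bool sp_within_protected_bounds(const thread_info_t *baseline,
                                const thread_info_t *tib, uintptr_t sp) {
    if (tib->stack_base != baseline->stack_base ||
        tib->stack_limit != baseline->stack_limit)
        return false;
    return sp >= baseline->stack_limit && sp < baseline->stack_base;
}

typedef struct { bool weak_pass; bool hardened_pass; } verdict_t;
/* Constructed scenario: the thread stack is [0x7ff00000, 0x7ff10000) and sp
 * has been pivoted to a heap address. With baseline_corrupted the live TIB's
 * StackLimit is overwritten so the recorded range now covers the heap. */
verdict_t check_pivot(bool baseline_corrupted) {
    const thread_info_t baseline = { 0x7ff10000u, 0x7ff00000u };
    thread_info_t tib = baseline;            /* live, writable copy */
    const uintptr_t pivoted_sp = 0x00400100u;
    if (baseline_corrupted)
        tib.stack_limit = 0;                 /* user-mode write to the TIB */
    verdict_t v = { sp_within_tib_bounds(&tib, pivoted_sp),
                    sp_within_protected_bounds(&baseline, &tib, pivoted_sp) };
    return v;
}

int main(void) {
    verdict_t c = check_pivot(false), t = check_pivot(true);
    printf("intact TIB:   weak=%d hardened=%d\n", c.weak_pass, c.hardened_pass);
    printf("tampered TIB: weak=%d hardened=%d\n", t.weak_pass, t.hardened_pass);
    return 0;
}
```

With the bounds intact both checks flag the pivoted stack pointer; once the live TIB limit is widened, the TIB-only check passes the pivot while the snapshot-based check still rejects it.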
