ROP GADGETS HIDING TECHNIQUES IN OPEN SOURCE PROJECTS

Today there are many techniques that allow exploiting vulnerabilities in an application, and there are also many techniques designed to stop these exploit attacks. This thesis highlights how a specific type of attack, based on a technique called Return Oriented Programming (ROP), can be easily applied to binaries with particular characteristics. A new method is presented that allows the injection of “useful” code into an Open Source project without arousing suspicion; this is possible because the injected code appears harmless. This useful code facilitates a ROP attack against an executable that contains exploitable bugs. The injection process can be pictured in an environment where a user can contribute their own code to a particular Open Source project. This thesis also highlights how current software protections are not correctly applied to Open Source projects, thus enabling the proposed approach.
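As an added, defender-side illustration of the last point (this is not code from the thesis), the check below parses an ELF64 header and reports whether a binary was built as PIE, with a non-executable stack, and with RELRO, the standard hardening flags a project can verify on its own release builds. The two sample images are constructed inside the block; the ELF constants are the standard values from the ELF and GNU ABI.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header carrying the stack permissions
PT_GNU_RELRO = 0x6474E552   # program header marking the read-only-after-relocation region
PF_X = 0x1                  # segment flag: executable
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position-independent (PIE)


def check_elf64_hardening(data: bytes) -> dict:
    """Return PIE / NX-stack / RELRO status of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    stack_flags, relro = None, False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "pie": e_type == ET_DYN,
        # A missing PT_GNU_STACK makes the loader fall back to an executable stack.
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
        "relro": relro,
    }


def make_elf64(e_type: int, phdrs: list) -> bytes:
    """Build a minimal constructed ELF64 header plus program headers (not loadable)."""
    phoff, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, phoff, 0, 0,
                               64, phentsize, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Constructed samples: an unhardened ET_EXEC with an RWX stack, and a hardened PIE.
WEAK = make_elf64(ET_EXEC, [(PT_GNU_STACK, 0x7)])
HARDENED = make_elf64(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])

if __name__ == "__main__":
    for name, image in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_elf64_hardening(image))
```

Pointing `check_elf64_hardening` at the bytes of a real build artifact gives the same three answers for that binary.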
