Hacking Blind Andrea Bittau Adam Belay Ali Mashtizadeh David Mazi eres Dan Boneh Stanford University Abstract We show that it is possible to write remote stack buffer overow exploits without possessin - Description

This makes it possible to hack proprietary closedbinary services or opensource servers manually compiled and installed from source where the binary remains unknown to the attacker Tra ditional techniques are usually paired against a particular binar ID: 5079 Download Pdf

Similar presentations

Hacking Blind Andrea Bittau Adam Belay Ali Mashtizadeh David Mazi eres Dan Boneh Stanford University Abstract We show that it is possible to write remote stack buffer overow exploits without possessi
Hacking Blind Andrea Bittau Adam Belay Ali Mashtizadeh David Mazi eres Dan Boneh Stanford University Abstract We show that it is possible to write remote stack buffer overow exploits without possessi

This makes it possible to hack proprietary closedbinary services or opensource servers manually compiled and installed from source where the binary remains unknown to the attacker Tra ditional techniques are usually paired against a particular binar

David Mazi eres Associate Professor of Computer Science Stanford University Serra Mall Room httpwww
David Mazi eres Associate Professor of Computer Science Stanford University Serra Mall Room httpwww

scsstanfordedu dm Stanford CA 94305 Education Massachusetts Institute of Technology Cambridge MA PhD in Electrical Engineering and Computer Science September 2000 Thesis title Selfcertifying F

An Analysis of Private Browsing Modes in Modern Browsers Gaurav Aggarwal Elie Bursztein Stanford University Collin Jackson CMU Dan Boneh Stanford University Abstract We study the security and privacy
An Analysis of Private Browsing Modes in Modern Browsers Gaurav Aggarwal Elie Bursztein Stanford University Collin Jackson CMU Dan Boneh Stanford University Abstract We study the security and privacy

We 64257rst pro pose a clean de64257nition of the goals of private browsing and survey its implementation in different browsers We conduct a measurement study to determine how often it is used and on what categories of sites Our results suggest that

Gyrophone Recognizing Speech From Gyroscope Signals Yan Michalevsky Dan Boneh Computer Science Department Stanford University Gabi Nakibly National Research Simulation Center Rafael Ltd
Gyrophone Recognizing Speech From Gyroscope Signals Yan Michalevsky Dan Boneh Computer Science Department Stanford University Gabi Nakibly National Research Simulation Center Rafael Ltd

Abstract We show that the MEMS gyroscopes found on mod ern smart phones are suf64257ciently sensitive to measure acoustic signals in the vicinity of the phone The re sulting signals contain only very lowfrequency infor mation 200Hz Nevertheless we

Have fun learning by hacking!
Have fun learning by hacking!

Trausti Saemundsson, . Reykjavik University. Introduction. I am Trausti Saemundsson, a MSc student at Reykjavik University in Iceland . My supervisor is Ymir Vigfusson . I´m here in London doing research with Gregory Chockler on a multitenant cache algorithm .

Buffer overflows and exploits
Buffer overflows and exploits

C memory layout. We talked about the heap and stack last time.. Heap: dynamically allocated data (so grows and shrinks depending on objects created). Stack: grows and shrinks as functions are called and return.

Location Privacy via Private Proximity Testing Arvind Narayanan Narendran Thiagarajan Mugdha Lakhani Michael Hamburg Dan Boneh Stanford University Abstract We study privacypreserving tests for proxim
Location Privacy via Private Proximity Testing Arvind Narayanan Narendran Thiagarajan Mugdha Lakhani Michael Hamburg Dan Boneh Stanford University Abstract We study privacypreserving tests for proxim

We describe several secure protocols that support private proximity test ing at various levels of granularity We study the use of location tags generated from the physical environment in order to strengthen the security of proximity testing We imple

How Slow is the Means Method David Arthur Stanford University Stanford CA darthu
How Slow is the Means Method David Arthur Stanford University Stanford CA darthu

stanfordedu Sergei Vassilvitskii Stanford University Stanford CA sergeicsstanfordedu ABSTRACT The kmeans method is an old but popular clustering algo rithm known for its observed speed and its simplicity Until recently however no meaningful theoretic

Beware of FinerGrained Origins Collin Jackson Stanford University collinjcs
Beware of FinerGrained Origins Collin Jackson Stanford University collinjcs

stanfordedu Adam Barth Stanford University abarthcsstanfordedu Abstract The security policy of browsers provides no isolation be tween documents from the same origin scheme host and port even if those documents have different security char acteristic

Stanford Tech Report CTSR Digital Video Stabilization and Rolling Shutter Correction using Gyroscopes Alexandre Karpenko Stanford University David Jacobs Stanford University Jongmin Baek Stanford Un
Stanford Tech Report CTSR Digital Video Stabilization and Rolling Shutter Correction using Gyroscopes Alexandre Karpenko Stanford University David Jacobs Stanford University Jongmin Baek Stanford Un

b The rolling shutter used by sensors in these cameras also produces warping in the output frames we have exagerrated the effect for illustrative purposes c We use gyroscopes to measure the cameras rotations during video capture d We use the measure

229K - views

Hacking Blind Andrea Bittau Adam Belay Ali Mashtizadeh David Mazi eres Dan Boneh Stanford University Abstract We show that it is possible to write remote stack buffer overow exploits without possessin

Published bydanika-pritchard

This makes it possible to hack proprietary closedbinary services or opensource servers manually compiled and installed from source where the binary remains unknown to the attacker Tra ditional techniques are usually paired against a particular binar

Tags : This makes possible
Embed :
Pdf Download Link

Download Pdf - The PPT/PDF document "Hacking Blind Andrea Bittau Adam Belay A..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Hacking Blind Andrea Bittau Adam Belay Ali Mashtizadeh David Mazi eres Dan Boneh Stanford University Abstract We show that it is possible to write remote stack buffer overow exploits without possessin






Presentation on theme: "Hacking Blind Andrea Bittau Adam Belay Ali Mashtizadeh David Mazi eres Dan Boneh Stanford University Abstract We show that it is possible to write remote stack buffer overow exploits without possessin"— Presentation transcript:

astackvulnerabilityandonemayspeculatethatitisbeingusedbyaproprietaryservice.3)Hackinganopen-sourceserverforwhichthebinaryisunknown.Thisappliestomanuallycompiledinstal-lationsorsource-baseddistributionssuchasGentoo.Weevaluateallthreescenarios.Ideally,fortherstsce-nariowewouldtestourtechniquesagainstproductionservicesforwhichweholdnoinformationaboutthesoftware,butweareconstrainedforobviouslegalreasons.Tosimulatesuchascenario,wetestedagainstatoyproprietaryserviceacolleagueofourswroteforwhichwehadnoinformationaboutsource,binary,orfunctionality.Forthesecondscenario,wetargetarealvulnerabilityintheyaSSLlibrary[3].ThislibrarywasusedbyMySQLinpastandweusethatasthehostapplication.Forthethirdscenario,wetargetarecent(2013)vulnerabilityinnginx[2]andwriteagenericexploitthatdoesnotdependonaparticularbinary.Thisisparticularlyusefulastheexploitwillworkonanydistributionandvulnerablenginxversionwithoutrequiringanattackertowriteaspecicexploitforeachdistributionandversioncombination(asisdonetoday).Weimplementedanewsecuritytool,Braille,thatmakesBROPattackshighlyautomated.Braillecanyieldashellonavulnerableserverinapproximately4,000requests,aprocessthatcompletesinunder20minutesand,insomesituations,injustafewminutes.AnattackerneedonlyprovideafunctionthatconstructsarequestofaminimumlengthtocrashtheserverandappendastringprovidedbyBraille.Thefunctionmustalsoreturnasinglebitbasedonwhethertheservercrashesornot.Ourcontributionsare:1)AtechniquetodefeatASLRonservers(generalizedstackreading).2)AtechniquetoremotelyndROPgadgets(BROP)sothatsoftwarecanbeattackedwhenthebinaryisunknown.3)Braille:atoolthatautomaticallyconstructsanexploitgiveninputonhowtotriggerastackoverowonaserver.4)Therst(toourknowledge)publicexploitforng-inx'srecentvulnerability,thatisgeneric,64-bit,anddefeats(full/PIE)ASLR,canariesandNX.5)SuggestionsfordefendingagainstBROPattacks.Insummary,ASLRmustbeappliedtoallexecutablesegments(PIE)andre-randomizationmustoccuraftereachcrash(atoddswithfork-onlyservers).Holdingthebinaryfromtheattackerorpurposefullyalteringitmaynotbeaneffectivesecuritycountermeasure.II.BRIEFHISTORYOFBUFFEROVERFLOWSBufferoverowsareaclassicvulnerabilitywithalonghistoryofexploits[4].Conceptually,theyarerelativelyeasytoattack.Forinstance,avulnerableprogrammightreaddatafromthenetworkintoabuffer.Then,assumingtheprogramlackssufcientboundscheckstolimitthesizeoftheincomingdata,anattackercouldoverwritememorybeyondtheendofthebuffer.Asaresult,criticalcontrol-owstate,suchasreturnaddressesorfunctionpointers,couldbemanipulated.Stackbufferoverowstendtobeespeciallydangerousbecausereturnaddressesareimplicitlynearbyinmemoryduetofunctioncallingconventions.However,attacksthattargetbuffersontheheaparealsoviable[5].Intheearlydaysofstackbufferoverows,itwascommonforanattackertoincludemaliciouscodeaspartofthepayloadusedtooverowthebuffer.Asaresult,theattackercouldsimplysetthereturnaddresstoaknownlocationonthestackandexecutetheinstructionsthatwereprovidedinthebuffer.Such“codeinjection”attacksarenolongerpossibleoncontemporarymachinesbecausemodernprocessorsandoperatingsystemsnowhavetheabilitytomarkdatamemorypagesasnon-executable(e.g.,NXonx86).Asaresult,ifanattackertriestoruncodeonthestack,itwouldonlycauseanexception.Aninnovativetechnique,knownasreturn-orientedpro-gramming(ROP)[1],wasdevelopedtodefeatdefensesbasedonnon-executablememory.Itworksbylinkingtogethershortcodesnippetsalreadypresentintheprogram'saddressspace.Suchcodesnippets,calledgadgets,canbecombinedtoformarbitrarycomputation.Asaresult,attackerscanuseROPtogaincontrolofprogramswithoutanydependenceoncodeinjection.SimplervariationsofROParesometimespossible.Forexample,withreturn-to-libcattacks,ahigh-levellibraryfunctioncanbeusedasthereturnaddress.Inparticular,thesystem()functionisusefulforattackersbecauseitcanrunarbitraryshellcodewithonlyasingleargument[6].Theseattackswereveryeffectiveon32-bitsystemswhereargumentswerepassedonthestack,alreadyundercontroloftheattacker.On64-bitsystems,argumentsarepassedinregisters,soadditionalgadgetsareneededtopopulateregisters.Addressspacelayoutrandomization(ASLR)[7],[8]wasintroducedasanadditionaldefenseagainstbufferoverowattacks.Itworksbyrandomizingthelocationofcodeanddatamemorysegmentsintheprocessaddressspace.Inmanyim-plementationscodesegmentrandomizationisonlyappliedtolibraries,butfulladdressspacerandomizationisalsopossible.ASLRcreatesamajorchallengeforattackersbecauseitmakestheaddresslocationsofcode(oreventhestack)impossibletopredictinadvance.Unfortunately,on32-bitplatforms,ASLRisconstrainedbythenumberofavailablebits(usually16)forrandomization.Asaresult,brute-forceattackscanbequiteeffective[9].However,on64-bitplatformstherearetypicallytoomanyrandombitsforbrute-forcingtobefeasible.Insuchcases,ASLRcanstillbecircumvented,butonlywhencombinedwithavulnerabilitythatleaksinformationabouttheaddressspacelayout,suchasaformatstring[10].InadditiontothelargeraddressspaceforASLRandtheneedtolocateadditionalgadgetstollargumentregisters,64-bitsystemspresentathirdcomplicationforattackers.Becausethearchitecturelimitsvirtualaddressesto48-bits,user-levelmemorypointersarerequiredtocontainzero-valuedbytes.Thesezeroscauseearlyterminationofoverowsrelyingonstringoperationssuchasstrcpy().Canaries[11]areanothercommondefenseagainstbufferoverowattacks.Canariescannotpreventbufferoverows,buttheycandetectthemretroactivelyandterminatetheprogrambeforeanattackercaninuencecontrolow.Forexample,withstackcanaries,asecretvaluethatwasdeterminedinadvanceisplacedjustbeforeeachsavedframepointerandreturnaddress.Then,whenafunctionreturns,thesecret versionoftheattackthatreliesneitherontheBROPgad-getnorthePLT.TheattackndsallthegadgetslistedinSectionVIII-A,namelytheregisterpopsandsyscall.Theattackoutlineis:1)Findallpopx;retgadgets.2)Findasyscallgadget.3)Identifythepopgadgetspreviouslyfound.Theattackerstartsbyndingastopgadgetandallpopx;retinstructions.Thedifcultyisnowinidentifyingthepopinstructionsandndingasyscallgadget.Theideaistoidentifythepopinstructionsbasedonsystemcallbehavioraftertweakingsystemcallarguments,inasimilarwayastohowstrcmpwasfoundintheoptimizedattack.Thereisabootstrapproblem,however,becausetondsyscallonemustcontrolthesystemcallnumber(rax),soonemusthaveaprioriidentiedpoprax;ret.Thesolutionistochainallpopinstructionsfoundbytheattacker,poppingthedesiredsystemcallnumber,andoneofthemwilllikelyberax.Thesystemcalltouseispause()whichtakesnoargumentsandsoignoresallotherregisters.Italsostopsprogramexecutionuntilasignalisraisedandsoitactsasastopgadget,makingitidentiable.Theattackercannowappendtheprobeaddressforsyscalltothepopchaintondasystemcallgadget.Onceanaddressthatmakestheprogrampauseisfound,theattackercaneliminatethepopsonebyonetondwhichonecontrolsrax.Atthispointtheattackerhastheaddressofasyscallgadgetandapoprax;retgadget.Theattackeralsoholdsalistofunidentiedpops.Theseareidentiedbyusingthefollowingsystemcalls:1)Firstargument(poprdi):nanosleep(len,rem).Thiswillcauseasleepoflennanoseconds(nocrash).remispopulatedifthesleepisinter-rupted,anditcanbeaninvalidaddressasitischeckedonlyafterthesleep.2)Secondargument(poprsi):kill(pid,sig).Ifsigiszero,nosignalissent,otherwiseoneissent(causingacrash).Thepidneednotbeknown:itcanbezerowhichsendsthesignaltoalltheprocessesintheprocessgroup.Toverifywhetherthesignalissent,theattackercanopenmultipleconnections(goingtodifferentworkerprocesses)toseeifthoseconnectionsarekilledornot.3)Thirdargument(poprdx):clock_nano-sleep(clock,flags,len,rem).Similartonanosleepbuttakestwoadditionalarguments,makingthethirdargumentcontrolthesleeplength.Onecannowcallwriteandcontinuetheattackbydumpingthe.textsegmentandndingmoregadgets.Whilethisattackismoregeneral,itismorecomplextoperformbecauseitrequirestwoscansofthe.textsegment:onetondalistofpopgadgets,andonetondasyscallgadget.Asignicantoptimizationisthatallpoprax;retgad-getswefoundweremisalignedparsesofaddrsp,0x58;ret.Thisinformationcanbeusedtoclassifypopraxgadgetsindependentlyofsyscallgadgetsandsignicantlyspeeduptheattack—onenolongerneedstoscantheentire.textsegmenttwice.Onecanscanfortheaddrsp,0x58gadgetbysettingupthestackwith11trapsfollowedbythestopgadget.Toverifythegadget,theattackerjumpstothemisalignedparsethatyieldspoprax,verifyingthatonlyonewordispopped,whichcanbedonebysettingupthestackwithasingletrapfollowedbythestopgadget.J.Otherlow-leveldetailsInthissectionwelistanumberofnotsoobviouslow-levelattackdetails,manyofwhichaddedtotheattack'sstability.a)Stackreadingwithzeros:Wefoundthataneffectivewaytostackreadisplacingzerosinwordslikethesavedframepointer.Itislikelytondaninstructionpointerthatdoesnotcrashtheprogramregardlessoftheframepointer.Italsomakesstackreadingmorerobustwhendifferentworkerprocessesarebeingused,eachwithaslightlydifferentframepointer.Itmaybeimpossibletonishreadingapartiallyreadframepointerwhenbeingsenttoadifferentworkerprocesssinceallvalueswillcauseacrash.Forcingazerowordinthiscasewilleliminatethisproblem.b)Furtherstrcmpverication:Tofurtherverifystrcmp,werunitagainstthelastbyteofthevsyscallpage,whichismappedatastaticlocation.strcmpwillterminatepriortoreachingtheendofvsyscall,notcausingacrash.Mostotherfunctionsinsteadwillattempttoreadpastthevsyscallpagecausingacrash.Thiswillprunefunctionsthatdonotnormallycrashwhensuppliedtworeadablearguments.c)Dealingwithsmallbuffers:SometimesattackersmustminimizethelengthofROPchainsandbeabletoexploitsmallbuffers.Thissituationoccurs,forexample,duetoshortreadsorhavingtokeepsomememoryintact(e.g.,nottouchingacanary),whichlimitsthelengthoftheoverowandthebufferspaceavailable.TheyaSSL+MySQLexploitrequiresthisoptimizationinordertoavoidcorruptingacanary.ThisisachecklistforconductingBROPwithshortROPchainsofatmost8words(64bytes):FindactualPLTentriesbasedontheiraddress,notbasedontheirpushnumberandslowpath.ThiswillmakePLTinvocationashorterROPchain.DumpthebinarywithaminimalROPchain:strcmpaddresstodump,donotsetrsiagain(alreadysetforstrcmp),andcallwrite.Ifzeroisread,thedumpedaddresscontainedazero.Otherwiseasmallamountofthebinary(uptoazero)willberead.Continuethisuntilapoprdxisfound.Afterthatusepoprdxtocontrolthelengthratherthanstrcmp(shorterROPchain).Createtheshellcodeenvironmentinmultiplestages:oneconnectiontoduptheattacker'ssocket,onetoread“/bin/sh”intomemory,andonetoexecve.Alltheseconnections(apartfromexecve)mustterminatetheROPchainwithastopgadgettopreventacrashsincetheworkerprocessisbeingpreparedincrementally.d)Dealingwithfewevent-basedworkers:Therearesit-uationswhereanapplicationisconguredwithveryfewevent-basedworkerswhichcanallbecomeunresponsiveduringthe TABLEIII.BROPGADGETFREQUENCY. Binary BROPcount expectedscanlength(density) proprietaryservice 194 154 MySQL 639 501 nginx 130 566 Apache 65 860 OpenSSH 78 972 Figure15.Attackcomplexityfornginx.Thenumberofrequestsneededforeachphaseareshown.Broadlyspeaking,theattack'scomplexityissplitinfourparts:stackreading,ndingthePLT,ndingtheBROPgadget,anddumpingthebinarytonishtheattack.ThedatashowsthenumberofBROPgadgetspresent,andtheirdensity::textsize 7BROPcount(recallthat7bytescanbeskippedperprobeduetothesizeofthegadget).TheBROPgadgetsappearsverypopularandcanbefoundinunder1,000addressprobes.Notethatinpracticemorerequestswillneededtoverifythegadgetandweedoutfalsepositives.AftertheBROPgadgetisfound,ndingwritetakesonlyafewadditionalrequests,andcanusuallybefoundinapproximately2,000requeststotal.Atthispointtheattackisalmostcomplete.Onemaychoosetomanuallywriteveryspecicpartsofthebinarytominimizethenumberofrequestsbasedontheinformationlearned.Otherwise,ourBrailletoolstartsdumpingthebinaryfromitsstart,untiltheentiresymboltableisdumpedsothatashellcodecanbeconstructed.Theattacktypicallycompleteswithin500additionalrequests(about2,500total).InthecaseofyaSSL,ittookmanymorerequeststodumpthebinarybecausethebufferbeingoverowedwasveryshortandsoBraillewaslimitedinhowlongtheROPchaincouldbe.Braillewasforcedtodumpthebinaryinsmallchunkstondapoprdx;ret(araregadget)beforetherestofthebinarycouldbedownloadedinlargerchunks.Figure15showsthecomplexityoftheattackfornginx.Theattack'soverheadcanbesplitintofourparts:stackreading(35%),ndingthePLT(29%),ndingtheBROPgadget(20%)andnishingoff(16%).Notethatifcanariesarenotused(orcanbebypassed,likeinyaSSL)andthePIEagisnotused(thedefault)thenstackreadingcanbeavoidedaltogether.FindingthePLTlargelydependsonthesizeoftheexecutableandhowmanyPLTentriesareskippedduringascan.TheBROPgadgetscanwilldependonitsfrequency,aspreviouslymentioned.Theattackcancompletewithin20minutes.MySQLtookalongtimebecauseittookawhileforittorestartaftereachcrash.nginxwasfastest(onlyoneminute)becauseanon-timebasedstopgadgetwasused.AnHTTPkeep-aliveconnectionwasusedandsoaftertheexploitrequest,anormalrequestwassenttocheckiftheconnectionwasstillalive.Intheproprietaryservercaseinstead,atimeouthadtobeusedtodetermineiftheserverwasstillalivewhichmadetheattackslower.Theattackclearlyisnoisybutwearguethatifitexecutesfastenough,theattackermaybeabletoperformwhateveractivityheneedstodobeforegettingcaught.nginxforexamplelogseachcrash,inaleownedbyroot.Theserverrunsasnobodysotheattackerwouldnotbeabletoerasethelogs.Wenotice,however,thattheworkerprocesseskeepledescriptorstothelogsopen,makingitpossibletowriteashellcodetocallftruncatetoerasetracesoftheattack.B.StabilityThethreeserversuseworkerprocessesverydifferently,exercisingBROPindifferentways.InallcasestheBROPattackwasreliableandcompletedunassistedwithouthangingorcausingdenial-of-service.MySQLis(typically)singleprocess,multi-threaded.Onacrash,ascript(mysqld safe)reexecutestheserver.TheBROPattackworksunderthedefaultconguration(noPIE,butcanaries)despitethere-executionbecausethecanaryisneverhitthankstohowthebugisbeingexercised.IfcompiledwiththePIEag,theattackwouldnotworkasonecouldn'treada(changing)returnaddressfromthestacktodefeatASLR.Thisdoesnotapplytonginxandthetoyproprietaryservicewhereduetotheirforkingnature,theattackwouldsucceedevenwhenPIEisused.nginxhasmultipleworkerprocessesandhasasingle-threaded,event-basedarchitecture.Mostdistributionscong-urefourworkerprocessesbydefault.Thismakesitatrickyscenariobecauseaninniteloopbasedstopgadgetwouldhogtheworkercompletely,andonegetsonlyfourshotsbydefault.Thestopgadgetherewasreturningtoahigherstackframe,whichavoidedanyblocking.Withaspecializedexploit,weareabletoexploitnginxevenwhenconguredtouseasingleworker.Theproprietaryserverforkedonceperconnection.Thismakestheattackveryreliableasthereisavirtuallyinnitenumberofworkerprocessesavailable.Wedidnotknowaprioriaboutthedetailsoftheserverbutitcontainedafewuniquethings.Thestackoverowwasonestackframeabovetheactualbugastherewasafunctionthatwrappedthereadsystemcall.Theserveralsocontainedasingleloop,dependentonavariableusedtoexittheloopwhenshuttingtheservicedown.Thiscreatedtheadditionalchallengethattheloopwasnoteasilyusableasaninniteloopgadget.ThestopgadgetsforyaSSL+MySQL,nginxandthepro-prietaryserverrespectivelywere:futex,returningtoahighercallframe,andsleep.TheyaSSL+MySQLscenarioofferedaverysmalloverowbufferandshowsthatBROPcanworkevenwithsmallbuffers(64bytesaresufcient).ThekeytothesuccessandstabilityoftheBROPattackisthattheattackerneedstoscanforasingleitematanygiven TABLEIV.CODEDIVERSITYWHENTHESAMEVERSIONOFNGINX(1.4.0)ISCOMPILEDWITHDIFFERENTDEBIANLINUXVERSIONS. TextSize TextStart #ofGadgets Squeeze 0x5fc58 0x4031e0 206 Wheezy 0x61f0c 0x4032f0 255 Jessie(testing) 0x5fbd2 0x402ee0 323 C.Client-sidevs.server-sideItmaybepossibletolaunchaBROP-likeattackonclients.BrowserslikeChrome,forexample,launchpluginsinaseparateprocessforrobustness.JavaScriptcanbeusedtocreatemultiplevulnerablepluginobjects,attemptanexploit,anddetectwhethertheyhavecrashedornotwithoutuserinteraction.Wenote,however,thatthereistypicallylowerhangingfruitontheclient-side.HavingtheexecutionpowerofJavaScriptavailablecanoffermoresignalingmechanismstotheattackercomparedtoacoarse-grainedcrash/no-crashasusedinserver-sideBROP.Aninterestingdistinctionbetweenclient-sideandserver-sideisthatoftenclient-sideattacksarelesstargeted.Forexample,anattackermaywanttoownanygivennumberofclientstostealinformationorconstructabotnet.Thismakesexploitsforoldertargetswithfewerprotections(e.g.,WindowsXP)stillvaluable,astherestillarepeoplerunningthosecongurations.Server-sideattacksinsteadareoftentargetedasonewantstoattackaparticularsite.Relyingon32-bittargetsorspecicbinaryinstallations,orsimplymovingontothenextvictimmaynotbeanoption.ThismakesBROPveryvaluableontheserver-sideasitgivesanattackeralargerhammerwhenneeded.D.VarianceinbinariesCounterintuitively,closed-sourcesystems(thoughopen-binary)makewritingexploitssimpler.ManyexploitsthattargetWindowsareveryrobustastheybuildROPchainsonDLLsthatseldomchange,andsoonlyafewversionsexist.Inanopen-sourcesetting,therearemultiplebinaryvariantsandtheattackermustbuildadifferentROPchainforeach.TableIVshowsthesizeandstartaddressofdifferentdistributionsoftheexactsamenginxversion.Asweseethereisalotofvariabilitybasedonthebuildenvironment,theversionofthelibrariesitwaslinkedagainst,andthecompilerversion,eventhoughthesameLinuxdistributionwasbeingused.EvenasinglebytedifferenceoroffsetwilldefeatastaticallyprecomputedROPchain.Worsefortheattacker,asystemmaybemanuallycompiledbytheenduser,makingitimpossiblefortheattackertobuildaROPchainofineasthebinaryisunknown.InsuchcasesBROPisanecessity.Evenifaserverusesaprecompiledbinary,itcanbedifculttodeterminewhichparticularoneisbeingused:remoteOSngerprintingrevealsanapproximatekernelversion,notadistribution.BROPinfactcanbeusedtongerprintdistributionsandapplications(e.g.,basedonwhethercanariesarepresent,vsyscallbehavior,etc.).E.RemotefuzztestingTheBROPattackcouldbeapowerfultoolforhackingproprietaryclosed-binaryserviceswhencoupledwitharemotefuzztester.Wenotethatintwooftheexampleapplicationswetargeted,theoverowoccurredbecausealengthwasspeciedinthepacketbutalargervaluewassent.Itcertainlyispossibletowriteafuzztesterthathasknowledgeaboutaprotocolandattemptstooverowbysupplyingincorrectlengths[17].Interestingly,prettymuchthesamechunkedencodingvulnerabilitythatappearedinnginxhasalreadyappearedinApacheinthepast[18].Itmaybepossibletowritefuzztestersforparticularprotocolconditionsthatareknowntobehardtoimplementcorrectly,orthathavebeenknowntobeexploitedinthepast.XIII.BROPPREVENTIONThefollowingisadiscussionofdefensemechanismsthatwillpreventtheBROPattack,includingtwoprecautionswesuggestserverdevelopersuse.ThereisalotofpriorresearchinROPattackdefensemechanisms,andmanyofthosetechniquesareapplicabletodefendingagainstBROP.Thus,thislistisbynomeanscomprehensive.A.RerandomizationThemostbasicprotectionagainsttheBROPattackistorerandomizecanariesandASLRasoftenaspossible.Theseprotectionmechanismsareeffective,butserverdevelopersunderminethembynotrerandomizingwhenworkerprocessescrash.Thesimplestmethodistoforkandexectheprocessonacrashorspawn,whichrerandomizesboththecanaryandASLR.Itisimportantthatanychildprocessesforkedarerandomizedindependentlysothatanyinformationlearnedfromonechildcannotbeusedagainstanotherone.Therehasbeenresearchonrerandomizingbinariesatruntime.OnesuchtechniqueisworkbyGiuffridaetal.thatusesamodiedcompilertomigratetherunningstatebetweentwoinstances(withadifferentASLRrandomization)[19].Wealsoprototypedare-randomizationtechniquethatmovesabinary'stextsegmenttoanewlocationusingmmap/munmap,andusesapagefaulthandlertodeterminewhetherpointersshouldberewrittenastheyarefaultedon.Anevensimplerimprovementwedevelopedistoreran-domizethecanaryonaper-userorper-requestbasis.Wesuggestserverswriteanewcanarybeforeenteringaper-requestfunction.Onthereturnthroughthatfunctiontheoldcanaryshouldberestoredsothatexecutioncancontinuenormally.Whilethisprotectsagainstthebugsinnginxandourproprietaryserver,theparticularattackagainstyaSSLcanavoidthecanaryentirely.B.SleeponcrashSystemslikeNetBSD'ssegvguard[20]andgrsec'sdeter_bruteforceforLinux[21]proposedelayingaforkafterasegmentationfault.Thistechniquecanslowdownattackssuchthatanadministratorcannoticesomethingiswrongandaddresstheproblem.Thedownsideofthisapproachisthatbugsnowcanbecomeeasydenialofserviceattacks.Itisalsounclearwhatagoodvalueforthedelayis.grsecproposesa30seconddelay.Whilethisissufcientformostsetups,overnightattacksonasmallsitemightgounnoticed:ouroptimizedBROPattackfornginxcancompletein1,000requests,makingtheattacktimeroughly8hours. todefendagainstourattack,wesuggestthatsystemsshouldrerandomizeASLRandcanariesafteranycrash,andthatnolibraryorexecutableshouldbeexemptfromASLR.Brailleisavailableat:http://www.scs.stanford.edu/brop/.ACKNOWLEDGMENTSWethankouranonymousreviewersandEladEfratfortheirfeedback.WealsothankMarkHandleyandBradKarpwhohelpedshapeearlyversionsofthiswork.EricSmithsuggestedusingout-of-orderTCPsegmentsinsteadofIPfragmentation.ThisworkwasfundedbyDARPACRASHandagiftfromGoogle.REFERENCES[1]R.Roemer,E.Buchanan,H.Shacham,andS.Savage,“Return-orientedprogramming:Systems,languages,andapplications,”ACMTrans.Inf.Syst.Secur.,vol.15,no.1,pp.2:1–2:34,Mar.2012.[Online].Available:http://doi.acm.org/10.1145/2133375.2133377[2]mitre.Cve-2013-2028.[Online].Available:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028[3]——.Cve-2008-0226.[Online].Available:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0226[4]A.One,“SmashingTheStackForFunAndProt,”Phrack,vol.7,no.49,Nov.1996.[Online].Available:http://phrack.com/issues.html?issue=49&id=14#article[5]M.Kaempf.Vudomalloctricksbymaxx.[Online].Available:http://www.phrack.org/issues.html?issue=57&id=8&mode=txt[6]S.Designer.Gettingaroundnon-executablestack(andx).[Online].Available:http://seclists.org/bugtraq/1997/Aug/63[7]P.Team.Paxaddressspacelayoutrandomization(aslr).[Online].Available:http://pax.grsecurity.net/docs/aslr.txt[8]S.Bhatkar,D.C.DuVarney,andR.Sekar,“Addressobfuscation:anefcientapproachtocombataboardrangeofmemoryerrorexploits,”inProceedingsofthe12thconferenceonUSENIXSecuritySymposium-Volume12,ser.SSYM'03.Berkeley,CA,USA:USENIXAssociation,2003,pp.8–8.[Online].Available:http://dl.acm.org/citation.cfm?id=1251353.1251361[9]H.Shacham,M.Page,B.Pfaff,E.-J.Goh,N.Modadugu,andD.Boneh,“Ontheeffectivenessofaddress-spacerandomization,”inProceedingsofthe11thACMconferenceonComputerandcommunicationssecurity,ser.CCS'04.NewYork,NY,USA:ACM,2004,pp.298–307.[Online].Available:http://doi.acm.org/10.1145/1030083.1030124[10]geraandriq.Advancesinformatstringexploitation.[Online].Available:http://www.phrack.org/archives/59/p59 0x07 Advances%20in%20format%20string%20exploitation by riq%20&%20gera.txt[11]C.Cowan,C.Pu,D.Maier,H.Hintony,J.Walpole,P.Bakke,S.Beattie,A.Grier,P.Wagle,andQ.Zhang,“Stackguard:automaticadaptivedetectionandpreventionofbuffer-overowattacks,”inProceedingsofthe7thconferenceonUSENIXSecuritySymposium-Volume7,ser.SSYM'98.Berkeley,CA,USA:USENIXAssociation,1998,pp.5–5.[Online].Available:http://dl.acm.org/citation.cfm?id=1267549.1267554[12]H.Etoh,“GCCextensionforprotectingapplicationsfromstack-smashingattacks(ProPolice),”2003,http://www.trl.ibm.com/projects/security/ssp/.[Online].Available:http://www.trl.ibm.com/projects/security/ssp/[13]BulbaandKil3r,“Bypassingstackguardandstackshield,”PhrackMagazine,May2000.[Online].Available:http://phrack.org/issues.html?issue=56&id=5#article[14]Kingcope.Aboutagenericwaytoexploitlinuxtargets.[Online].Available:http://www.exploit-db.com/wp-content/themes/exploit/docs/27074.pdf[15]G.F.Roglia,L.Martignoni,R.Paleari,andD.Bruschi,“Surgicallyreturningtorandomizedlib(c),”inProceedingsofthe2009AnnualComputerSecurityApplicationsConference,ser.ACSAC'09.Washington,DC,USA:IEEEComputerSociety,2009,pp.60–69.[Online].Available:http://dx.doi.org/10.1109/ACSAC.2009.16[16]Ubuntusecurityfeatures.[Online].Available:https://wiki.ubuntu.com/Security/Features[17]Peachfuzzer.[Online].Available:http://peachfuzzer.com/[18]mitre.Cve-2002-0392.[Online].Available:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0392[19]C.Giuffrida,A.Kuijsten,andA.S.Tanenbaum,“Enhancedoperatingsystemsecuritythroughefcientandne-grainedaddressspacerandomization,”inProceedingsofthe21stUSENIXconferenceonSecuritysymposium,ser.Security'12.Berkeley,CA,USA:USENIXAssociation,2012,pp.40–40.[Online].Available:http://dl.acm.org/citation.cfm?id=2362793.2362833[20]E.Efrat.Segvguard.[Online].Available:http://www.netbsd.org/elad/recent/man/security.8.html[21]grsecurity.Deterexploitbruteforcing.[Online].Avail-able:http://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity and PaX Conguration Options#Deter exploit bruteforcing[22]M.Abadi,M.Budiu,U.Erlingsson,andJ.Ligatti,“Control-owintegrity,”inProceedingsofthe12thACMConferenceonComputerandCommunicationsSecurity,ser.CCS'05.NewYork,NY,USA:ACM,2005,pp.340–353.[Online].Available:http://doi.acm.org/10.1145/1102120.1102165[23]V.Pappas,M.Polychronakis,andA.D.Keromytis,“TransparentROPexploitmitigationusingindirectbranchtracing,”inProceedingsofthe22ndUSENIXconferenceonSecurity,ser.SEC'13.Berkeley,CA,USA:USENIXAssociation,2013,pp.447–462.[Online].Available:http://dl.acm.org/citation.cfm?id=2534766.2534805[24]R.Wartell,V.Mohan,K.W.Hamlen,andZ.Lin,“Binarystirring:Self-randomizinginstructionaddressesoflegacyx86binarycode,”inProceedingsofthe2012ACMConferenceonComputerandCommunicationsSecurity,ser.CCS'12.NewYork,NY,USA:ACM,2012,pp.157–168.[Online].Available:http://doi.acm.org/10.1145/2382196.2382216[25]J.Hiser,A.Nguyen-Tuong,M.Co,M.Hall,andJ.W.Davidson,“Ilr:Where'dmygadgetsgo?”inProceedingsofthe2012IEEESymposiumonSecurityandPrivacy,ser.SP'12.Washington,DC,USA:IEEEComputerSociety,2012,pp.571–585.[Online].Available:http://dx.doi.org/10.1109/SP.2012.39[26]V.Pappas,M.Polychronakis,andA.D.Keromytis,“Smashingthegadgets:Hinderingreturn-orientedprogrammingusingin-placecoderandomization,”inProceedingsofthe2012IEEESymposiumonSecurityandPrivacy,ser.SP'12.Washington,DC,USA:IEEEComputerSociety,2012,pp.601–615.[Online].Available:http://dx.doi.org/10.1109/SP.2012.41[27]K.Onarlioglu,L.Bilge,A.Lanzi,D.Balzarotti,andE.Kirda,“G-free:defeatingreturn-orientedprogrammingthroughgadget-lessbinaries,”inProceedingsofthe26thAnnualComputerSecurityApplicationsConference.ACM,2010,pp.49–58.[28]T.C.Team.Addresssanitizer-clang3.4documentation.[Online].Available:http://clang.llvm.org/docs/AddressSanitizer.html[29]D.Dhurjati,S.Kowshik,andV.Adve,“SAFECode:Enforcingaliasanalysisforweaklytypedlanguages,”inProceedingsofthe2006ACMSIGPLANConferenceonProgrammingLanguageDesignandImplementation,ser.PLDI'06.NewYork,NY,USA:ACM,2006,pp.144–157.[Online].Available:http://doi.acm.org/10.1145/1133981.1133999[30]Intel.Introductiontointelmemoryprotectionexten-sions.[Online].Available:http://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions[31]T.GoodspeedandA.Francillon,“Half-BlindAttacks:MaskROMBootloadersareDangerous,”inWOOT,2009.[32]A.N.Sovarel,D.Evans,andN.Paul,“Where'sthefeeb?:Theeffectivenessofinstructionsetrandomization,”inUsenixSecurity,2005.[33]A.Zabrocki.Scrapsofnotesonremotestackoverowexploitation.[Online].Available:http://www.phrack.org/issues.html?issue=67&id=13#article[34]Kingcope.nginx1.3.9/1.4.0x86bruteforceremoteexploit.[Online].Available:http://www.exploit-db.com/exploits/26737/[35]M.Labes.Mwrlabspwn2own2013write-up-webkitexploit.[Online].Available:https://labs.mwrinfosecurity.com/blog/2013/04/19/mwr-labs-pwn2own-2013-write-up---webkit-exploit/