Hacking Blind Andrea Bittau Adam Belay Ali Mashtizadeh David Mazi eres Dan Boneh Stanford University Abstract We show that it is possible to write remote stack buffer overow exploits without possessin - PDF document

Presentation on theme: "Hacking Blind Andrea Bittau Adam Belay Ali Mashtizadeh David Mazi eres Dan Boneh Stanford University Abstract We show that it is possible to write remote stack buffer overow exploits without possessin"— Presentation transcript

astackvulnerabilityandonemayspeculatethatitisbeingusedbyaproprietaryservice.3)Hackinganopen-sourceserverforwhichthebinaryisunknown.Thisappliestomanuallycompiledinstal-lationsorsource-baseddistributionssuchasGentoo.Weevaluateallthreescenarios.Ideally,fortherstsce-nariowewouldtestourtechniquesagainstproductionservicesforwhichweholdnoinformationaboutthesoftware,butweareconstrainedforobviouslegalreasons.Tosimulatesuchascenario,wetestedagainstatoyproprietaryserviceacolleagueofourswroteforwhichwehadnoinformationaboutsource,binary,orfunctionality.Forthesecondscenario,wetargetarealvulnerabilityintheyaSSLlibrary[3].ThislibrarywasusedbyMySQLinpastandweusethatasthehostapplication.Forthethirdscenario,wetargetarecent(2013)vulnerabilityinnginx[2]andwriteagenericexploitthatdoesnotdependonaparticularbinary.Thisisparticularlyusefulastheexploitwillworkonanydistributionandvulnerablenginxversionwithoutrequiringanattackertowriteaspecicexploitforeachdistributionandversioncombination(asisdonetoday).Weimplementedanewsecuritytool,Braille,thatmakesBROPattackshighlyautomated.Braillecanyieldashellonavulnerableserverinapproximately4,000requests,aprocessthatcompletesinunder20minutesand,insomesituations,injustafewminutes.AnattackerneedonlyprovideafunctionthatconstructsarequestofaminimumlengthtocrashtheserverandappendastringprovidedbyBraille.Thefunctionmustalsoreturnasinglebitbasedonwhethertheservercrashesornot.Ourcontributionsare:1)AtechniquetodefeatASLRonservers(generalizedstackreading).2)AtechniquetoremotelyndROPgadgets(BROP)sothatsoftwarecanbeattackedwhenthebinaryisunknown.3)Braille:atoolthatautomaticallyconstructsanexploitgiveninputonhowtotriggerastackoverowonaserver.4)Therst(toourknowledge)publicexploitforng-inx'srecentvulnerability,thatisgeneric,64-bit,anddefeats(full/PIE)ASLR,canariesandNX.5)SuggestionsfordefendingagainstBROPattacks.Insummary,ASLRmustbeappliedtoallexecutablesegments(PIE)andre-randomizationmustoccuraftereachcrash(atoddswithfork-onlyservers).Holdingthebinaryfromtheattackerorpurposefullyalteringitmaynotbeaneffectivesecuritycountermeasure.II.BRIEFHISTORYOFBUFFEROVERFLOWSBufferoverowsareaclassicvulnerabilitywithalonghistoryofexploits[4].Conceptually,theyarerelativelyeasytoattack.Forinstance,avulnerableprogrammightreaddatafromthenetworkintoabuffer.Then,assumingtheprogramlackssufcientboundscheckstolimitthesizeoftheincomingdata,anattackercouldoverwritememorybeyondtheendofthebuffer.Asaresult,criticalcontrol-owstate,suchasreturnaddressesorfunctionpointers,couldbemanipulated.Stackbufferoverowstendtobeespeciallydangerousbecausereturnaddressesareimplicitlynearbyinmemoryduetofunctioncallingconventions.However,attacksthattargetbuffersontheheaparealsoviable[5].Intheearlydaysofstackbufferoverows,itwascommonforanattackertoincludemaliciouscodeaspartofthepayloadusedtooverowthebuffer.Asaresult,theattackercouldsimplysetthereturnaddresstoaknownlocationonthestackandexecutetheinstructionsthatwereprovidedinthebuffer.Such“codeinjection”attacksarenolongerpossibleoncontemporarymachinesbecausemodernprocessorsandoperatingsystemsnowhavetheabilitytomarkdatamemorypagesasnon-executable(e.g.,NXonx86).Asaresult,ifanattackertriestoruncodeonthestack,itwouldonlycauseanexception.Aninnovativetechnique,knownasreturn-orientedpro-gramming(ROP)[1],wasdevelopedtodefeatdefensesbasedonnon-executablememory.Itworksbylinkingtogethershortcodesnippetsalreadypresentintheprogram'saddressspace.Suchcodesnippets,calledgadgets,canbecombinedtoformarbitrarycomputation.Asaresult,attackerscanuseROPtogaincontrolofprogramswithoutanydependenceoncodeinjection.SimplervariationsofROParesometimespossible.Forexample,withreturn-to-libcattacks,ahigh-levellibraryfunctioncanbeusedasthereturnaddress.Inparticular,thesystem()functionisusefulforattackersbecauseitcanrunarbitraryshellcodewithonlyasingleargument[6].Theseattackswereveryeffectiveon32-bitsystemswhereargumentswerepassedonthestack,alreadyundercontroloftheattacker.On64-bitsystems,argumentsarepassedinregisters,soadditionalgadgetsareneededtopopulateregisters.Addressspacelayoutrandomization(ASLR)[7],[8]wasintroducedasanadditionaldefenseagainstbufferoverowattacks.Itworksbyrandomizingthelocationofcodeanddatamemorysegmentsintheprocessaddressspace.Inmanyim-plementationscodesegmentrandomizationisonlyappliedtolibraries,butfulladdressspacerandomizationisalsopossible.ASLRcreatesamajorchallengeforattackersbecauseitmakestheaddresslocationsofcode(oreventhestack)impossibletopredictinadvance.Unfortunately,on32-bitplatforms,ASLRisconstrainedbythenumberofavailablebits(usually16)forrandomization.Asaresult,brute-forceattackscanbequiteeffective[9].However,on64-bitplatformstherearetypicallytoomanyrandombitsforbrute-forcingtobefeasible.Insuchcases,ASLRcanstillbecircumvented,butonlywhencombinedwithavulnerabilitythatleaksinformationabouttheaddressspacelayout,suchasaformatstring[10].InadditiontothelargeraddressspaceforASLRandtheneedtolocateadditionalgadgetstollargumentregisters,64-bitsystemspresentathirdcomplicationforattackers.Becausethearchitecturelimitsvirtualaddressesto48-bits,user-levelmemorypointersarerequiredtocontainzero-valuedbytes.Thesezeroscauseearlyterminationofoverowsrelyingonstringoperationssuchasstrcpy().Canaries[11]areanothercommondefenseagainstbufferoverowattacks.Canariescannotpreventbufferoverows,buttheycandetectthemretroactivelyandterminatetheprogrambeforeanattackercaninuencecontrolow.Forexample,withstackcanaries,asecretvaluethatwasdeterminedinadvanceisplacedjustbeforeeachsavedframepointerandreturnaddress.Then,whenafunctionreturns,thesecret versionoftheattackthatreliesneitherontheBROPgad-getnorthePLT.TheattackndsallthegadgetslistedinSectionVIII-A,namelytheregisterpopsandsyscall.Theattackoutlineis:1)Findallpopx;retgadgets.2)Findasyscallgadget.3)Identifythepopgadgetspreviouslyfound.Theattackerstartsbyndingastopgadgetandallpopx;retinstructions.Thedifcultyisnowinidentifyingthepopinstructionsandndingasyscallgadget.Theideaistoidentifythepopinstructionsbasedonsystemcallbehavioraftertweakingsystemcallarguments,inasimilarwayastohowstrcmpwasfoundintheoptimizedattack.Thereisabootstrapproblem,however,becausetondsyscallonemustcontrolthesystemcallnumber(rax),soonemusthaveaprioriidentiedpoprax;ret.Thesolutionistochainallpopinstructionsfoundbytheattacker,poppingthedesiredsystemcallnumber,andoneofthemwilllikelyberax.Thesystemcalltouseispause()whichtakesnoargumentsandsoignoresallotherregisters.Italsostopsprogramexecutionuntilasignalisraisedandsoitactsasastopgadget,makingitidentiable.Theattackercannowappendtheprobeaddressforsyscalltothepopchaintondasystemcallgadget.Onceanaddressthatmakestheprogrampauseisfound,theattackercaneliminatethepopsonebyonetondwhichonecontrolsrax.Atthispointtheattackerhastheaddressofasyscallgadgetandapoprax;retgadget.Theattackeralsoholdsalistofunidentiedpops.Theseareidentiedbyusingthefollowingsystemcalls:1)Firstargument(poprdi):nanosleep(len,rem).Thiswillcauseasleepoflennanoseconds(nocrash).remispopulatedifthesleepisinter-rupted,anditcanbeaninvalidaddressasitischeckedonlyafterthesleep.2)Secondargument(poprsi):kill(pid,sig).Ifsigiszero,nosignalissent,otherwiseoneissent(causingacrash).Thepidneednotbeknown:itcanbezerowhichsendsthesignaltoalltheprocessesintheprocessgroup.Toverifywhetherthesignalissent,theattackercanopenmultipleconnections(goingtodifferentworkerprocesses)toseeifthoseconnectionsarekilledornot.3)Thirdargument(poprdx):clock_nano-sleep(clock,flags,len,rem).Similartonanosleepbuttakestwoadditionalarguments,makingthethirdargumentcontrolthesleeplength.Onecannowcallwriteandcontinuetheattackbydumpingthe.textsegmentandndingmoregadgets.Whilethisattackismoregeneral,itismorecomplextoperformbecauseitrequirestwoscansofthe.textsegment:onetondalistofpopgadgets,andonetondasyscallgadget.Asignicantoptimizationisthatallpoprax;retgad-getswefoundweremisalignedparsesofaddrsp,0x58;ret.Thisinformationcanbeusedtoclassifypopraxgadgetsindependentlyofsyscallgadgetsandsignicantlyspeeduptheattack—onenolongerneedstoscantheentire.textsegmenttwice.Onecanscanfortheaddrsp,0x58gadgetbysettingupthestackwith11trapsfollowedbythestopgadget.Toverifythegadget,theattackerjumpstothemisalignedparsethatyieldspoprax,verifyingthatonlyonewordispopped,whichcanbedonebysettingupthestackwithasingletrapfollowedbythestopgadget.J.Otherlow-leveldetailsInthissectionwelistanumberofnotsoobviouslow-levelattackdetails,manyofwhichaddedtotheattack'sstability.a)Stackreadingwithzeros:Wefoundthataneffectivewaytostackreadisplacingzerosinwordslikethesavedframepointer.Itislikelytondaninstructionpointerthatdoesnotcrashtheprogramregardlessoftheframepointer.Italsomakesstackreadingmorerobustwhendifferentworkerprocessesarebeingused,eachwithaslightlydifferentframepointer.Itmaybeimpossibletonishreadingapartiallyreadframepointerwhenbeingsenttoadifferentworkerprocesssinceallvalueswillcauseacrash.Forcingazerowordinthiscasewilleliminatethisproblem.b)Furtherstrcmpverication:Tofurtherverifystrcmp,werunitagainstthelastbyteofthevsyscallpage,whichismappedatastaticlocation.strcmpwillterminatepriortoreachingtheendofvsyscall,notcausingacrash.Mostotherfunctionsinsteadwillattempttoreadpastthevsyscallpagecausingacrash.Thiswillprunefunctionsthatdonotnormallycrashwhensuppliedtworeadablearguments.c)Dealingwithsmallbuffers:SometimesattackersmustminimizethelengthofROPchainsandbeabletoexploitsmallbuffers.Thissituationoccurs,forexample,duetoshortreadsorhavingtokeepsomememoryintact(e.g.,nottouchingacanary),whichlimitsthelengthoftheoverowandthebufferspaceavailable.TheyaSSL+MySQLexploitrequiresthisoptimizationinordertoavoidcorruptingacanary.ThisisachecklistforconductingBROPwithshortROPchainsofatmost8words(64bytes):FindactualPLTentriesbasedontheiraddress,notbasedontheirpushnumberandslowpath.ThiswillmakePLTinvocationashorterROPchain.DumpthebinarywithaminimalROPchain:strcmpaddresstodump,donotsetrsiagain(alreadysetforstrcmp),andcallwrite.Ifzeroisread,thedumpedaddresscontainedazero.Otherwiseasmallamountofthebinary(uptoazero)willberead.Continuethisuntilapoprdxisfound.Afterthatusepoprdxtocontrolthelengthratherthanstrcmp(shorterROPchain).Createtheshellcodeenvironmentinmultiplestages:oneconnectiontoduptheattacker'ssocket,onetoread“/bin/sh”intomemory,andonetoexecve.Alltheseconnections(apartfromexecve)mustterminatetheROPchainwithastopgadgettopreventacrashsincetheworkerprocessisbeingpreparedincrementally.d)Dealingwithfewevent-basedworkers:Therearesit-uationswhereanapplicationisconguredwithveryfewevent-basedworkerswhichcanallbecomeunresponsiveduringthe TABLEIII.BROPGADGETFREQUENCY. Binary BROPcount expectedscanlength(density) proprietaryservice 194 154 MySQL 639 501 nginx 130 566 Apache 65 860 OpenSSH 78 972 Figure15.Attackcomplexityfornginx.Thenumberofrequestsneededforeachphaseareshown.Broadlyspeaking,theattack'scomplexityissplitinfourparts:stackreading,ndingthePLT,ndingtheBROPgadget,anddumpingthebinarytonishtheattack.ThedatashowsthenumberofBROPgadgetspresent,andtheirdensity::textsize 7BROPcount(recallthat7bytescanbeskippedperprobeduetothesizeofthegadget).TheBROPgadgetsappearsverypopularandcanbefoundinunder1,000addressprobes.Notethatinpracticemorerequestswillneededtoverifythegadgetandweedoutfalsepositives.AftertheBROPgadgetisfound,ndingwritetakesonlyafewadditionalrequests,andcanusuallybefoundinapproximately2,000requeststotal.Atthispointtheattackisalmostcomplete.Onemaychoosetomanuallywriteveryspecicpartsofthebinarytominimizethenumberofrequestsbasedontheinformationlearned.Otherwise,ourBrailletoolstartsdumpingthebinaryfromitsstart,untiltheentiresymboltableisdumpedsothatashellcodecanbeconstructed.Theattacktypicallycompleteswithin500additionalrequests(about2,500total).InthecaseofyaSSL,ittookmanymorerequeststodumpthebinarybecausethebufferbeingoverowedwasveryshortandsoBraillewaslimitedinhowlongtheROPchaincouldbe.Braillewasforcedtodumpthebinaryinsmallchunkstondapoprdx;ret(araregadget)beforetherestofthebinarycouldbedownloadedinlargerchunks.Figure15showsthecomplexityoftheattackfornginx.Theattack'soverheadcanbesplitintofourparts:stackreading(35%),ndingthePLT(29%),ndingtheBROPgadget(20%)andnishingoff(16%).Notethatifcanariesarenotused(orcanbebypassed,likeinyaSSL)andthePIEagisnotused(thedefault)thenstackreadingcanbeavoidedaltogether.FindingthePLTlargelydependsonthesizeoftheexecutableandhowmanyPLTentriesareskippedduringascan.TheBROPgadgetscanwilldependonitsfrequency,aspreviouslymentioned.Theattackcancompletewithin20minutes.MySQLtookalongtimebecauseittookawhileforittorestartaftereachcrash.nginxwasfastest(onlyoneminute)becauseanon-timebasedstopgadgetwasused.AnHTTPkeep-aliveconnectionwasusedandsoaftertheexploitrequest,anormalrequestwassenttocheckiftheconnectionwasstillalive.Intheproprietaryservercaseinstead,atimeouthadtobeusedtodetermineiftheserverwasstillalivewhichmadetheattackslower.Theattackclearlyisnoisybutwearguethatifitexecutesfastenough,theattackermaybeabletoperformwhateveractivityheneedstodobeforegettingcaught.nginxforexamplelogseachcrash,inaleownedbyroot.Theserverrunsasnobodysotheattackerwouldnotbeabletoerasethelogs.Wenotice,however,thattheworkerprocesseskeepledescriptorstothelogsopen,makingitpossibletowriteashellcodetocallftruncatetoerasetracesoftheattack.B.StabilityThethreeserversuseworkerprocessesverydifferently,exercisingBROPindifferentways.InallcasestheBROPattackwasreliableandcompletedunassistedwithouthangingorcausingdenial-of-service.MySQLis(typically)singleprocess,multi-threaded.Onacrash,ascript(mysqld safe)reexecutestheserver.TheBROPattackworksunderthedefaultconguration(noPIE,butcanaries)despitethere-executionbecausethecanaryisneverhitthankstohowthebugisbeingexercised.IfcompiledwiththePIEag,theattackwouldnotworkasonecouldn'treada(changing)returnaddressfromthestacktodefeatASLR.Thisdoesnotapplytonginxandthetoyproprietaryservicewhereduetotheirforkingnature,theattackwouldsucceedevenwhenPIEisused.nginxhasmultipleworkerprocessesandhasasingle-threaded,event-basedarchitecture.Mostdistributionscong-urefourworkerprocessesbydefault.Thismakesitatrickyscenariobecauseaninniteloopbasedstopgadgetwouldhogtheworkercompletely,andonegetsonlyfourshotsbydefault.Thestopgadgetherewasreturningtoahigherstackframe,whichavoidedanyblocking.Withaspecializedexploit,weareabletoexploitnginxevenwhenconguredtouseasingleworker.Theproprietaryserverforkedonceperconnection.Thismakestheattackveryreliableasthereisavirtuallyinnitenumberofworkerprocessesavailable.Wedidnotknowaprioriaboutthedetailsoftheserverbutitcontainedafewuniquethings.Thestackoverowwasonestackframeabovetheactualbugastherewasafunctionthatwrappedthereadsystemcall.Theserveralsocontainedasingleloop,dependentonavariableusedtoexittheloopwhenshuttingtheservicedown.Thiscreatedtheadditionalchallengethattheloopwasnoteasilyusableasaninniteloopgadget.ThestopgadgetsforyaSSL+MySQL,nginxandthepro-prietaryserverrespectivelywere:futex,returningtoahighercallframe,andsleep.TheyaSSL+MySQLscenarioofferedaverysmalloverowbufferandshowsthatBROPcanworkevenwithsmallbuffers(64bytesaresufcient).ThekeytothesuccessandstabilityoftheBROPattackisthattheattackerneedstoscanforasingleitematanygiven TABLEIV.CODEDIVERSITYWHENTHESAMEVERSIONOFNGINX(1.4.0)ISCOMPILEDWITHDIFFERENTDEBIANLINUXVERSIONS. TextSize TextStart #ofGadgets Squeeze 0x5fc58 0x4031e0 206 Wheezy 0x61f0c 0x4032f0 255 Jessie(testing) 0x5fbd2 0x402ee0 323 C.Client-sidevs.server-sideItmaybepossibletolaunchaBROP-likeattackonclients.BrowserslikeChrome,forexample,launchpluginsinaseparateprocessforrobustness.JavaScriptcanbeusedtocreatemultiplevulnerablepluginobjects,attemptanexploit,anddetectwhethertheyhavecrashedornotwithoutuserinteraction.Wenote,however,thatthereistypicallylowerhangingfruitontheclient-side.HavingtheexecutionpowerofJavaScriptavailablecanoffermoresignalingmechanismstotheattackercomparedtoacoarse-grainedcrash/no-crashasusedinserver-sideBROP.Aninterestingdistinctionbetweenclient-sideandserver-sideisthatoftenclient-sideattacksarelesstargeted.Forexample,anattackermaywanttoownanygivennumberofclientstostealinformationorconstructabotnet.Thismakesexploitsforoldertargetswithfewerprotections(e.g.,WindowsXP)stillvaluable,astherestillarepeoplerunningthosecongurations.Server-sideattacksinsteadareoftentargetedasonewantstoattackaparticularsite.Relyingon32-bittargetsorspecicbinaryinstallations,orsimplymovingontothenextvictimmaynotbeanoption.ThismakesBROPveryvaluableontheserver-sideasitgivesanattackeralargerhammerwhenneeded.D.VarianceinbinariesCounterintuitively,closed-sourcesystems(thoughopen-binary)makewritingexploitssimpler.ManyexploitsthattargetWindowsareveryrobustastheybuildROPchainsonDLLsthatseldomchange,andsoonlyafewversionsexist.Inanopen-sourcesetting,therearemultiplebinaryvariantsandtheattackermustbuildadifferentROPchainforeach.TableIVshowsthesizeandstartaddressofdifferentdistributionsoftheexactsamenginxversion.Asweseethereisalotofvariabilitybasedonthebuildenvironment,theversionofthelibrariesitwaslinkedagainst,andthecompilerversion,eventhoughthesameLinuxdistributionwasbeingused.EvenasinglebytedifferenceoroffsetwilldefeatastaticallyprecomputedROPchain.Worsefortheattacker,asystemmaybemanuallycompiledbytheenduser,makingitimpossiblefortheattackertobuildaROPchainofineasthebinaryisunknown.InsuchcasesBROPisanecessity.Evenifaserverusesaprecompiledbinary,itcanbedifculttodeterminewhichparticularoneisbeingused:remoteOSngerprintingrevealsanapproximatekernelversion,notadistribution.BROPinfactcanbeusedtongerprintdistributionsandapplications(e.g.,basedonwhethercanariesarepresent,vsyscallbehavior,etc.).E.RemotefuzztestingTheBROPattackcouldbeapowerfultoolforhackingproprietaryclosed-binaryserviceswhencoupledwitharemotefuzztester.Wenotethatintwooftheexampleapplicationswetargeted,theoverowoccurredbecausealengthwasspeciedinthepacketbutalargervaluewassent.Itcertainlyispossibletowriteafuzztesterthathasknowledgeaboutaprotocolandattemptstooverowbysupplyingincorrectlengths[17].Interestingly,prettymuchthesamechunkedencodingvulnerabilitythatappearedinnginxhasalreadyappearedinApacheinthepast[18].Itmaybepossibletowritefuzztestersforparticularprotocolconditionsthatareknowntobehardtoimplementcorrectly,orthathavebeenknowntobeexploitedinthepast.XIII.BROPPREVENTIONThefollowingisadiscussionofdefensemechanismsthatwillpreventtheBROPattack,includingtwoprecautionswesuggestserverdevelopersuse.ThereisalotofpriorresearchinROPattackdefensemechanisms,andmanyofthosetechniquesareapplicabletodefendingagainstBROP.Thus,thislistisbynomeanscomprehensive.A.RerandomizationThemostbasicprotectionagainsttheBROPattackistorerandomizecanariesandASLRasoftenaspossible.Theseprotectionmechanismsareeffective,butserverdevelopersunderminethembynotrerandomizingwhenworkerprocessescrash.Thesimplestmethodistoforkandexectheprocessonacrashorspawn,whichrerandomizesboththecanaryandASLR.Itisimportantthatanychildprocessesforkedarerandomizedindependentlysothatanyinformationlearnedfromonechildcannotbeusedagainstanotherone.Therehasbeenresearchonrerandomizingbinariesatruntime.OnesuchtechniqueisworkbyGiuffridaetal.thatusesamodiedcompilertomigratetherunningstatebetweentwoinstances(withadifferentASLRrandomization)[19].Wealsoprototypedare-randomizationtechniquethatmovesabinary'stextsegmenttoanewlocationusingmmap/munmap,andusesapagefaulthandlertodeterminewhetherpointersshouldberewrittenastheyarefaultedon.Anevensimplerimprovementwedevelopedistoreran-domizethecanaryonaper-userorper-requestbasis.Wesuggestserverswriteanewcanarybeforeenteringaper-requestfunction.Onthereturnthroughthatfunctiontheoldcanaryshouldberestoredsothatexecutioncancontinuenormally.Whilethisprotectsagainstthebugsinnginxandourproprietaryserver,theparticularattackagainstyaSSLcanavoidthecanaryentirely.B.SleeponcrashSystemslikeNetBSD'ssegvguard[20]andgrsec'sdeter_bruteforceforLinux[21]proposedelayingaforkafterasegmentationfault.Thistechniquecanslowdownattackssuchthatanadministratorcannoticesomethingiswrongandaddresstheproblem.Thedownsideofthisapproachisthatbugsnowcanbecomeeasydenialofserviceattacks.Itisalsounclearwhatagoodvalueforthedelayis.grsecproposesa30seconddelay.Whilethisissufcientformostsetups,overnightattacksonasmallsitemightgounnoticed:ouroptimizedBROPattackfornginxcancompletein1,000requests,makingtheattacktimeroughly8hours. todefendagainstourattack,wesuggestthatsystemsshouldrerandomizeASLRandcanariesafteranycrash,andthatnolibraryorexecutableshouldbeexemptfromASLR.Brailleisavailableat:http://www.scs.stanford.edu/brop/.ACKNOWLEDGMENTSWethankouranonymousreviewersandEladEfratfortheirfeedback.WealsothankMarkHandleyandBradKarpwhohelpedshapeearlyversionsofthiswork.EricSmithsuggestedusingout-of-orderTCPsegmentsinsteadofIPfragmentation.ThisworkwasfundedbyDARPACRASHandagiftfromGoogle.REFERENCES[1]R.Roemer,E.Buchanan,H.Shacham,andS.Savage,“Return-orientedprogramming:Systems,languages,andapplications,”ACMTrans.Inf.Syst.Secur.,vol.15,no.1,pp.2:1–2:34,Mar.2012.[Online].Available:http://doi.acm.org/10.1145/2133375.2133377[2]mitre.Cve-2013-2028.[Online].Available:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028[3]——.Cve-2008-0226.[Online].Available:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0226[4]A.One,“SmashingTheStackForFunAndProt,”Phrack,vol.7,no.49,Nov.1996.[Online].Available:http://phrack.com/issues.html?issue=49&id=14#article[5]M.Kaempf.Vudomalloctricksbymaxx.[Online].Available:http://www.phrack.org/issues.html?issue=57&id=8&mode=txt[6]S.Designer.Gettingaroundnon-executablestack(andx).[Online].Available:http://seclists.org/bugtraq/1997/Aug/63[7]P.Team.Paxaddressspacelayoutrandomization(aslr).[Online].Available:http://pax.grsecurity.net/docs/aslr.txt[8]S.Bhatkar,D.C.DuVarney,andR.Sekar,“Addressobfuscation:anefcientapproachtocombataboardrangeofmemoryerrorexploits,”inProceedingsofthe12thconferenceonUSENIXSecuritySymposium-Volume12,ser.SSYM'03.Berkeley,CA,USA:USENIXAssociation,2003,pp.8–8.[Online].Available:http://dl.acm.org/citation.cfm?id=1251353.1251361[9]H.Shacham,M.Page,B.Pfaff,E.-J.Goh,N.Modadugu,andD.Boneh,“Ontheeffectivenessofaddress-spacerandomization,”inProceedingsofthe11thACMconferenceonComputerandcommunicationssecurity,ser.CCS'04.NewYork,NY,USA:ACM,2004,pp.298–307.[Online].Available:http://doi.acm.org/10.1145/1030083.1030124[10]geraandriq.Advancesinformatstringexploitation.[Online].Available:http://www.phrack.org/archives/59/p59 0x07 Advances%20in%20format%20string%20exploitation by riq%20&%20gera.txt[11]C.Cowan,C.Pu,D.Maier,H.Hintony,J.Walpole,P.Bakke,S.Beattie,A.Grier,P.Wagle,andQ.Zhang,“Stackguard:automaticadaptivedetectionandpreventionofbuffer-overowattacks,”inProceedingsofthe7thconferenceonUSENIXSecuritySymposium-Volume7,ser.SSYM'98.Berkeley,CA,USA:USENIXAssociation,1998,pp.5–5.[Online].Available:http://dl.acm.org/citation.cfm?id=1267549.1267554[12]H.Etoh,“GCCextensionforprotectingapplicationsfromstack-smashingattacks(ProPolice),”2003,http://www.trl.ibm.com/projects/security/ssp/.[Online].Available:http://www.trl.ibm.com/projects/security/ssp/[13]BulbaandKil3r,“Bypassingstackguardandstackshield,”PhrackMagazine,May2000.[Online].Available:http://phrack.org/issues.html?issue=56&id=5#article[14]Kingcope.Aboutagenericwaytoexploitlinuxtargets.[Online].Available:http://www.exploit-db.com/wp-content/themes/exploit/docs/27074.pdf[15]G.F.Roglia,L.Martignoni,R.Paleari,andD.Bruschi,“Surgicallyreturningtorandomizedlib(c),”inProceedingsofthe2009AnnualComputerSecurityApplicationsConference,ser.ACSAC'09.Washington,DC,USA:IEEEComputerSociety,2009,pp.60–69.[Online].Available:http://dx.doi.org/10.1109/ACSAC.2009.16[16]Ubuntusecurityfeatures.[Online].Available:https://wiki.ubuntu.com/Security/Features[17]Peachfuzzer.[Online].Available:http://peachfuzzer.com/[18]mitre.Cve-2002-0392.[Online].Available:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0392[19]C.Giuffrida,A.Kuijsten,andA.S.Tanenbaum,“Enhancedoperatingsystemsecuritythroughefcientandne-grainedaddressspacerandomization,”inProceedingsofthe21stUSENIXconferenceonSecuritysymposium,ser.Security'12.Berkeley,CA,USA:USENIXAssociation,2012,pp.40–40.[Online].Available:http://dl.acm.org/citation.cfm?id=2362793.2362833[20]E.Efrat.Segvguard.[Online].Available:http://www.netbsd.org/elad/recent/man/security.8.html[21]grsecurity.Deterexploitbruteforcing.[Online].Avail-able:http://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity and PaX Conguration Options#Deter exploit bruteforcing[22]M.Abadi,M.Budiu,U.Erlingsson,andJ.Ligatti,“Control-owintegrity,”inProceedingsofthe12thACMConferenceonComputerandCommunicationsSecurity,ser.CCS'05.NewYork,NY,USA:ACM,2005,pp.340–353.[Online].Available:http://doi.acm.org/10.1145/1102120.1102165[23]V.Pappas,M.Polychronakis,andA.D.Keromytis,“TransparentROPexploitmitigationusingindirectbranchtracing,”inProceedingsofthe22ndUSENIXconferenceonSecurity,ser.SEC'13.Berkeley,CA,USA:USENIXAssociation,2013,pp.447–462.[Online].Available:http://dl.acm.org/citation.cfm?id=2534766.2534805[24]R.Wartell,V.Mohan,K.W.Hamlen,andZ.Lin,“Binarystirring:Self-randomizinginstructionaddressesoflegacyx86binarycode,”inProceedingsofthe2012ACMConferenceonComputerandCommunicationsSecurity,ser.CCS'12.NewYork,NY,USA:ACM,2012,pp.157–168.[Online].Available:http://doi.acm.org/10.1145/2382196.2382216[25]J.Hiser,A.Nguyen-Tuong,M.Co,M.Hall,andJ.W.Davidson,“Ilr:Where'dmygadgetsgo?”inProceedingsofthe2012IEEESymposiumonSecurityandPrivacy,ser.SP'12.Washington,DC,USA:IEEEComputerSociety,2012,pp.571–585.[Online].Available:http://dx.doi.org/10.1109/SP.2012.39[26]V.Pappas,M.Polychronakis,andA.D.Keromytis,“Smashingthegadgets:Hinderingreturn-orientedprogrammingusingin-placecoderandomization,”inProceedingsofthe2012IEEESymposiumonSecurityandPrivacy,ser.SP'12.Washington,DC,USA:IEEEComputerSociety,2012,pp.601–615.[Online].Available:http://dx.doi.org/10.1109/SP.2012.41[27]K.Onarlioglu,L.Bilge,A.Lanzi,D.Balzarotti,andE.Kirda,“G-free:defeatingreturn-orientedprogrammingthroughgadget-lessbinaries,”inProceedingsofthe26thAnnualComputerSecurityApplicationsConference.ACM,2010,pp.49–58.[28]T.C.Team.Addresssanitizer-clang3.4documentation.[Online].Available:http://clang.llvm.org/docs/AddressSanitizer.html[29]D.Dhurjati,S.Kowshik,andV.Adve,“SAFECode:Enforcingaliasanalysisforweaklytypedlanguages,”inProceedingsofthe2006ACMSIGPLANConferenceonProgrammingLanguageDesignandImplementation,ser.PLDI'06.NewYork,NY,USA:ACM,2006,pp.144–157.[Online].Available:http://doi.acm.org/10.1145/1133981.1133999[30]Intel.Introductiontointelmemoryprotectionexten-sions.[Online].Available:http://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions[31]T.GoodspeedandA.Francillon,“Half-BlindAttacks:MaskROMBootloadersareDangerous,”inWOOT,2009.[32]A.N.Sovarel,D.Evans,andN.Paul,“Where'sthefeeb?:Theeffectivenessofinstructionsetrandomization,”inUsenixSecurity,2005.[33]A.Zabrocki.Scrapsofnotesonremotestackoverowexploitation.[Online].Available:http://www.phrack.org/issues.html?issue=67&id=13#article[34]Kingcope.nginx1.3.9/1.4.0x86bruteforceremoteexploit.[Online].Available:http://www.exploit-db.com/exploits/26737/[35]M.Labes.Mwrlabspwn2own2013write-up-webkitexploit.[Online].Available:https://labs.mwrinfosecurity.com/blog/2013/04/19/mwr-labs-pwn2own-2013-write-up---webkit-exploit/