Featured paper
SeBROP:blind ROP attacks without returns
Abstract:
Currently, security-critical server programs are well protected by various defense techniques, such as Address Space Layout Randomization (ASLR), eXecute Only Memory (XOM), and Data Execution Prevention (DEP), against modern code-reuse attacks like Return-oriented Programming (ROP) attacks. Moreover, in these victim programs, most syscall instructions lack the following ret instructions, which prevents attacks from stitching multiple system calls to implement advanced behaviors like launching a remote shell. Lacking this kind of gadget greatly constrains the capability of code-reuse attacks. This paper proposes a novel code-reuse attack method called Signal Enhanced Blind Return Oriented Programming (SeBROP) to address these challenges. Our SeBROP can initiate a successful exploit to server-side programs using only a stack overflow vulnerability. By leveraging a side-channel that exists in the victim program, we show how to find a variety of gadgets blindly without any prior knowledge or reading/disassembling the code segment. Then, we propose a technique that exploits the current vulnerable signal checking mechanism to realize execution flow control even when ret instructions are absent. Our technique can stitch a number of system calls without returns, which is superior to conventional ROP attacks. Finally, the SeBROP attack precisely identifies many useful gadgets to constitute a Turing-complete set. The SeBROP attack can defeat almost all state-of-the-art defense techniques. The SeBROP attack is compatible with both modern 64-bit and 32-bit systems. To validate its effectiveness, we craft three exploits of the SeBROP attack for three real-world applications, i.e., 32-bit Apache 1.3.49, 32-bit ProFTPD 1.3.0, and 64-bit Nginx 1.4.0. Experimental results demonstrate that the SeBROP attack can successfully spawn a remote shell on Nginx, ProFTPD, and Apache with less than 8500/4300/2100 requests, respectively.
Keywords:
CLC number:
Authors:
Tianning ZHANG; Miao CAI; Diming ZHANG; Hao HUANG
Author affiliations:
Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China; School of Computer and Information, Hohai University, Nanjing 211106, China; College of Computer Engineering, Jiangsu University of Science and Technology, Zhenjiang 212008, China
Source:
Citation:
[1] Tianning ZHANG; Miao CAI; Diming ZHANG; Hao HUANG. SeBROP: blind ROP attacks without returns [J]. 计算机科学前沿 (Frontiers of Computer Science), 2022(04): 179-196