Half-blind attacks: mask ROM bootloaders are dangerous

  • Authors: Travis Goodspeed; Aurélien Francillon
  • Affiliations: -; INRIA Rhône-Alpes
  • Venue: WOOT'09 Proceedings of the 3rd USENIX conference on Offensive technologies
  • Year: 2009

Abstract

This paper presents a non-invasive, half-blind firmware extraction technique that subverts a mask ROM bootloader in order to recover the firmware of a microcontroller. A stack-based buffer overflow is used to forcibly enter the bootloader. Further, a practical method of blind return-oriented programming is presented in which a gadget's entry point, unknown a priori, is found by brute force. In this paper we show that once a software vulnerability has been found (e.g. by fuzzing), the attacker can locate by brute force the instruction sequences, or gadgets, required to bypass the protections present in a bootloader. In a half-blind attack, the presence of a bootloader in mask ROM helps the attacker: while he must still blindly discover a vulnerability in the unknown firmware and the appropriate gadgets, he knows the exact contents of the bootloader.