Interpreter exploitation

Authors:
Dionysus Blazakis
Affiliations:
Independent Security Evaluators, Baltimore, MD
Venue:
WOOT'10 Proceedings of the 4th USENIX conference on Offensive technologies
Year:
2010

Citing 2
Cited 7

On the effectiveness of address-space randomization

Proceedings of the 11th ACM conference on Computer and communications security
The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

Proceedings of the 14th ACM conference on Computer and communications security

Q: exploit hardening made easy

SEC'11 Proceedings of the 20th USENIX conference on Security
Return-Oriented Programming: Systems, Languages, and Applications

ACM Transactions on Information and System Security (TISSEC) - Special Issue on Computer and Communications Security
Dymo: tracking dynamic code identity

RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Memory errors: the past, the present, and the future

RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Using memory management to detect and extract illegitimate code for malware analysis

Proceedings of the 28th Annual Computer Security Applications Conference
Fuzzing the ActionScript virtual machine

Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Librando: transparent code randomization for just-in-time compilers

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

Quantified Score

Hi-index	0.00

Visualization

Abstract

As remote exploits further dwindle and perimeter defenses become the standard, remote client-side attacks are becoming the standard vector for attackers. Modern operating systems have quelled the explosion of client-side vulnerabilities using mitigation techniques such as data execution prevention (DEP) and address space layout randomization (ASLR). This work illustrates two novel techniques to bypass these mitigations. The two techniques leverage the attack surface exposed by the script interpreters commonly accessible within the browser. The first technique, pointer inference, is used to find the memory address of a string of shellcode within the Adobe Flash Player's ActionScript interpreter despite ASLR. The second technique, JIT spraying, is used to write shellcode to executable memory, bypassing DEP protections, by leveraging predictable behaviors of the ActionScript JIT compiler. Previous attacks are examined and future research directions are discussed.