On the expressiveness of return-into-libc attacks

Authors:
Minh Tran;Mark Etheridge;Tyler Bletsch;Xuxian Jiang;Vincent Freeh;Peng Ning
Affiliations:
Department of Computer Science, North Carolina State University, Raleigh, NC;Department of Computer Science, North Carolina State University, Raleigh, NC;Department of Computer Science, North Carolina State University, Raleigh, NC;Department of Computer Science, North Carolina State University, Raleigh, NC;Department of Computer Science, North Carolina State University, Raleigh, NC;Department of Computer Science, North Carolina State University, Raleigh, NC
Venue:
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Year:
2011

Citing 19
Cited 3

Secure Execution via Program Shepherding

Proceedings of the 11th USENIX Security Symposium
RAD: A Compile-Time Solution to Buffer Overflow Attacks

ICDCS '01 Proceedings of the The 21st International Conference on Distributed Computing Systems
Countering code-injection attacks with instruction-set randomization

Proceedings of the 10th ACM conference on Computer and communications security
Randomized instruction set emulation to disrupt binary code injection attacks

Proceedings of the 10th ACM conference on Computer and communications security
Control-flow integrity

Proceedings of the 12th ACM conference on Computer and communications security
StackGhost: Hardware facilitated stack protection

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Efficient techniques for comprehensive protection from memory error exploits

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Securing software by enforcing data-flow integrity

OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

Proceedings of the 14th ACM conference on Computer and communications security
When good instructions go bad: generalizing return-oriented programming to RISC

Proceedings of the 15th ACM conference on Computer and communications security
On the difficulty of software-based attestation of embedded devices

Proceedings of the 16th ACM conference on Computer and communications security
Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks

Proceedings of the 2009 ACM workshop on Scalable trusted computing
DROP: Detecting Return-Oriented Programming Malicious Code

ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
Surgically Returning to Randomized lib(c)

ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Defeating return-oriented rootkits with "Return-Less" kernels

Proceedings of the 5th European conference on Computer systems
Can DREs provide long-lasting security? the case of return-oriented programming and the AVC advantage

EVT/WOTE'09 Proceedings of the 2009 conference on Electronic voting technology/workshop on trustworthy elections
Return-oriented rootkits: bypassing kernel code integrity protection mechanisms

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Return-oriented programming without returns

Proceedings of the 17th ACM conference on Computer and communications security
G-Free: defeating return-oriented programming through gadget-less binaries

Proceedings of the 26th Annual Computer Security Applications Conference

Microgadgets: size does matter in turing-complete return-oriented programming

WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
Gadge me if you can: secure and efficient ad-hoc instruction-level randomization for x86 and ARM

Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Control flow integrity for COTS binaries

SEC'13 Proceedings of the 22nd USENIX conference on Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Return-into-libc (RILC) is one of the most common forms of code-reuse attacks. In this attack, an intruder uses a buffer overflow or other exploit to redirect control flow through existing (libc) functions within the legitimate program. While dangerous, it is generally considered limited in its expressive power since it only allows the attacker to execute straight-line code. In other words, RILC attacks are believed to be incapable of arbitrary computation--they are not Turing complete. Consequently, to address this limitation, researchers have developed other code-reuse techniques, such as return-oriented programming (ROP). In this paper, we make the counterargument and demonstrate that the original RILC technique is indeed Turing complete. Specifically, we present a generalized RILC attack called Turing complete RILC (TC-RILC) that allows for arbitrary computations. We demonstrate that TC-RILC satisfies formal requirements of Turing-completeness. In addition, because it depends on the well-defined semantics of libc functions, we also show that a TC-RILC attack can be portable between different versions (or even different families) of operating systems and naturally has negative implications for some existing anti-ROP defenses. The development of TC-RILC on both Linux and Windows platforms demonstrates the expressiveness and practicality of the generalized RILC attack.