The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)
Proceedings of the 14th ACM conference on Computer and communications security
A domain-specific language for manipulation of binary data in Dylan
Proceedings of the 2007 International Lisp Conference
A fistful of red-pills: how to automatically generate procedures to detect CPU emulators
WOOT'09 Proceedings of the 3rd USENIX conference on Offensive technologies
A framework for automated architecture-independent gadget search
WOOT'10 Proceedings of the 4th USENIX conference on Offensive technologies
Exploiting the hard-working DWARF: trojan and exploit techniques with no native executable code
WOOT'11 Proceedings of the 5th USENIX conference on Offensive technologies
A library for processing ad hoc data in Haskell: embedding a data description language
IFL'08 Proceedings of the 20th international conference on Implementation and application of functional languages
RockSalt: better, faster, stronger SFI for the x86
Proceedings of the 33rd ACM SIGPLAN conference on Programming Language Design and Implementation
Scriptless attacks: stealing the pie without touching the sill
Proceedings of the 2012 ACM conference on Computer and communications security
Hi-index | 0.00 |
Trust Analysis, i.e. determining that a system will not execute some class of computations, typically assumes that all computation is captured by an instruction trace. We show that powerful computation on ×86 processors is possible without executing any CPU instructions. We demonstrate a Turing-complete execution environment driven solely by the IA32 architecture's interrupt handling and memory translation tables, in which the processor is trapped in a series of page faults and double faults, without ever successfully dispatching any instructions. The "hard-wired" logic of handling these faults is used to perform arithmetic and logic primitives, as well as memory reads and writes. This mechanism can also perform branches and loops if the memory is set up and mapped just right. We discuss the lessons of this execution model for future trustworthy architectures.