Title: Baseline Is Fragile: On the Effectiveness of Stack Pivot Defense
Abstract: Return-Oriented Programming (ROP) has become a widespread technique in recent software exploits. Various defenses have been proposed to thwart ROP, including randomization and Control-Flow Integrity (CFI), but ROP attacks have not been eliminated completely. Recently, ROP defenses based on stack pivot detection have been put forward. In this paper, we investigate the checking mechanism in existing stack pivot defenses, including ROPGuard, Microsoft EMET, PBlocker and a detecting device design. They check the validity of the stack pointer against stack boundary information stored in a system structure, e.g., the Thread Information Block (TIB) in Windows. These stack pivot checkers are effective at detecting ROP attacks on the premise that the baseline is safely stored. However, we find this assumption unreliable because users have read-write access to the TIB structure, which means the stack range information can be tampered with in user mode by an attacker, while existing solutions do not mention how to protect these baseline data. In this paper, we propose an attack method that bypasses stack pivot checks by corrupting the stack border value in the TIB, and we show through case studies that this attack indeed defeats current solutions. Further, we discuss possible countermeasures to enhance the security of current stack pivot defenses.
Year: 2016
DOI: 10.1109/ICPADS.2016.0062
Venue: 2016 IEEE 22nd International Conference on Parallel and Distributed Systems (ICPADS)
Keywords: Code reuse attack, Return-Oriented Programming, Stack pivot, Thread Information Block, Enhanced Mitigation Experience Toolkit
Field: System structure, Computer science, Computer security, Call stack, Exploit, Thread (computing), Software, Return-oriented programming, Distributed computing
DocType: Conference
ISSN: 1521-9097
ISBN: 978-1-5090-5382-7
Citations: 0
PageRank: 0.34
References: 8
Authors: 5
Author list (name, order, citations, PageRank):
Fei Yan, order 1, citations 0, PageRank 0.34
Huang Fan, order 2, citations/PageRank 519.11
Lei Zhao, order 3, citations/PageRank 137.68
Huirong Peng, order 4, citations 0, PageRank 0.34
Qian Wang, order 5, citations/PageRank 111.33