About: Return-to-libc attack is a research topic. Over its lifetime, 5 publications have been published on this topic, receiving 62 citations. The topic is also known as: Ret2libc.
TL;DR: In this article, a method for stalling a call to a critical operating system (OS) function and determining whether branch trace records of the call include a return instruction is proposed.
Abstract: A method includes stalling a call to a critical operating system (OS) function and determining whether branch trace records of the call include a return instruction. Upon a determination that the branch trace records of the call do include a return instruction, the method further includes taking protective action to protect a computer system.
TL;DR: In this paper, a method for stalling a call to a critical operating system (OS) function, looking up a value at the previous top of stack, and determining whether the value is equivalent to an address of the critical OS function being called is presented.
Abstract: A method includes stalling a call to a critical operating system (OS) function, looking up a value at the previous top of stack, and determining whether the value is equivalent to an address of the critical OS function being called. If the value at the previous top of stack is equivalent to the address of the critical OS function being called, the method further includes taking protective action to protect a computer system.
TL;DR: Although the key-agreement protocol can be used by attackers for malicious purposes, it has low computation overhead, making it a candidate for adoption in CPU-constrained platforms.
Abstract: Exploiting software vulnerabilities, such as stack overflow, heap overflow, and format string exploits, enables attackers to break into victim machines. Moreover, attackers tend to use obfuscation techniques, such as encryption, to evade intrusion detection systems. In this paper, we show that a common stack-overflow attack, namely the return-to-libc attack, coupled with a common defense, namely Address Space Layout Randomization (ASLR), together allow for constructing a key-agreement protocol that allows two entities (e.g., a Trojan and a controller) to agree on a shared key, whereas the shared key can then be used to encrypt further communication. We have developed a prototype of our key-agreement protocol to evaluate its feasibility and performance. Our results show that both time and message overhead of our protocol are linear in key length. Although our key-agreement protocol can be used by attackers for malicious purposes, it has low computation overhead, making it a candidate for adoption in CPU-constrained platforms.
TL;DR: A memory access validation scheme that manages information on spurious data at the granularity of cache line size and a validation unit that answers queries from other components in the processor so that spurious data can be blocked before control flow diversion.
Abstract: The authenticity of a piece of data or an instruction is crucial in mitigating threats from various forms of software attacks. In spite of various features against malicious attacks exploiting spurious data, adversaries have been successful in circumventing such protections. This paper proposes a memory access validation scheme that manages information on spurious data at the granularity of cache line size. A validation unit based on the proposed scheme answers queries from other components in the processor so that spurious data can be blocked before control flow diversion. We describe the design of this validation unit as well as its integration into the memory hierarchy of a modern processor and assess its memory requirement and performance impact with two simulators. The experimental results show that our scheme is able to detect the synthesized payload injection attacks and to manage taint information with moderate memory overhead under acceptable performance impact.
TL;DR: A memory-access validation scheme that manages information on spurious data at the granularity of the cache line size and a validation unit that answers queries from other components in the processor so that spurious data can be blocked before control flow diversion.
Abstract: The authenticity of a piece of data or an instruction is crucial in mitigating threats from various forms of software attack. In spite of the various forms of protection against malicious attacks exploiting spurious data, adversaries have been successful in circumventing such protection. This paper proposes a memory-access validation scheme that manages information on spurious data at the granularity of the cache line size. A validation unit based on the proposed scheme answers queries from other components in the processor so that spurious data can be blocked before control flow diversion. We describe the design of this validation unit as well as its integration into the memory hierarchy of a modern processor and assess its memory requirement and performance impact with two simulators. The experimental results show that our scheme is able to detect synthesized payload injection attacks and to manage taint information with a moderate memory overhead under an acceptable performance impact.