DOI: 10.1145/1315245.1315313 (CCS Conference Proceedings)
Article

The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

Published: 28 October 2007

Abstract

We present new techniques that allow a return-into-libc attack to be mounted on x86 executables, an attack that calls no functions at all. Our attack combines a large number of short instruction sequences to build gadgets that allow arbitrary computation. We show how to discover such instruction sequences by means of static analysis. We make use, in an essential way, of the properties of the x86 instruction set.



Published In

CCS '07: Proceedings of the 14th ACM conference on Computer and communications security
October 2007, 628 pages
ISBN: 9781595937032
DOI: 10.1145/1315245
Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. instruction set
2. return-into-libc
3. turing completeness

Conference

CCS07: 14th ACM Conference on Computer and Communications Security 2007
November 2 - October 31, 2007
Alexandria, Virginia, USA

Acceptance Rates

CCS '07 paper acceptance rate: 55 of 302 submissions (18%)
Overall acceptance rate: 1,261 of 6,999 submissions (18%)

Article Metrics

• Downloads (last 12 months): 630
• Downloads (last 6 weeks): 61
Reflects downloads up to 24 Jan 2025

Cited By

• (2025) Control-flow attestation: Concepts, solutions, and open challenges. Computers & Security, 150(104254). DOI: 10.1016/j.cose.2024.104254. Online publication date: Mar-2025.
• (2025) iVault: Architectural Code Concealing Techniques to Protect Cryptographic Keys. Embedded Computer Systems: Architectures, Modeling, and Simulation, pages 152-164. DOI: 10.1007/978-3-031-78380-7_13. Online publication date: 28-Jan-2025.
• (2025) Buffer Overflow Attacks. Encyclopedia of Cryptography, Security and Privacy, pages 309-312. DOI: 10.1007/978-3-030-71522-9_502. Online publication date: 8-Jan-2025.
• (2025) Spectre. Encyclopedia of Cryptography, Security and Privacy, pages 2497-2503. DOI: 10.1007/978-3-030-71522-9_1687. Online publication date: 8-Jan-2025.
• (2024) DEEPTYPE. Proceedings of the 33rd USENIX Conference on Security Symposium, pages 5877-5894. DOI: 10.5555/3698900.3699229. Online publication date: 14-Aug-2024.
• (2024) Intellectual property exposure. Proceedings of the 33rd USENIX Conference on Security Symposium, pages 2155-2172. DOI: 10.5555/3698900.3699021. Online publication date: 14-Aug-2024.
• (2024) Basilisk. Proceedings of the 18th USENIX Conference on Offensive Technologies, pages 245-261. DOI: 10.5555/3696933.3696950. Online publication date: 12-Aug-2024.
• (2024) RIPencapsulation. Proceedings of the 18th USENIX Conference on Offensive Technologies, pages 117-132. DOI: 10.5555/3696933.3696943. Online publication date: 12-Aug-2024.
• (2024) Understanding the Security Landscape of Control-Data and Non-Control-Data Attacks Against IoT Systems. 2024 9th International Conference on Smart and Sustainable Technologies (SpliTech), pages 01-06. DOI: 10.23919/SpliTech61897.2024.10612517. Online publication date: 25-Jun-2024.
• (2024) Log refusion: adversarial attacks against the integrity of application logs and defense methods. SCIENTIA SINICA Informationis, 54:9(2157). DOI: 10.1360/SSI-2024-0042. Online publication date: 10-Sep-2024.
