
Buffer overflow: Introduction, Defense and ASLR

Jie Cui, Gjøvik University College

Modern computers are built on the Von Neumann architecture and the C/C++ languages, which together give rise to the buffer overflow vulnerability that threatens computer security. Although security personnel have introduced many memory defence mechanisms, this vulnerability is still seriously exploited for malicious purposes. This paper presents a general introduction to the buffer overflow vulnerability and the corresponding defensive mechanisms. In the later part of the paper, we focus on ASLR and the bypassing techniques that compromise its protection.

Categories and Subject Descriptors: Computer Science [Information Security]

Additional Key Words and Phrases: ASLR, Buffer Overflow, Brute-force attack, JIT spraying, Stack, Heap, Heap Spraying

Applied Information Security


ACM Transactions on Programming Languages and Systems, Vol. TBD, No. TDB, Month Year, Pages 1??.


Contents

1 Introduction 3
2 Computer data structure and Buffer overflow 4
2.1 Stack and Heap 4
2.2 Buffer Overflow attack 5
2.3 Memory Protection 7
3 ASLR and relevant bypassing techniques 9
3.1 Overview on ASLR 9
3.2 Brute force attack 12
3.3 Partial EIP overwrite 13
3.4 Using an address from a non-ASLR enabled module 13
3.5 Heap Spraying and JIT Spraying 14
4 Conclusion 15



1. INTRODUCTION

The buffer overflow vulnerability was first reported in 1988, but it was not properly treated until it was seriously exploited in the late 90s. The problem may be ascribed to the C language, which lets programmers manage memory themselves; this makes the language incomparably powerful but also brings the potential threats discussed here. Modern operating systems depend heavily on C, so this weakness is considered one of the most effective ways to compromise the security of an operating system. [Larochelle 2011] Years ago, an exploitable buffer overflow was found in Microsoft's Internet Information Server (IIS), which left almost every Windows NT server exposed to malicious code. In addition, some buffer overflow vulnerabilities in the Windows platform enabled malware to circulate via the Office suite, especially Outlook. This kind of attack is so frequent on Windows platforms that some computer scientists even suspect it was intended as a backdoor built into Windows. [Electron 2003] Mac OS cannot escape the buffer overflow vulnerability either. In fact, attackers find the following vulnerabilities very interesting. [Corporation 2008]

CVE-2011-0213 Buffer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG file.
CVE-2011-0206 Buffer overflow in International Components for Unicode (ICU) in Apple Mac OS X before 10.6.8 allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving uppercase strings.
CVE-2011-0204 Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image.
CVE-2011-0198 Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code via a crafted embedded TrueType font.

In computer programs it is almost impossible to avoid such weaknesses; although software vendors make efforts to eliminate such flaws, buffer overflow vulnerabilities are still very common in software. Although many defensive technologies have been introduced as mitigations, well-motivated attackers are able to stay in the game with more sophisticated attacks or bypassing techniques.

2. COMPUTER DATA STRUCTURE AND BUFFER OVERFLOW

2.1 Stack and Heap

In computer science, a data structure refers to the way computers store and retrieve data. When we create local variables in a program, the programming language allocates a range of memory to store them. In most cases local variables are stored automatically on the stack, which is one of the typical computer data structures. In general, a stack is a data structure that gives access to its stored data at one end only. The computer inserts and retrieves data in last-in, first-out order; in other words, the first item that enters the stack is always the last one the computer can withdraw from it. During the storage operation (push), the computer uses a pointer to indicate the memory address; each time it stores an item, the pointer moves to the next slot of the stack, so the slot the pointer currently refers to is called the top. In the opposite operation, called pop, the computer takes the top item of the stack and moves the pointer back to the previous address. Together, push and pop provide the basic data storage function of stacks.

Fig. 1. The principle of a stack is similar to a pile of books [orionwell]

A stack is more than a storage structure; it handles function calls and returns in programs. Its characteristics allow programmers to call functions from one another. When a function has finished, the computer continues with the next instruction as a result of the return operation. For example, in structured programming languages such as C, when a function is called, the C runtime passes the data and arguments to a set of memory addresses which is also called the stack. So that execution can continue afterwards, the return address is also stored on the stack; once the function is done, the program gets back to the caller via the return address.

On the other hand, a heap is a specialized tree-based data structure. It is represented as a binary tree that satisfies the property that a parent node is always greater than its child nodes. In addition, it brings flexibility through dynamic memory allocation. Since stacks allocate and initialize variables before run time, the pre-allocated memory may cause problems. In contrast to the stack, the heap is more flexible in this respect: through specific functions (such as malloc()), programmers can manage the memory space for variables. Moreover, in Java for instance, the garbage collector is designed to release heap memory, which makes memory usage efficient. To summarize, dynamic memory allocation makes the heap more efficient and flexible than the stack from the point of view of memory usage, but at the same time it compromises read/write speed in comparison with the stack.

Fig. 2. Heap data structure examples [Bin 2006]

2.2 Buffer Overflow attack

As the biggest victim of the vulnerability, Microsoft Corporation defines the buffer overflow attack as follows: "A buffer overflow attack is an attack in which a malicious user exploits an unchecked buffer in a program and overwrites the program code with their own data. If the program code is overwritten with new executable code, the effect is to change the program's operation as dictated by the attacker. If overwritten with other data, the likely effect is to cause the program to crash."

By analogy with the real world, we can think of the stack as a glass and of data as beer. A buffer overflow is somewhat like pouring 500 ml of beer into a 300 ml glass: the beer spills out and causes a mess. As a consequence of such program flaws, malicious users can use buffer overflow attacks to crash the program, or, in a more sophisticated way, manipulate the control flow to launch their shellcode for further malicious purposes. An attacker can achieve malicious intent by exploiting buffer overflow vulnerabilities with a series of simple but effective operations. First, the attacker identifies the stack buffer that is subject to the overflow weakness; this was a relatively difficult task in the past, but with the development of hacking technologies and rapidly shared hacking resources, it has become a favourite among malicious users. After that, he fills the buffer with arbitrary data until it overflows. At this stage the extra data goes into the adjacent memory slots, which enables the attacker to overwrite the return address and serves the purpose of malware execution. For instance, to gain access to sensitive data, users are required to input the correct user name and password; however, a careless programmer may not have designed the code to check the password size, which leaves an opportunity for malicious code. The attacker can therefore input a password that is long enough to overflow the buffer, then manipulate the return address with his piece of script, and eventually achieve his intent. [Pickard 2005]

Fig. 3. Buffer overflow attack from the view of the stack layout
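As an added illustration of the unchecked password copy just described (this is example code written for this page, not from the paper or any cited source), the C program below places the vulnerable form beside a bounded one. The reference password and the 40-byte input are constructed sample values; PASS_MAX, bounded_len() and the two check functions are this example's own names.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the paper or the cited sources: the unchecked
 * password copy described above, beside a bounded version. The reference
 * password "s3cret-ref" is a constructed sample value. */

#define PASS_MAX 16                       /* bytes reserved for the local copy */
static const char REFERENCE_PASSWORD[] = "s3cret-ref";

/* Bounded string length: counts at most 'cap' bytes, so it never reads past
 * a buffer of that size (a portable stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable form: strcpy() copies until the terminating NUL, so any input of
 * 16 bytes or more runs past 'local' into whatever the compiler placed after
 * it (saved registers, the return address). It is kept here to show the flaw
 * and is only ever called with short input in this file. */
int check_password_unchecked(const char *input)
{
    char local[PASS_MAX];
    strcpy(local, input);                 /* no length check */
    return strcmp(local, REFERENCE_PASSWORD) == 0;
}

/* Hardened form: measure with a bound, refuse input that would not fit, then
 * copy exactly the measured bytes and terminate. Returns 1 on a match, 0 on a
 * mismatch and -1 when the input is too long to be copied at all. */
int check_password_bounded(const char *input)
{
    char local[PASS_MAX];
    size_t n = bounded_len(input, PASS_MAX);
    if (n >= PASS_MAX)
        return -1;                        /* would overflow: reject, never copy */
    memcpy(local, input, n);
    local[n] = '\0';
    return strcmp(local, REFERENCE_PASSWORD) == 0;
}

int main(void)
{
    /* 40 'A's: constructed over-long input of the kind the text describes */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("correct password -> %d\n", check_password_bounded("s3cret-ref"));
    printf("wrong password   -> %d\n", check_password_bounded("guess"));
    printf("over-long input  -> %d\n", check_password_bounded(too_long));
    return 0;
}
```

The bounded version makes the size decision before any byte is written, which is the property the careless program in the text lacks: an input of 16 bytes or more is refused outright instead of being copied and compared.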

The heap can easily be corrupted if a programmer does not check chunk sizes properly. Without internal controls on the allocated memory boundaries, malicious users can overwrite the neighbouring chunk and corrupt the heap. Similarly, when function pointers are allocated in the affected heap, it becomes possible for an attacker to manipulate the execution flow and mount an attack with his own code. One example of a heap overflow attack targets Doug Lea's malloc. Doug Lea's malloc was designed for effective memory utilization. It groups unallocated memory in doubly linked lists, and when additional chunks are freed, a forward or backward consolidation with adjacent memory is attempted. During the freeing process, the chunk is combined with an adjacent chunk from the list. If an attacker overflows the adjacent chunk, an overwrite of arbitrary memory could occur. [Forest 2004]

2.3 Memory Protection

During the seesaw battle against buffer overflow attacks, computer security professionals have established several defensive measures. The following are the most widely used [Adam Chapman 2003]:

Secure programming. Some programming languages such as C/C++ leave memory management to the programmer, which gives rise to the problem in question. Below is the FreeBSD Developers' Handbook example of a program containing a buffer overflow [FreeBSD 2000]; the overflow in manipulate() is intentional:

```c
#include <stdio.h>
#include <string.h>

void manipulate(char *buffer) {
    char newbuffer[80];
    strcpy(newbuffer, buffer);   /* no bound check: input longer than 79 bytes overflows newbuffer */
}

int main() {
    char ch, buffer[4096];
    int i = 0;

    while ((buffer[i++] = getchar()) != '\n') {};   /* reads one line into buffer */
    i = 1;
    manipulate(buffer);
    i = 2;
    printf("The value of i is : %d\n", i);
    return 0;
}
```

Even though some other programming languages offer better solutions to this problem (for example managed memory and run-time checks), they come with different problems such as decreased performance and other awkward cases, so the buffer overflow remains a headache for programmers.

Stack guard. This method introduces a canary word. The value is located between the frame and the return address; with the canary in place, a malicious user finds it difficult to modify the return address without changing the canary value. Once the value is changed, the stack guard calls a handler which terminates the offending program. [Pickard 2005] Most stack guard protections are implemented with a terminator canary, a random canary or a random XOR canary. There are many limitations to this defensive approach; for example, the format string attack, considered a variant of the buffer overflow attack, renders the stack guard defenseless. Through this type of attack an attacker can replace values used to reference instructions other than function return addresses to avoid StackGuard, and can place shellcode in areas such as the heap. Also, adding the canary value during compilation results in processing overhead and hence lower performance.
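Added example (not the paper's or StackGuard's code): a model in C of the canary layout described above. The frame is a struct so that an oversized copy stays inside one object and the model itself never misbehaves; CANARY_SAMPLE is a constructed value standing in for the per-process random canary, and the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the paper or from StackGuard: a model of a guarded
 * stack frame. The canary sits between the local buffer and the saved return
 * address, so an overflow that reaches the return address must pass through
 * the canary first. The canary value 0x5d3a9f01 is a constructed sample; a
 * real implementation draws a fresh random value per process. */

#define BUF_SIZE 16
#define CANARY_SAMPLE 0x5d3a9f01u

struct frame {
    char     buf[BUF_SIZE];   /* local buffer; an overflow runs upward from here */
    uint32_t canary;          /* guard word just above the locals */
    uint32_t saved_ret;       /* stands in for the saved return address */
};

/* An unchecked copy into the buffer, capped at the frame size only so that the
 * model stays within defined behaviour; a real strcpy() has no such cap. */
static void unchecked_copy(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, in, len);  /* fills buf, then canary, then saved_ret */
}

/* The epilogue check: 1 if the canary is intact and returning is safe,
 * 0 if it was clobbered, in which case StackGuard would abort the process. */
int canary_intact(const struct frame *f)
{
    return f->canary == CANARY_SAMPLE;
}

/* Run one input through the modelled frame and report canary_intact(). */
int simulate_call(const unsigned char *in, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_SAMPLE;
    f.saved_ret = 0xdeadbeefu;            /* placeholder, not a real address */
    unchecked_copy(&f, in, len);
    return canary_intact(&f);
}

int main(void)
{
    unsigned char overflow[24];
    memset(overflow, 'A', sizeof overflow);          /* constructed over-long input */
    printf("6-byte input keeps canary:  %d\n", simulate_call((const unsigned char *)"hello", 6));
    printf("16-byte input keeps canary: %d\n", simulate_call(overflow, 16));
    printf("20-byte input keeps canary: %d\n", simulate_call(overflow, 20));
    printf("24-byte input keeps canary: %d\n", simulate_call(overflow, 24));
    return 0;
}
```

With 16 bytes the buffer fills exactly and the canary survives; with 20 or more bytes the copy reaches the canary before it can reach saved_ret, which is what the epilogue check detects. The terminator canary mentioned in the text relies on a different property: its bytes (NUL, CR, LF, -1) are ones that C string-copy routines stop at or cannot carry, so a strcpy()-style overflow cannot write the canary back intact.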

Non-Executable Stack. The non-executable stack is so far probably one of the few best ways to address the buffer overflow attack. Although NX demands hardware support, it has already been widely implemented in most modern computers. NX addresses the buffer overflow attack at the root of the problem: it forces the stack memory pages to be non-executable, which effectively defeats malicious users. However, after Solar Designer published the first return-to-libc attack, which bypasses the non-executable stack, in 1997, many NX bypassing tricks were brought to the scene. In this respect, the combination of NX and ASLR seems to be a better choice for security professionals to mitigate the issue.

Fig. 4. The non-executable stack needs hardware support and the implementation of ASLR [developer Central]



3. ASLR AND RELEVANT BYPASSING TECHNIQUES

3.1 Overview on ASLR

Recently, as part of the new features in Android 4.0, ASLR has drawn people's attention again. The introduction of ASLR in the latest Google smartphone OS is meant to raise the security level of this fast-growing mobile OS. According to Google's report, ASLR is expected to stop exploitation by malicious applications remarkably, and more specifically to protect the system from sophisticated attacks such as buffer overflow attacks. However, the ASLR technique is nothing new in the defence against buffer overflow attacks. When computer scientists talk about ASLR, they are referring to a computer security technique which randomly arranges the memory addresses of sensitive system or user data; it is widely adopted by many different operating systems. The main purpose of this technique is to make malicious exploitation rather difficult. In the previous chapter we discussed the non-executable stack, which prohibits malicious code from being executed; in that light it sounds as if we have no reason to call for ASLR. To explain this, we should start from the return-into-libc attack. With this specific technique, malicious users take advantage of the system library by supplying intended code addresses and parameters, and thereby achieve their attacks. The attacks are achievable because, for any system, it is generally considered legal for a process to call a function in the system library, so the non-executable stack has no reason to intercept this kind of operation; as a consequence, attackers find a breaking point in this mechanism. Instead of solving the problem, the ASLR mechanism makes it difficult for attackers to find the system library address by randomizing memory locations. As the Von Neumann architecture and the C/C++ languages have already been widely and comprehensively adopted by modern computers, fixing the buffer overflow vulnerability from the ground up is a mission impossible.

In this respect, rather than solving or finding software vulnerabilities, ASLR is a decent alternative. Because this technique defends security with pseudo-randomness, if we consider the issue from the viewpoint of cryptology, we all know that a properly designed ASLR cannot be broken. That is theoretically correct, but unfortunately several bypassing and attacking skills have been implemented that aim at reducing the effectiveness of ASLR and NX. [Ollie Whitehouse 2005] As a matter of fact, this memory protection mechanism has already gained acceptance among operating systems, though each manufacturer has proposed its own version of ASLR to suit its products.

Windows. Embedded in Windows XP SP2 and Vista, it was the first time the Microsoft Windows series was implemented with ASLR. Meanwhile, because ASLR is merely an assistant enhancement to DEP (a mechanism similar to NX), DEP was also implemented in the above-mentioned Windows versions. ASLR and DEP work together at every boot and effectively prevent return-to-libc and buffer overflow attacks. The Windows version of ASLR is said to have 8 bits of entropy, which means a malicious user has only one chance in 256 of guessing the correct address. Any failed attempt results in system intervention and termination. [Hristo Bojinov 2005] As a result of the insufficient entropy, the ASLR in Vista is implemented with lower effectiveness in comparison to Linux. Moreover, according to one study, around 25% of all executions turn out to choose a single address, which seriously deteriorates its reliability.

Fig. 5. ASLR permutation [Miller 2008]

Fig. 6. Address Space Layout Randomization in Windows Vista [Howard 2006]

Mac OS X. "In Leopard, libraries are loaded into random addresses when the system is installed and at any time that library prebinding is updated on the system... For any given Mac, the address of a particular library function will be fixed in one of thousands of random locations between system updates, but across all Mac systems, the address is different." [Maynor 2005] Apple's official document clearly explains that the ASLR in Mac is designed against some basic return-to-libc attacks; it is not a full version of ASLR, since it is not supported at the code, stack and heap level. [Ruoho 2008] From this point of view Windows has better support than Apple's OS; however, general security is not judged by ASLR alone.

Linux. Linux has enabled a weak form of ASLR by default since kernel version 2.6.12 (released June 2005). The PaX and ExecShield patchsets to the Linux kernel provide more complete implementations. Various Linux distributions including Adamantix, Alpine Linux, Hardened Gentoo, and Hardened Linux From Scratch come with PaX's implementation of ASLR by default. [Wikipedia 2008a] Meanwhile, the Linux version of ASLR has implementation vulnerabilities. The weakness allows malicious code to determine the memory addresses of system functions and thereby calculate the offset. In a practical case, the malicious code uses the system() function together with usleep(); with the help of objdump, the offset could be obtained. [Gordon 2008]

Fig. 7. Third-party application deployment of ASLR and DEP in 2008 and 2009 [Alin 2010]

Third-party applications provide convenience to malicious exploitation. Take Windows for example: although Microsoft has decided to cope with buffer overflow vulnerabilities through the combination of ASLR and DEP, it is rather upsetting to discover that a large proportion of software vendors do not fully support these two mechanisms. Based on the report by Alin Rad, a number of third-party application vendors are not able to fully support DEP and ASLR on the Windows platform. Although some popular software vendors have realized the importance, progress so far is not satisfactory. Explaining this phenomenon may be complicated: first, some small software enterprises may face technical obstacles to embedding these mechanisms in their applications with limited resources (time and technical support). On the other hand, giants such as Google, Apple and Adobe may consider cost control or efficiency, and so the issue has been neglected. [Alin 2010] Actually, some of these vendors have already had buffer overflow vulnerabilities in their products exploited. As more and more attacks are aimed at third-party applications, we hope adequate awareness will be aroused among the vendors.

The original design of ASLR was able to cope with traditional attacks, but attackers keep improving and developing techniques (extended in the next section) to conquer the protection, which in turn inspires computer security specialists to reinforce the mechanism. The Code Islands transformation is one variant of ASLR, which addresses chained return-into-libc attacks (multi-target derandomization attacks) [Haizhi Xu 2009]. The code island approach separates the functions in an application and then randomizes the relative distances between them; as a result, attackers learn little about the others after locating one of these functions. Besides, Code Island Transformation ASLR is preset with a threshold: after a number of failed attempts, it forces the program to restart, which triggers a new randomization of the program. Meanwhile, Code Island Transformation ASLR has two main side effects [Haizhi Xu 2009]. Program restart leads to data loss, which could be a potential threat to legitimate users; although the designers argue that the information could be recovered from other storage, the risk depends on the application and the importance of the information. System overhead is another issue with this protection: as the mechanism reserves additional system resources, application performance decreases. Similarly, there are many different ASLR variants designed to mitigate different sophisticated attacks on traditional ASLR, but none of them can be regarded as completely secure or effective so far. Thus, both computer security specialists and malicious users are striving for better techniques.

3.2 Brute force attack

In cryptography, "a brute-force attack, or exhaustive key search, is a strategy that can, in theory, be used against any encrypted data. Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It involves systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire search space." [Wikipedia 2008b] The brute force attack is found to be more effective on 32-bit machines, as they have a relatively small entropy value. But with the growing popularity of 64-bit operating systems, hackers will have more difficulty succeeding with this method. The advantage of 64-bit systems can be seen in this respect: 40 of the 64 bits could be used in the implementation of ASLR, which results in 2^40 possible permutations, hence the security is exponentially improved. For example, ASLR uses 8 MB of memory for randomness (referring to Linux kernel 2.6.8), so theoretically, if the malicious application keeps passing a long enough variable, after a certain number of tries the hacker can reach the shellcode. Say the length of the variable is 256 KB; then the success rate could be around 3.2%.

However, in comparison with the traditional brute force attack, it is much more effective for attackers to utilize memory leakage. By adopting this type of attack, attackers gain information about the random base addresses at which libraries are loaded, so it does not depend on the entropy of the OS. Because it can increase the success of attacks significantly (around 68%), it was called the "Surgically returning to randomized lib(c)" attack. To mitigate the problem, people have used the combination of ASLR and PIE (position independent executables). PIE requires recompilation, which results in system overhead; as a result, the solution is not widely adopted. As a better alternative, the encrypted GOT (Global Offset Table) mechanism can achieve the same purpose with no need for recompilation: any information an attacker obtains from the encrypted GOT without the decryption key will be meaningless. [Giampaolo Fresi Roglia 2009]

3.3 Partial EIP overwrite

On Dec 20, 2006, the CVE-2007-0038 Windows ANI header buffer overflow vulnerability was reported. As the Visual Studio compiler was not able to include the GS check for all types of arrays, attacks on USER32.DLL could lead to ASLR malfunction, so malicious users can retry exploits until they succeed without intervention from ASLR. The ASLR function in Windows Vista randomizes only the higher part of the address, while the lower part remains the same as in the original EIP; in addition, the original EIP is also saved on the stack. "EIP (Extended Instruction Pointer) is a register that points to the next instruction. It simply points to the address in which that instruction is placed... So if we overwrite this we can change the direction flow of the program and make it do what we want." The intent of using this vulnerability is to find some useful function within the lower address range which executes jmp edx or another method that overwrites the original EIP with the attacker's EIP. With EIP manipulated, the malicious code will be executed. [Eeckhoutte 2009]

Fig. 8. After a reboot, only the higher part of the address is randomized. The same mechanism is used in Windows 7. [Eeckhoutte 2009]
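To make the entropy arithmetic of Section 3.2 and the partial-overwrite point of Section 3.3 concrete, here is an added C example (not from the paper). It computes the single-guess and cumulative success probabilities for a given number of random address bits, the NOP sled ratio from Section 3.2, and how many bits an attacker still has to guess when only the low bytes of a pointer are overwritten. The bit positions 16..23 used in main() are an assumed layout for illustration, not a measured Windows value; all function names are this example's own.

```c
#include <stdio.h>

/* Added example, not from the paper: the arithmetic behind the entropy figures
 * in Section 3.2 and the partial-overwrite point in Section 3.3. The numbers in
 * main() are the paper's (8 bits for Vista, 40 bits for 64-bit systems, a
 * 256 KB sled in an 8 MB region); the bit positions for Vista are an assumption
 * used only to illustrate bits_to_guess(). */

/* base^exp by repeated squaring, so no libm is needed. */
static double power(double base, unsigned long long exp)
{
    double result = 1.0;
    while (exp) {
        if (exp & 1ULL) result *= base;
        base *= base;
        exp >>= 1;
    }
    return result;
}

/* Probability that one guess hits when 'bits' address bits are random: 2^-bits. */
double single_guess_probability(unsigned bits)
{
    return 1.0 / power(2.0, bits);
}

/* Expected number of guesses until the first hit (geometric distribution): 2^bits. */
double expected_attempts(unsigned bits)
{
    return power(2.0, bits);
}

/* Probability that at least one of 'attempts' independent guesses succeeds:
 * 1 - (1 - 2^-bits)^attempts. Every failed guess crashes the target, which is
 * why the paper counts restarts as the attacker's cost. */
double success_within(unsigned bits, unsigned long long attempts)
{
    return 1.0 - power(1.0 - single_guess_probability(bits), attempts);
}

/* Section 3.2's sled figure: a uniformly random guess into a region of
 * 'region_bytes' lands inside a sled of 'sled_bytes' with probability
 * sled/region. */
double sled_hit_probability(double sled_bytes, double region_bytes)
{
    return sled_bytes / region_bytes;
}

/* Section 3.3's point. Randomization touches address bits lo..hi (inclusive).
 * An attacker who overwrites only the lowest 'overwritten_bits' of a saved
 * pointer leaves the higher bytes at their correct run-time value, so only the
 * randomized bits that fall inside the overwritten span must be guessed. */
unsigned bits_to_guess(unsigned lo, unsigned hi, unsigned overwritten_bits)
{
    if (overwritten_bits <= lo)
        return 0;                               /* overwrite stops below the random bits */
    unsigned top = overwritten_bits - 1 < hi ? overwritten_bits - 1 : hi;
    return top - lo + 1;
}

int main(void)
{
    printf("8-bit ASLR:  one guess hits with p=%.6f, expected %.0f tries\n",
           single_guess_probability(8), expected_attempts(8));
    printf("40-bit ASLR: one guess hits with p=%.3e, expected %.0f tries\n",
           single_guess_probability(40), expected_attempts(40));
    printf("256 KB sled in 8 MB: p=%.4f\n",
           sled_hit_probability(256.0 * 1024, 8.0 * 1024 * 1024));
    /* Assumed layout for illustration: bits 16..23 randomized */
    printf("overwrite low 16 bits, random bits 16..23: guess %u bits\n", bits_to_guess(16, 23, 16));
    printf("overwrite all 32 bits, random bits 16..23: guess %u bits\n", bits_to_guess(16, 23, 32));
    return 0;
}
```

The sled ratio gives 256/8192 = 3.125%, which is the paper's "around 3.2%". With 8 random bits the expected cost is 256 restarts and 256 attempts already succeed with probability about 0.63; with 40 bits the expected cost is 2^40 restarts, which is the exponential improvement the text refers to. A partial overwrite that stops below the randomized bits needs no guess at all, which is why the Vista layout in Section 3.3 matters.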

3.4 Using an address from a non-ASLR enabled module

Another effective way to bypass the ASLR mechanism is to look for a module in the system that is not ASLR enabled. This method could be considered a tricky way to evade ASLR. In today's computer systems there are many modules or applications that do not support ASLR, so their addresses/pointers are not randomized, and it is therefore possible for hackers to jump to the shellcode through them.

On September 8, 2010, Adobe released a security advisory (CVE-2010-2883) for Adobe Reader. It was reported that this vulnerability allows an attacker to execute malicious code and take control of the victim's computer. In fact, when researchers investigated the case in depth, they discovered that it was a stack-based buffer overflow in the software, unfortunately accompanied by a module which did not support ASLR.

Fig. 9. icucnv36.dll is always loaded at a predictable address [swiat 2010]

"What I haven't mentioned yet is that this exploit document does something that I haven't seen in the wild yet. This exploit works on Windows Vista and Windows 7. Unlike the previous exploits, it is not dependent on a hardcoded Windows XP syscall. Additionally, it uses a previously unpublished technique to bypass ASLR," Metasploit researcher Joshua J. Drake said in his analysis of the exploit. "The gadgets that are used for this ROP payload come from a module named icucnv36.dll. This module does not support ASLR (nor does it opt in to DEP, although that is largely irrelevant)." [Fisher 2010] The remedy for this vulnerability could be either updating Adobe Reader or using Microsoft's Enhanced Mitigation Experience Toolkit. EMET can force mandatory ASLR on an application which does not support the mechanism, which serves this case properly.

3.5 Heap Spraying and JIT Spraying

The main task for an attacker conducting a buffer overflow attack is to find the correct address of his shellcode. This is difficult, because each compilation of the program could place the shellcode at a different memory location, which makes the problem hard for the attacker. As a countermeasure, hackers introduced the NOP slide, used with the JIT spraying attack. The NOP slide is a sequence of no-operation instructions on Intel x86 which lets the CPU's instruction flow slide to the final, desired execution address. In a heap spraying attack, the malicious user fills the heap with a large amount of data of the form NOP + SHELLCODE; by doing this the chance of successful shellcode execution is dramatically increased.

Fig. 10. Heap spraying [Jalayeri]
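Added example, not from the paper or the cited talk: a detection heuristic in C for sprayed heap blocks of the NOP + SHELLCODE shape just described. Since such a block is mostly NOP sled, a memory scanner can flag regions whose longest run of 0x90 bytes and overall NOP density exceed thresholds. The thresholds, the sample block and the function names are this example's assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not from the paper: a simple heap-spray indicator. Sprayed
 * blocks are mostly NOP sled (0x90 on x86) with a small payload at the end, so
 * the longest run of NOP bytes and the fraction of NOP bytes in a region give a
 * cheap heuristic of the kind a memory scanner might use. The thresholds used
 * in main() are the author's assumptions, not measured values. */

#define X86_NOP 0x90

/* Longest run of consecutive NOP bytes in the region. */
size_t longest_nop_run(const unsigned char *mem, size_t len)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (mem[i] == X86_NOP) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* Fraction of bytes that are NOPs, in parts per thousand (integer math). */
unsigned nop_density_permille(const unsigned char *mem, size_t len)
{
    size_t count = 0;
    for (size_t i = 0; i < len; i++)
        if (mem[i] == X86_NOP) count++;
    return len ? (unsigned)((count * 1000) / len) : 0;
}

/* Heuristic verdict: 1 = looks like a sprayed block, 0 = does not. Both the
 * run length and the density must pass, so a short NOP-padded function in
 * ordinary code does not trip the run test on its own. */
int looks_like_spray(const unsigned char *mem, size_t len,
                     size_t min_run, unsigned min_permille)
{
    return longest_nop_run(mem, len) >= min_run &&
           nop_density_permille(mem, len) >= min_permille;
}

/* Constructed sample: 'sled' NOP bytes followed by 'tail' bytes of letter
 * filler, standing in for a payload without being one. Returns bytes written. */
size_t build_sample(unsigned char *out, size_t cap, size_t sled, size_t tail)
{
    size_t n = 0;
    for (; n < sled && n < cap; n++) out[n] = X86_NOP;
    for (size_t t = 0; t < tail && n < cap; t++, n++) out[n] = (unsigned char)('A' + (t % 26));
    return n;
}

int main(void)
{
    unsigned char block[4096];
    size_t n = build_sample(block, sizeof block, 4000, 96);     /* sprayed-looking block */
    const unsigned char *text = (const unsigned char *)"The quick brown fox jumps over the lazy dog";

    printf("sample block: longest run %zu, density %u/1000, spray=%d\n",
           longest_nop_run(block, n), nop_density_permille(block, n),
           looks_like_spray(block, n, 256, 900));
    printf("plain text:   longest run %zu, density %u/1000, spray=%d\n",
           longest_nop_run(text, 43), nop_density_permille(text, 43),
           looks_like_spray(text, 43, 256, 900));
    return 0;
}
```

A scanner that only looked for shellcode signatures would miss a freshly encoded payload; looking for the sled, which the technique cannot do without, is the more robust indicator.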

The main principle of this technique is to take advantage of the JIT compiler. Because code generated by a JIT compiler is stored in memory as executable, the DEP module in Windows does not hinder the process. In this way DEP is bypassed, leaving only the ASLR protection. Unfortunately, the code generated by the JIT allows the attacker to make a reliable prediction, so ASLR is no longer functional either. [Bania 2010] The JIT compiles run-time executable code, which is used heavily in Flash videos, so it does not offer some low-level functions. To overcome this, Dion Blazakis proposed using many XOR operations to transform the bytecode into low-level executable code. As a result, attackers spray a number of NOP slides, XOR commands and their shellcode into memory and manage to perform the attack. The JIT spraying attack places the malicious code on the same pages where the VM executes legitimate code, and two main points are involved in JIT execution: the code compilation point and the code execution point. A JIT defender against JIT spraying attacks has been proposed. The main idea is to enforce W⊕X protection within the VM by marking the native code pages non-executable at the first point and changing them back to executable when the JIT code needs to be executed (the second point). After execution, the pages are marked non-executable again for the next compilation. Thereafter, attempts to manipulate the control flow to perform the JIT spraying attack are prevented by the non-executable protection. However, application performance is an issue to consider when implementing the JIT defender: if a program has many function chunks, performance overhead occurs in the JIT VM. The proposal of this defender indicates that the net performance overhead is from 0.1% to 3.5% depending on the type of VM. [Ping Chen 2011]
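Added example (not from the paper and not JITDefender's code): the W⊕X page-state discipline described above, modelled on POSIX mmap/mprotect in C. A JIT code region is writable at the compilation point and executable at the execution point, never both at once. It assumes a Linux or other POSIX system; the region's contents are constructed filler and are never executed, and the wx_* names are this example's own.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example, not from the paper and not JITDefender's code: the W^X
 * discipline the text describes, modelled with POSIX mmap/mprotect. A JIT code
 * region is writable while code is being emitted (the compilation point) and
 * executable while it runs (the execution point), never both at once. Linux or
 * another POSIX system is assumed; nothing in the region is executed here. */

size_t wx_page_size(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

/* Policy gate: a protection that is both writable and executable is refused. */
int wx_policy_allows(int prot)
{
    return !((prot & PROT_WRITE) && (prot & PROT_EXEC));
}

/* Allocate a page-aligned code region in its compile state (RW). NULL on failure. */
void *wx_region_alloc(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Change the region's state through the policy gate. 0 on success; -1 with
 * errno = EPERM when the policy refuses, or mprotect's errno on failure. */
int wx_region_set(void *p, size_t len, int prot)
{
    if (!wx_policy_allows(prot)) {
        errno = EPERM;
        return -1;
    }
    return mprotect(p, len, prot);
}

/* One compile/execute/compile cycle. Returns 0 if every transition succeeded.
 * The bytes written are constructed filler (0xCC), not machine code that runs. */
int wx_cycle(size_t len)
{
    void *region = wx_region_alloc(len);
    if (!region)
        return -1;
    memset(region, 0xCC, len);                                        /* compile point: RW */
    int rc = wx_region_set(region, len, PROT_READ | PROT_EXEC);       /* execution point: RX */
    if (rc == 0)
        rc = wx_region_set(region, len, PROT_READ | PROT_WRITE);      /* back to RW for the next compile */
    munmap(region, len);
    return rc;
}

int main(void)
{
    size_t len = wx_page_size();
    printf("RWX request allowed by policy: %d\n",
           wx_policy_allows(PROT_READ | PROT_WRITE | PROT_EXEC));
    printf("RW -> RX -> RW cycle result:   %d\n", wx_cycle(len));
    return 0;
}
```

The cost the text mentions is visible in wx_cycle(): every switch between the compile and execute states is an mprotect() call, so a VM with many small JIT-compiled chunks pays that system call often, which is where the 0.1% to 3.5% overhead comes from.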

4. CONCLUSION

Based on what we have discussed in the previous sections, it is clear that modern computers are massively exposed to buffer overflow exploitation. However, the problem is not likely to be eradicated, due to the foundations of computer architecture, so the most feasible way is to develop effective mechanisms to mitigate and prevent the problem. In fact, during the past decades many memory protection mechanisms have been developed by computer security specialists, but the performance of most of them was not satisfying. One factor compromising their efficiency could be technical weakness. From the surveys of current memory protections, there is no doubt that every mechanism has weaknesses that allow attackers to conquer or bypass it. Take the non-executable stack for instance: it was claimed to be an effective method to cope with stack overflow attacks, but it was later reported to be bypassed by specific methods (such as return-to-libc). Meanwhile, people's understanding of the problem affects the issue. Relevant programming flaws could be largely mitigated by many different methods (run-time checks for example) and tools nowadays, but for various reasons a large number of programs have not been carefully verified during their development. Similarly, many of the defensive mechanisms are not properly implemented, which allows the vulnerability to keep threatening computer security. Among the commonly used memory protections, ASLR together with DEP is considered the most effective countermeasure. However, several corresponding bypassing techniques have been devised by malicious attackers, and some of them (especially JIT spraying) seriously deteriorate the situation. Apart from the endeavours of the hackers, many software providers could be considered responsible. Microsoft has promoted the combination of DEP and ASLR for years, but it is still not extensively and fully supported, which leads to unintended exploitation. At the same time, most computer users are not experts; they may have no clue about buffer overflows and the importance of defence. DEP and ASLR are relatively unfamiliar topics to general users; yet in Windows Vista, users must trigger them to make them effective, which in other words means they are disabled by default. Fortunately, many upgraded variants of ASLR have been introduced; although each has its own features, they all significantly increase the efficiency of ASLR, especially in mitigating specific bypassing techniques.
In conclusion, before security specialists are able to come up with a better solution, DEP and ASLR are currently regarded as eective, if participants (software provider, developers and general users) can acknowledge issue properly.
