Just-In-Time Code Reuse: The More Things Change, the More They Stay the Same

Presented at Black Hat USA 2013, July 31, 2013, 11:45 a.m. (60 minutes)

Fine-grained address space layout randomization (ASLR) has recently been proposed as a method of efficiently mitigating runtime attacks. In this presentation, we introduce the design and implementation of a framework based on a novel attack strategy, dubbed just-in-time code reuse, which both undermines the benefits of fine-grained ASLR and greatly enhances the ease of exploit development on today's platforms that combine standard ASLR and DEP (e.g. Windows 8). Specifically, we derail the assumptions embodied in fine-grained ASLR by exploiting the ability to repeatedly abuse a memory disclosure to map an application's memory layout on-the-fly, dynamically discover API functions and gadgets, and JIT-compile a target program using those gadgets-- all within a script environment at the time an exploit is launched. We demonstrate the power of our framework by using it in conjunction with a real-world exploit against Internet Explorer, show its effectiveness in Windows 8, and also provide extensive evaluations that demonstrate the practicality of just-in-time code reuse attacks. Our findings suggest that fine-grained ASLR may not be as promising as first thought.

Presenters:

• Lucas Davi - ICRI-SC
  Lucas Davi is a research assistant at the Intel Collaborative Research Institute for Secure Computing (ICRI-SC) at Technische Universität Darmstadt, Germany, Germany. He received his MSc in IT-Security from Ruhr-University Bochum, Germany. His current research focuses on runtime attacks such as return-oriented programming (ROP) for ARM and Intel based systems. He is working on new attack methods and countermeasures against runtime attacks. His further research areas include mobile operating system security and Trusted Computing.
• Kevin Snow
  I am a Ph.D. candidate in the Computer Science department at the University of North Carolina at Chapel Hill under the advisement of Dr. Fabian Monrose. Prior to my studies at UNC, I spent 2 years at the Johns Hopkins Applied Physics Lab (JHU/APL) in the applied information sciences department (AISD). And before that I received Master's degrees in Computer Science and Information Security at Johns Hopkins University, and my Bachelor's at North Carolina State University. More recently (Summers of 2011 and 2012), I have had the privilege of working on the Safe Browsing Initiative with Google's Security Team. My research interests are in computer and network security. I have recently been exploring efficient methods for detecting and diagnosing so-called code-injection attacks which has resulted in the development of a custom operating system, ShellOS, that is capable of taking arbitrary inputs (e.g. network streams, buffers from process memory) and executing them as potential code to determine if they are part of a code-injection attack. I have also been involved with the analysis of information leakage in encrypted Voice-over-IP traffic, and work exploring methods for hardware virtualization introspection to support forensic analysis.

Links:

• https://www.blackhat.com/us-13/archives.html#Snow
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2013/video/Black Hat 2013 - Just-In-Time Code Reuse - The More Things Change, the More They Stay the Same.mp4
• https://www.youtube.com/watch?v=dkZ9zdSRQYM
• https://media.blackhat.com/us-13/US-13-Snow-Just-In-Time-Code-Reuse-Slides.pdf

Similar Presentations:

• DEF CON 23 (2015) / Drinking from LETHE: New methods of exploiting and mitigating memory corruption vulnerabilities
• Black Hat USA 2014 / Abusing Performance Optimization Weaknesses to Bypass ASLR
• DeepSec 2014 „Do you want to know more?“ / On the Effectiveness of Full-ASLR on 64-bit Linux