Detecting Stack Layout Corruptions with Robust Stack Unwinding | SpringerLink

Detecting Stack Layout Corruptions with Robust Stack Unwinding

Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9854)

Abstract

The stack is a critical memory structure for the correct execution of programs because control flow changes through the data stored in it, such as return addresses and function pointers. The stack has therefore been a popular target of many attacks and exploits, such as stack smashing attacks and return-oriented programming (ROP). We present a novel system that detects corruption of the stack layout using a robust stack unwinding technique and detailed stack layouts extracted from the stack unwinding information for exception handling that is widely available in off-the-shelf binaries. Our evaluation with real-world ROP exploits demonstrates successful detection of them with a performance overhead of only 3.93% on average, transparently and without accessing any source code or debugging symbols of the protected binary.

Y. Fu—Work done during an internship at NEC Laboratories America, Princeton.


Notes

  1. SLIck stands for Stack Layout Invariants Checker, named by analogy with fsck.


Acknowledgments

We would like to thank our shepherd, Michalis Polychronakis, and the anonymous reviewers for their insightful comments and feedback. Yangchun Fu and Zhiqiang Lin were supported in part by the AFOSR grant no. FA9550-14-1-0173 and the NSF award no. 1453011. Any opinions, findings, conclusions, or recommendations expressed are those of the authors and do not necessarily reflect the views of any organization.

Author information

Corresponding author: Junghwan Rhee.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Fu, Y., Rhee, J., Lin, Z., Li, Z., Zhang, H., Jiang, G. (2016). Detecting Stack Layout Corruptions with Robust Stack Unwinding. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science, vol. 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_4

  • DOI: https://doi.org/10.1007/978-3-319-45719-2_4
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-45718-5
  • Online ISBN: 978-3-319-45719-2
  • eBook Packages: Computer Science, Computer Science (R0)
