TY - GEN
T1 - An Evil Copy
T2 - 24th Annual Network and Distributed System Security Symposium, NDSS 2017
AU - Ge, Xinyang
AU - Payer, Mathias
AU - Jaeger, Trent
N1 - Publisher Copyright:
© 2017 24th Annual Network and Distributed System Security Symposium, NDSS 2017. All Rights Reserved.
PY - 2017
Y1 - 2017
N2 - Dynamic loading is a core feature used on current systems to (i) enable modularity and reuse, (ii) reduce memory footprint by sharing code pages of libraries and executables among processes, and (iii) simplify update procedures by eliminating the need to recompile executables when a library is updated. The Executable and Linkable Format (ELF) is a generic specification that describes how executable programs are stitched together from object files produced from source code to libraries and executables. Programming languages allow fine-grained control over variables, including access and memory protections, so programmers may write defense mechanisms assuming that the permissions specified at the source and/or compiler level will hold at runtime. Unfortunately, information about memory protection is lost during compilation. We identify one case that has significant security implications: when instantiating a process, constant external variables that are referenced in executables are forcefully relocated to a writable memory segment without warning. The loader trades security for compatibility due to the lack of memory protection information on the relocated external variables. We call this new attack vector COREV for Copy Relocation Violation. An adversary may use a memory corruption vulnerability to modify such “read-only” constant variables like vtables, function pointers, format strings, and file names to bypass defenses (like FORTIFY_SOURCE or CFI) and to escalate privileges. We have studied all Ubuntu 16.04 LTS packages and found that out of 54,045 packages, 4,570 packages have unexpected copy relocations that change read-only permissions to read-write, presenting new avenues for attack. The attack surface is broad with 29,817 libraries exporting relocatable read-only variables. The set of 6,399 programs with actual copy relocation violations includes ftp servers, apt-get, and gettext. We discuss the cause, effects, and a set of possible mitigation strategies for the COREV attack vector.
AB - Dynamic loading is a core feature used on current systems to (i) enable modularity and reuse, (ii) reduce memory footprint by sharing code pages of libraries and executables among processes, and (iii) simplify update procedures by eliminating the need to recompile executables when a library is updated. The Executable and Linkable Format (ELF) is a generic specification that describes how executable programs are stitched together from object files produced from source code to libraries and executables. Programming languages allow fine-grained control over variables, including access and memory protections, so programmers may write defense mechanisms assuming that the permissions specified at the source and/or compiler level will hold at runtime. Unfortunately, information about memory protection is lost during compilation. We identify one case that has significant security implications: when instantiating a process, constant external variables that are referenced in executables are forcefully relocated to a writable memory segment without warning. The loader trades security for compatibility due to the lack of memory protection information on the relocated external variables. We call this new attack vector COREV for Copy Relocation Violation. An adversary may use a memory corruption vulnerability to modify such “read-only” constant variables like vtables, function pointers, format strings, and file names to bypass defenses (like FORTIFY_SOURCE or CFI) and to escalate privileges. We have studied all Ubuntu 16.04 LTS packages and found that out of 54,045 packages, 4,570 packages have unexpected copy relocations that change read-only permissions to read-write, presenting new avenues for attack. The attack surface is broad with 29,817 libraries exporting relocatable read-only variables. The set of 6,399 programs with actual copy relocation violations includes ftp servers, apt-get, and gettext. We discuss the cause, effects, and a set of possible mitigation strategies for the COREV attack vector.
UR - http://www.scopus.com/inward/record.url?scp=85061243098&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85061243098&partnerID=8YFLogxK
U2 - 10.14722/ndss.2017.23199
DO - 10.14722/ndss.2017.23199
M3 - Conference contribution
AN - SCOPUS:85061243098
T3 - 24th Annual Network and Distributed System Security Symposium, NDSS 2017
BT - 24th Annual Network and Distributed System Security Symposium, NDSS 2017
PB - The Internet Society
Y2 - 26 February 2017 through 1 March 2017
ER -