return-to-csu: a new method to bypass 64-bit Linux ASLR

Hector Marco-Gisbert, Ismael Ripoll

Research output: Contribution to conferencePaper

Abstract

In this paper, we will present "return-to-csu" - a new method to bypass the ASLR in 64-bit Linux systems. The method is generic, since it does not use the compiled code from the target application but code that is always "silently attached" to it. This, in practice, means that our attack can be applied to any application. We will present our analysis, which reveals who is attaching this "extra code" to the executable memory (not to the shared libraries memory region) and why this code can not be easily protected/removed by application developers.

Although the idea of incremental compilation to do less work sounds generally good, it could raise some security issues. Having code which is not re-compiled could result in old or less protected code that can be abused by attackers. As a proof of that, we will present an attack abusing this extra code to bypass the ASLR in 64-bit Linux systems.

We will briefly describe the code that is out of the developers control, showing why it is "unsafe" and how it can be abused finding that there are enough assembler instructions that can be used to created what we named "return-to-csu" - a method to bypass the full Linux ASLR in 64-bit systems in a reliable, fast and generic way.

We will disclose the exploit and a live proof of concept using the return-to-csu method to obtain a shell in less than 1 second. The attack works on PIE and non-PIE applications as well as on hardened (PaX) systems. To make it more realistic, in the demonstration we will also bypass the NX, SSP, RELRO and other protections. To illustrate the method we will exploit, we will use a classic stack buffer overflow showing that a stack buffer overflow is synonymous of having a remote shell even in current 64-bit full protected application in most of the cases.

Finally, we will discuss the root cause and provide some recommendations to prevent the return-to-csu attack.

Conference

ConferenceBlack Hat Asia 2018
Abbreviated titleBlack Hat
CountrySingapore
CitySingapore
Period20/03/1823/03/18
Internet address

Fingerprint

Data storage equipment
Demonstrations
Linux
Acoustic waves

Keywords

  • ASLR
  • Linux
  • Security

Cite this

Marco-Gisbert, H., & Ripoll, I. (2018). return-to-csu: a new method to bypass 64-bit Linux ASLR. Paper presented at Black Hat Asia 2018, Singapore, Singapore.
Marco-Gisbert, Hector ; Ripoll, Ismael. / return-to-csu : a new method to bypass 64-bit Linux ASLR. Paper presented at Black Hat Asia 2018, Singapore, Singapore.24 p.
@conference{24b0c3a8cc7f46388bc01aeb5f87d717,
title = "return-to-csu: a new method to bypass 64-bit Linux ASLR",
abstract = "In this paper, we will present {"}return-to-csu{"} - a new method to bypass the ASLR in 64-bit Linux systems. The method is generic, since it does not use the compiled code from the target application but code that is always {"}silently attached{"} to it. This, in practice, means that our attack can be applied to any application. We will present our analysis, which reveals who is attaching this {"}extra code{"} to the executable memory (not to the shared libraries memory region) and why this code can not be easily protected/removed by application developers.Although the idea of incremental compilation to do less work sounds generally good, it could raise some security issues. Having code which is not re-compiled could result in old or less protected code that can be abused by attackers. As a proof of that, we will present an attack abusing this extra code to bypass the ASLR in 64-bit Linux systems.We will briefly describe the code that is out of the developers control, showing why it is {"}unsafe{"} and how it can be abused finding that there are enough assembler instructions that can be used to created what we named {"}return-to-csu{"} - a method to bypass the full Linux ASLR in 64-bit systems in a reliable, fast and generic way.We will disclose the exploit and a live proof of concept using the return-to-csu method to obtain a shell in less than 1 second. The attack works on PIE and non-PIE applications as well as on hardened (PaX) systems. To make it more realistic, in the demonstration we will also bypass the NX, SSP, RELRO and other protections. To illustrate the method we will exploit, we will use a classic stack buffer overflow showing that a stack buffer overflow is synonymous of having a remote shell even in current 64-bit full protected application in most of the cases.Finally, we will discuss the root cause and provide some recommendations to prevent the return-to-csu attack.",
keywords = "ASLR, Linux, Security",
author = "Hector Marco-Gisbert and Ismael Ripoll",
year = "2018",
month = "3",
day = "20",
language = "English",
note = "Black Hat Asia 2018, Black Hat ; Conference date: 20-03-2018 Through 23-03-2018",
url = "https://www.blackhat.com/asia-18/",

}

Marco-Gisbert, H & Ripoll, I 2018, 'return-to-csu: a new method to bypass 64-bit Linux ASLR' Paper presented at Black Hat Asia 2018, Singapore, Singapore, 20/03/18 - 23/03/18, .

return-to-csu : a new method to bypass 64-bit Linux ASLR. / Marco-Gisbert, Hector; Ripoll, Ismael.

2018. Paper presented at Black Hat Asia 2018, Singapore, Singapore.

Research output: Contribution to conferencePaper

TY - CONF

T1 - return-to-csu

T2 - a new method to bypass 64-bit Linux ASLR

AU - Marco-Gisbert,Hector

AU - Ripoll,Ismael

PY - 2018/3/20

Y1 - 2018/3/20

N2 - In this paper, we will present "return-to-csu" - a new method to bypass the ASLR in 64-bit Linux systems. The method is generic, since it does not use the compiled code from the target application but code that is always "silently attached" to it. This, in practice, means that our attack can be applied to any application. We will present our analysis, which reveals who is attaching this "extra code" to the executable memory (not to the shared libraries memory region) and why this code can not be easily protected/removed by application developers.Although the idea of incremental compilation to do less work sounds generally good, it could raise some security issues. Having code which is not re-compiled could result in old or less protected code that can be abused by attackers. As a proof of that, we will present an attack abusing this extra code to bypass the ASLR in 64-bit Linux systems.We will briefly describe the code that is out of the developers control, showing why it is "unsafe" and how it can be abused finding that there are enough assembler instructions that can be used to created what we named "return-to-csu" - a method to bypass the full Linux ASLR in 64-bit systems in a reliable, fast and generic way.We will disclose the exploit and a live proof of concept using the return-to-csu method to obtain a shell in less than 1 second. The attack works on PIE and non-PIE applications as well as on hardened (PaX) systems. To make it more realistic, in the demonstration we will also bypass the NX, SSP, RELRO and other protections. To illustrate the method we will exploit, we will use a classic stack buffer overflow showing that a stack buffer overflow is synonymous of having a remote shell even in current 64-bit full protected application in most of the cases.Finally, we will discuss the root cause and provide some recommendations to prevent the return-to-csu attack.

AB - In this paper, we will present "return-to-csu" - a new method to bypass the ASLR in 64-bit Linux systems. The method is generic, since it does not use the compiled code from the target application but code that is always "silently attached" to it. This, in practice, means that our attack can be applied to any application. We will present our analysis, which reveals who is attaching this "extra code" to the executable memory (not to the shared libraries memory region) and why this code can not be easily protected/removed by application developers.Although the idea of incremental compilation to do less work sounds generally good, it could raise some security issues. Having code which is not re-compiled could result in old or less protected code that can be abused by attackers. As a proof of that, we will present an attack abusing this extra code to bypass the ASLR in 64-bit Linux systems.We will briefly describe the code that is out of the developers control, showing why it is "unsafe" and how it can be abused finding that there are enough assembler instructions that can be used to created what we named "return-to-csu" - a method to bypass the full Linux ASLR in 64-bit systems in a reliable, fast and generic way.We will disclose the exploit and a live proof of concept using the return-to-csu method to obtain a shell in less than 1 second. The attack works on PIE and non-PIE applications as well as on hardened (PaX) systems. To make it more realistic, in the demonstration we will also bypass the NX, SSP, RELRO and other protections. To illustrate the method we will exploit, we will use a classic stack buffer overflow showing that a stack buffer overflow is synonymous of having a remote shell even in current 64-bit full protected application in most of the cases.Finally, we will discuss the root cause and provide some recommendations to prevent the return-to-csu attack.

KW - ASLR

KW - Linux

KW - Security

UR - https://www.blackhat.com/asia-18/briefings.html#return-to-csu-a-new-method-to-bypass-64-bit-linux-aslr

M3 - Paper

ER -

Marco-Gisbert H, Ripoll I. return-to-csu: a new method to bypass 64-bit Linux ASLR. 2018. Paper presented at Black Hat Asia 2018, Singapore, Singapore.