How the Elf ruined Christmas

Alessandro Di Federico, Amat Cama, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceedingConference contribution

9 Scopus citations

Abstract

Throughout the last few decades, computer software has experienced an arms race between exploitation techniques leveraging memory corruption and detection/protection mechanisms. Effective mitigation techniques, such as Address Space Layout Randomization, have significantly increased the difficulty of successfully exploiting a vulnerability. A modern exploit is often two-stage: a first information disclosure step to identify the memory layout, and a second step with the actual exploit. However, because of the wide range of conditions under which memory corruption occurs, retrieving memory layout information from the program is not always possible. In this paper, we present a technique that uses the dynamic loader’s ability to identify the locations of critical functions directly and call them, without requiring an information leak. We identified several fundamental weak points in the design of ELF standard and dynamic loader implementations that can be exploited to resolve and execute arbitrary library functions. Through these, we are able to bypass specific security mitigation techniques, including partial and full RELRO, which are specifically designed to protect ELF data-structures from being co-opted by attackers. We implemented a prototype tool, Leakless, and evaluated it against different dynamic loader implementations, previous attack techniques, and real-life case studies to determine the impact of our findings. Among other implications, Leakless provides attackers with reliable and non-invasive attacks, less likely to trigger intrusion detection systems.

Original languageEnglish (US)
Title of host publicationProceedings of the 24th USENIX Security Symposium
PublisherUSENIX Association
Pages643-658
Number of pages16
ISBN (Electronic)9781931971232
StatePublished - Jan 1 2015
Event24th USENIX Security Symposium - Washington, United States
Duration: Aug 12 2015Aug 14 2015

Publication series

NameProceedings of the 24th USENIX Security Symposium

Conference

Conference24th USENIX Security Symposium
CountryUnited States
CityWashington
Period8/12/158/14/15

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Fingerprint Dive into the research topics of 'How the Elf ruined Christmas'. Together they form a unique fingerprint.

  • Cite this

    Federico, A. D., Cama, A., Shoshitaishvili, Y., Kruegel, C., & Vigna, G. (2015). How the Elf ruined Christmas. In Proceedings of the 24th USENIX Security Symposium (pp. 643-658). (Proceedings of the 24th USENIX Security Symposium). USENIX Association.