Exploitation Technique


The Experts below are selected from a list of 32262 Experts worldwide ranked by ideXlab platform

Angelos D Keromytis - One of the best experts on this subject based on the ideXlab platform.

  • From the Aether to the Ethernet: Attacking the Internet Using Broadcast Digital Television
    USENIX Security Symposium, 2014
    Co-Authors: Yossef Oren, Angelos D Keromytis
    Abstract:

    In the attempt to bring modern broadband Internet features to traditional broadcast television, the Digital Video Broadcasting (DVB) consortium introduced a specification called Hybrid Broadcast-Broadband Television (HbbTV), which allows broadcast streams to include embedded HTML content which is rendered by the television. This system is already in very wide deployment in Europe, and has recently been adopted as part of the American digital television standard. Our analyses of the specifications, and of real systems implementing them, show that the broadband and broadcast systems are combined insecurely. This enables a large-scale exploitation technique with a localized geographical footprint based on radio frequency (RF) injection, which requires a minimal budget and infrastructure and is remarkably difficult to detect. Despite our responsible disclosure to the standards body, our attack was viewed as too expensive and with limited pay-off to the attackers. In this paper, we present the attack methodology and a number of follow-on exploitation techniques that provide significant flexibility to attackers. Furthermore, we demonstrate that the technical complexity and required budget are low, making this attack practical and realistic, especially in areas with high population density - in a dense urban area, an attacker with a budget of about $450 can target more than 20,000 devices in a single attack. A unique aspect of this attack is that, in contrast to most Internet of Things/Cyber-Physical System threat scenarios where the attack comes from the data network side and affects the physical world, our attack uses the physical broadcast network to attack the data network.

  • Transparent ROP Exploit Mitigation Using Indirect Branch Tracing
    USENIX Security Symposium, 2013
    Co-Authors: Vasilis Pappas, Michalis Polychronakis, Angelos D Keromytis
    Abstract:

    Return-oriented programming (ROP) has become the primary exploitation technique for system compromise in the presence of non-executable page protections. ROP exploits are facilitated mainly by the lack of complete address space randomization coverage or the presence of memory disclosure vulnerabilities, necessitating additional ROP-specific mitigations. In this paper we present a practical runtime ROP exploit prevention technique for the protection of third-party applications. Our approach is based on the detection of abnormal control transfers that take place during ROP code execution. This is achieved using hardware features of commodity processors, which incur negligible runtime overhead and allow for completely transparent operation without requiring any modifications to the protected applications. Our implementation for Windows 7, named kBouncer, can be selectively enabled for installed programs in the same fashion as user-friendly mitigation toolkits like Microsoft's EMET. The results of our evaluation demonstrate that kBouncer has low runtime overhead of up to 4%, when stressed with specially crafted workloads that continuously trigger its core detection component, while it has negligible overhead for actual user applications. In our experiments with in-the-wild ROP exploits, kBouncer successfully protected all tested applications, including Internet Explorer, Adobe Flash Player, and Adobe Reader.

Engin Kirda - One of the best experts on this subject based on the ideXlab platform.

  • G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries
    Annual Computer Security Applications Conference, 2010
    Co-Authors: Kaan Onarlioglu, Leyla Bilge, Andrea Lanzi, Davide Balzarotti, Engin Kirda
    Abstract:

    Despite the numerous prevention and protection mechanisms that have been introduced into modern operating systems, the exploitation of memory corruption vulnerabilities still represents a serious threat to the security of software systems and networks. A recent exploitation technique, called Return-Oriented Programming (ROP), has lately attracted considerable attention from academia. Past research on the topic has mostly focused on refining the original attack technique, or on proposing partial solutions that target only particular variants of the attack. In this paper, we present G-Free, a compiler-based approach that represents the first practical solution against any possible form of ROP. Our solution is able to eliminate all unaligned free-branch instructions inside a binary executable, and to protect the aligned free-branch instructions to prevent them from being misused by an attacker. We developed a prototype based on our approach, and evaluated it by compiling GNU libc and a number of real-world applications. The results of the experiments show that our solution is able to prevent any form of return-oriented programming.

David Wagner - One of the best experts on this subject based on the ideXlab platform.

  • ROP is Still Dangerous: Breaking Modern Defenses
    USENIX Security Symposium, 2014
    Co-Authors: Nicholas Carlini, David Wagner
    Abstract:

    Return Oriented Programming (ROP) has become the exploitation technique of choice for modern memory-safety vulnerability attacks. Recently, there have been multiple attempts at defenses to prevent ROP attacks. In this paper, we introduce three new attack methods that break many existing ROP defenses. Then we show how to break kBouncer and ROPecker, two recent low-overhead defenses that can be applied to legacy software on existing hardware. We examine several recent ROP attacks seen in the wild and demonstrate that our techniques successfully cloak them so they are not detected by these defenses. Our attacks apply to many CFI-based defenses which we argue are weaker than previously thought. Future defenses will need to take our attacks into account.

Kaan Onarlioglu - One of the best experts on this subject based on the ideXlab platform.

  • G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries
    Annual Computer Security Applications Conference, 2010
    Co-Authors: Kaan Onarlioglu, Leyla Bilge, Andrea Lanzi, Davide Balzarotti, Engin Kirda

Nicholas Carlini - One of the best experts on this subject based on the ideXlab platform.

  • ROP is Still Dangerous: Breaking Modern Defenses
    USENIX Security Symposium, 2014
    Co-Authors: Nicholas Carlini, David Wagner