• DocumentCode
    153556
  • Title

    Hacking Blind

  • Author

    Bittau, Andrea ; Belay, Adam ; Mashtizadeh, Ali ; Mazieres, David ; Boneh, Dan

  • fYear
    2014
  • fDate
    18-21 May 2014
  • Firstpage
    227
  • Lastpage
    242
  • Abstract
    We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. We implemented Braille, a fully automated exploit that yielded a shell in under 4,000 requests (20 minutes) against a contemporary nginx vulnerability, yaSSL + MySQL, and a toy proprietary server written by a colleague. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
  • Keywords
    Linux; security of data; Braille; Linux; address space layout randomization; blind ROP attack; nginx vulnerability; no-execute page protection; open-source servers hacking; proprietary closed-binary services hacking; return oriented programming; stack buffer overflow; stack canaries; write system call; Computer crashes; Layout; Libraries; Linux; Registers; Servers; Sockets;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Security and Privacy (SP), 2014 IEEE Symposium on
  • Conference_Location
    San Jose, CA
  • ISSN
    1081-6011
  • Type

    conf

  • DOI
    10.1109/SP.2014.22
  • Filename
    6956567