Abstract
Here we consider common methods that exploit vulnerabilities in (typically non-security) software programs, through abuse of features in programming languages, system architectures, and supporting functionality.
References
M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Control-flow integrity. In ACM Comp. & Comm. Security (CCS), pages 340–353, 2005. Journal version: ACM TISSEC, 2009.
P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. Preventing memory error exploits with WIT. In IEEE Symp. Security and Privacy, pages 263–277, 2008.
Aleph One (Elias Levy). Smashing the stack for fun and profit. In Phrack Magazine. 8 Nov 1996, vol. 7 no. 49, file 14 of 16, http://www.phrack.org.
C. Anley, J. Heasman, F. Lindner, and G. Richarte. The Shellcoder’s Handbook: Discovering and Exploiting Security Holes (2nd edition). Wiley, 2007.
anonymous. Once upon a free()... In Phrack Magazine. 11 Aug 2001, vol. 11 no. 57, file 9 of 18, http://www.phrack.org (for summaries see: Dowd [25, p. 184–186], Aycock [7, p. 119–123]).
K. Ashcraft and D. R. Engler. Using programmer-written compiler extensions to catch security holes. In IEEE Symp. Security and Privacy, pages 143–159, 2002.
J. Aycock. Computer Viruses and Malware. Springer Science+Business Media, 2006.
A. Bessey, K. Block, B. Chelf, A. Chou, B. Fulton, S. Hallem, C. Gros, A. Kamsky, S. McPeak, and D. R. Engler. A few billion lines of code later: using static analysis to find bugs in the real world. Comm. ACM, 53(2):66–75, 2010.
M. Bishop and M. Dilger. Checking for race conditions in file accesses. Computing Systems, 9(2):131–152, 1996.
D. Brumley, D. X. Song, T. Chiueh, R. Johnson, and H. Lin. RICH: Automatically protecting against integer-based vulnerabilities. In Netw. Dist. Sys. Security (NDSS), 2007.
E. Buchanan, R. Roemer, H. Shacham, and S. Savage. When good instructions go bad: generalizing return-oriented programming to RISC. In ACM Comp. & Comm. Security (CCS), pages 27–38, 2008.
N. Burow, S. A. Carr, J. Nash, P. Larsen, M. Franz, S. Brunthaler, and M. Payer. Control-flow integrity: Precision, security, and performance. ACM Computing Surveys, 50(1):16:1–16:33, 2017.
J. Caballero, G. Grieco, M. Marron, and A. Nappa. Undangle: Early detection of dangling pointers in use-after-free and double-free vulnerabilities. In Int’l Symp. Soft. Testing & Anal. (ISSTA), pages 133–143, 2012.
X. Cai, Y. Gui, and R. Johnson. Exploiting Unix file-system races via algorithmic complexity attacks. In IEEE Symp. Security and Privacy, pages 27–44, 2009.
S. Chari, S. Halevi, and W. Z. Venema. Where do you want to go today? Escalating privileges by pathname manipulation. In Netw. Dist. Sys. Security (NDSS), 2010.
H. Chen, D. Dean, and D. A. Wagner. Model checking one million lines of C code. In Netw. Dist. Sys. Security (NDSS), 2004.
H. Chen and D. A. Wagner. MOPS: An infrastructure for examining security properties of software. In ACM Comp. & Comm. Security (CCS), pages 235–244, 2002. See also [16], [48].
M. Conover and w00w00 Security Development (WSD). w00w00 on Heap Overflows. January 1999, http://www.w00w00.org/articles.html.
C. Cowan, M. Barringer, S. Beattie, G. Kroah-Hartman, M. Frantzen, and J. Lokier. FormatGuard: Automatic protection from printf format string vulnerabilities. In USENIX Security, 2001.
C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: Protecting pointers from buffer overflow vulnerabilities. In USENIX Security, 2003.
C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In USENIX Security, 1998.
C. Cowan, P. Wagle, C. Pu, S. Beattie, and J. Walpole. Buffer overflows: Attacks and defenses for the vulnerability of the decade. In DARPA Info. Survivability Conf. and Expo (DISCEX), Jan. 2000.
C. Curtsinger, B. Livshits, B. G. Zorn, and C. Seifert. ZOZZLE: Fast and precise in-browser JavaScript malware detection. In USENIX Security, 2011.
W. Dietz, P. Li, J. Regehr, and V. S. Adve. Understanding integer overflow in C/C++. ACM Trans. Softw. Eng. Methodol., 25(1):2:1–2:29, 2015. Shorter conference version: ICSE 2012.
M. Dowd, J. McDonald, and J. Schuh. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Addison-Wesley, 2006.
D. R. Engler, B. Chelf, A. Chou, and S. Hallem. Checking system rules using system-specific, programmer-written compiler extensions. In Operating Sys. Design & Impl. (OSDI), pages 1–16, 2000.
M. E. Fagan. Design and code inspections to reduce errors in program development. IBM Systems Journal, 15(3):182–211, 1976.
S. Forrest, A. Somayaji, and D. H. Ackley. Building diverse computer systems. In IEEE HotOS, 1997.
S. E. Hallyn and A. G. Morgan. Linux capabilities: making them work. In Linux Symp., July 2008.
V. C. Hamacher, Z. G. Vranesic, and S. G. Zaky. Computer Organization. McGraw-Hill, 1978.
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, 2004.
M. Howard and D. LeBlanc. Writing Secure Code (2nd edition). Microsoft Press, 2002.
M. Howard, D. LeBlanc, and J. Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill, 2009.
T. Jim, J. G. Morrisett, D. Grossman, M. W. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of C. In USENIX Annual Technical Conf., pages 275–288, 2002.
R. Jones and P. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Third International Workshop on Automated Debugging, 1995. Original July 1995 announcement “Bounds Checking for C”, https://www.doc.ic.ac.uk/~phjk/BoundsChecking.html.
B. Kernighan and D. Ritchie. The C Programming Language, 2/e. Prentice-Hall, 1988. (1/e 1978).
A. D. Keromytis. Randomized instruction sets and runtime environments: Past research and future directions. IEEE Security & Privacy, 7(1):18–25, 2009.
J. A. Kupsch and B. P. Miller. How to open a file and not get hacked. In Availability, Reliability and Security (ARES), pages 1196–1203, 2008. Extended version: https://research.cs.wisc.edu/mist/papers/safeopen.pdf.
B. Lee, C. Song, Y. Jang, T. Wang, T. Kim, L. Lu, and W. Lee. Preventing use-after-free with dangling pointers nullification. In Netw. Dist. Sys. Security (NDSS), 2015.
J. Mason, S. Small, F. Monrose, and G. MacManus. English shellcode. In ACM Comp. & Comm. Security (CCS), pages 524–533, 2009.
S. McClure, J. Scambray, and G. Kurtz. Hacking Exposed 6: Network Security Secrets and Solutions (6th edition). McGraw-Hill, 2009.
T. C. Miller and T. de Raadt. strlcpy and strlcat - consistent, safe, string copy and concatenation. In USENIX Annual Technical Conf., pages 175–178, 1999. FREENIX track.
mudge (Peiter Zatko). How to write Buffer Overflows. 20 Oct 1995, available online.
G. C. Necula, J. Condit, M. Harren, S. McPeak, and W. Weimer. CCured: type-safe retrofitting of legacy software. ACM Trans. Program. Lang. Syst., 27(3):477–526, 2005.
M. Payer and T. R. Gross. Protecting applications against TOCTTOU races by user-space caching of file metadata. In Virtual Execution Environments (VEE), pages 215–226, 2012.
P. Ratanaworabhan, V. B. Livshits, and B. G. Zorn. NOZZLE: A defense against heap-spraying code injection attacks. In USENIX Security, pages 169–186, 2009.
R. Roemer, E. Buchanan, H. Shacham, and S. Savage. Return-oriented programming: Systems, languages, and applications. ACM Trans. Inf. Systems and Security, 15(1):2:1–2:34, 2012.
B. Schwarz, H. Chen, D. A. Wagner, J. Lin, W. Tu, G. Morrison, and J. West. Model checking an entire Linux distribution for security violations. In Annual Computer Security Applications Conf. (ACSAC), pages 13–22, 2005.
scut / team teso. Exploiting Format String Vulnerabilities (version 1.2). 1 Sept 2001, online; follows a Dec. 2000 Chaos Communication Congress talk, https://events.ccc.de/congress/.
H. Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In ACM Comp. & Comm. Security (CCS), pages 552–561, 2007.
H. Shacham, M. Page, B. Pfaff, E. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In ACM Comp. & Comm. Security (CCS), pages 298–307, 2004.
U. Shankar, K. Talwar, J. S. Foster, and D. A. Wagner. Detecting format string vulnerabilities with type qualifiers. In USENIX Security, 2001.
S. Silvestro, H. Liu, T. Liu, Z. Lin, and T. Liu. Guarder: A tunable secure allocator. In USENIX Security, pages 117–133, 2018. See also “FreeGuard” (CCS 2017) for heap allocator background.
R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. W. Streilein. Systematic analysis of defenses against return-oriented programming. In Research in Attacks, Intrusions, Defenses (RAID), 2013.
Solar Designer. “return-to-libc” attack. Bugtraq, Aug. 1997.
A. Sotirov. Bypassing memory protections: The future of exploitation. USENIX Security (talk), 2009. https://www.usenix.org/legacy/events/sec09/tech/slides/sotirov.pdf, video online.
L. Szekeres, M. Payer, T. Wei, and R. Sekar. Eternal war in memory. IEEE Security & Privacy, 12(3):45–53, 2014. Longer systematization (fourth author D. Song) in IEEE Symp. Sec. and Priv. 2013.
A. S. Tanenbaum. Modern Operating Systems (3rd edition). Pearson Prentice Hall, 2008.
D. Tsafrir, T. Hertz, D. Wagner, and D. D. Silva. Portably solving file TOCTTOU races with hardness amplification. In USENIX File and Storage Tech. (FAST), 2008. Also: ACM Trans. on Storage, 2008.
E. Tsyrklevich and B. Yee. Dynamic detection and prevention of race conditions in file accesses. In USENIX Security, 2003.
V. van der Veen, N. Dutt-Sharma, L. Cavallaro, and H. Bos. Memory errors: The past, the present, and the future. In Research in Attacks, Intrusions, Defenses (RAID), pages 86–106, 2012.
J. Viega and G. McGraw. Building Secure Software. Addison-Wesley, 2001.
H. Vijayakumar, J. Schiffman, and T. Jaeger. STING: Finding name resolution vulnerabilities in programs. In USENIX Security, pages 585–599, 2012. See also Vijayakumar, Ge, Payer, Jaeger, “JIGSAW: Protecting resource access by inferring programmer expectations”, USENIX Security 2014.
D. A. Wagner, J. S. Foster, E. A. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Netw. Dist. Sys. Security (NDSS), 2000.
J. Wilander and M. Kamkar. A comparison of publicly available tools for dynamic buffer overflow prevention. In Netw. Dist. Sys. Security (NDSS), 2003.
G. Wurster and J. Ward. Towards efficient dynamic integer overflow detection on ARM processors. Technical report, BlackBerry Limited, Apr. 2016.
Copyright information
© 2021 The Author(s)
Cite this chapter
van Oorschot, P.C. (2021). Software Security—Exploits and Privilege Escalation. In: Computer Security and the Internet. Information Security and Cryptography. Springer, Cham. https://doi.org/10.1007/978-3-030-83411-1_6
DOI: https://doi.org/10.1007/978-3-030-83411-1_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-83410-4
Online ISBN: 978-3-030-83411-1
eBook Packages: Computer Science (R0)