Introduction

Know thy enemy.

Understanding attacks that exploit the lack of memory safety in programs is vital to understanding the different types of memory safety as well as the tradeoffs between enforcing one kind of memory safety over another. Not all memory safety techniques are created equal.

Below are papers that describe how attacks exploit memory safety errors. Be sure to use them for research and not for "fun and profit."

Memory Safety Exploit Papers

• Out of Control: Overcoming Control-Flow Integrity
  Enes Göktaş, Elias Athanasopoulos, Herbert Bos, and Georgios Portokalidis
  Proceedings of the Thirty Fifth IEEE Symposium on Security and Privacy (Oakland 2014) , San Jose, CA, May 2014.
  


• Framing Signals - A Return to Portable Shellcode
  Erik Bosman and Herbert Bos
  Proceedings of the Thirty Fifth IEEE Symposium on Security and Privacy (Oakland 2014) , San Jose, CA, May 2014.
  


• Hacking Blind
  Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, and Dan Boneh
  Proceedings of the Thirty Fifth IEEE Symposium on Security and Privacy (Oakland 2014) , San Jose, CA, May 2014.
  


• On the Expressiveness of Return-into-libc Attacks
  Minh Tran, Mark Etheridge, Tyler Bletsch, Xuxian Jiang, Vincent Freeh, and Peng Ning
  Proceedings of the Fourteenth International Conference on Recent Advances in Intrusion Detection (RAID 2011) , Menlo Park, CA, September 2011.
  


• Q: Exploit Hardening Made Easy
  Edward J. Schwartz, Thanassis Avgerinos, and David Brumley
  Proceedings of the Twentieth USENIX Security Symposium, San Francisco, CA, August 2011.
  


• Return-Oriented Rookits: Bypassing Kernel Code Integrity Protection Mechanisms
  Ralf Hund, Thorsten Holz, and Felix C. Freiling
  Proceedings of the Eighteenth USENIX Security Symposium, Montreal, Canada, August 2009.
  


• Breaking the Memory Secrecy Assumption
  Raoul Strackx, Yves Younan, Pieter Philippaerts, Frank Piessens, Sven Lachmund, and Thomas Walter
  Proceedings of the Second European Workshop on System Security, Nuremburg, Germany, March 2009.
  


• The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
  Hovav Shacham
  Proceedings of the Fourteenth ACM Conference on Computer and Communications Security, October 2007.
  


• Dangling Pointer: Smashing the Pointer for Fun and Profit
  Jonathan Afek and Adi Sharabani
  Whitepaper, 2007.
  


• Non-Control-Data Attacks Are Realistic Threats
  Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer
  Proceedings of the Fourteenth USENIX Security Symposium, Baltimore, MD, August 2005.


• On the Effectiveness of Address-Space Randomization
  Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh
  Proceedings of the Eleventh ACM conference on Computer and Communications Security (CCS 2005), Washington, D.C., October 2004.


• Advanced return-into-lib(c) exploits (PaX case study)
  Nergal
  Phrack Volume 11, Issue 58 December 2001.


• Smashing The Stack For Fun And Profit
  Aleph1
  Phrack Volume 7, Issue 49, August 11, 1996.

General

Menageries

University of Illinois