Introduction
Know thy enemy.
Understanding attacks that exploit the lack of memory safety in programs is vital to understanding the different types of memory safety as well as the tradeoffs between enforcing one kind of memory safety over another. Not all memory safety techniques are created equal.
Below are papers that describe how attacks exploit memory safety errors. Be sure to use them for research and not for "fun and profit."
Memory Safety Exploit Papers
-
Out of Control: Overcoming Control-Flow Integrity
Enes Göktaş, Elias Athanasopoulos, Herbert Bos, and Georgios Portokalidis
Proceedings of the Thirty Fifth IEEE Symposium on Security and Privacy (Oakland 2014), San Jose, CA, May 2014.
-
Framing Signals - A Return to Portable Shellcode
Erik Bosman and Herbert Bos
Proceedings of the Thirty Fifth IEEE Symposium on Security and Privacy (Oakland 2014), San Jose, CA, May 2014.
-
Hacking Blind
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, and Dan Boneh
Proceedings of the Thirty Fifth IEEE Symposium on Security and Privacy (Oakland 2014), San Jose, CA, May 2014.
-
On the Expressiveness of Return-into-libc Attacks
Minh Tran, Mark Etheridge, Tyler Bletsch, Xuxian Jiang, Vincent Freeh, and Peng Ning
Proceedings of the Fourteenth International Conference on Recent Advances in Intrusion Detection (RAID 2011), Menlo Park, CA, September 2011.
-
Q: Exploit Hardening Made Easy
Edward J. Schwartz, Thanassis Avgerinos, and David Brumley
Proceedings of the Twentieth USENIX Security Symposium, San Francisco, CA, August 2011.
-
Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms
Ralf Hund, Thorsten Holz, and Felix C. Freiling
Proceedings of the Eighteenth USENIX Security Symposium, Montreal, Canada, August 2009.
-
Breaking the Memory Secrecy Assumption
Raoul Strackx, Yves Younan, Pieter Philippaerts, Frank Piessens, Sven Lachmund, and Thomas Walter
Proceedings of the Second European Workshop on System Security, Nuremberg, Germany, March 2009.
-
The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
Hovav Shacham
Proceedings of the Fourteenth ACM Conference on Computer and Communications Security, October 2007.
-
Dangling Pointer: Smashing the Pointer for Fun and Profit
Jonathan Afek and Adi Sharabani
Whitepaper, 2007.
-
Non-Control-Data Attacks Are Realistic Threats
Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer
Proceedings of the Fourteenth USENIX Security Symposium, Baltimore, MD, August 2005.
-
On the Effectiveness of Address-Space Randomization
Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh
Proceedings of the Eleventh ACM Conference on Computer and Communications Security (CCS 2005), Washington, D.C., October 2004.
-
Advanced return-into-lib(c) exploits (PaX case study)
Nergal
Phrack Volume 11, Issue 58, December 2001.
-
Smashing The Stack For Fun And Profit
Aleph1
Phrack Volume 7, Issue 49, August 11, 1996.