Exploiting Array-Out-of-Bounds-Write-Accesses on Linux
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md
distance-matrix-arch-linux.pdf
kirsch-roots-2017-paper.pdf
kirsch-roots-2017-slides.pdf
poster.pdf
simple.py
strong.py

README.md

Wiedergänger

Material

This repository contains supporting material for the paper Dynamic Loader oriented Programming on Linux:

  • The paper itself
  • The slide deck as presented at ROOTS 2017
  • A poster highlighting some details
  • simple.py: A python script that bootstraps an attack succeeding with probability 1:4096 against weak ASLR implementations
  • strong.py: A python script that bootstraps an attack succeeding with probability 1:1 against weak ASLR implementations

Summary

The central point of all the documents is to show that Linux currently (November 2017, kernel 4.14) uses a weak mmap implementation that maps chunks at constant distances to each other into the virtual address space. To show that this can be problematic, we developed two attacks that show how to escalate Array-Out-of-Bounds-Writes to code execution by overwriting internal data structures used by ld.so.