
Filter-resistant code injection on ARM

Journal in Computer Virology

Abstract

Code injection attacks are one of the most powerful and important classes of attacks on software. In these attacks, the attacker sends malicious input to a software application, where it is stored in memory. The malicious input is chosen in such a way that its representation in memory is also a valid representation of a machine code program that performs actions chosen by the attacker. The attacker then triggers a bug in the application to divert the control flow to this injected machine code. A typical action of the injected code is to launch a command interpreter shell, and hence the malicious input is often called shellcode. Attacks are usually performed against network-facing applications, and such applications often perform validations or encodings on input. Hence, a typical hurdle for attackers is that the shellcode has to pass one or more filtering methods before it is stored in the vulnerable application's memory space. Clearly, for a code injection attack to succeed, the malicious input must survive such validations and transformations. Alphanumeric input (consisting only of letters and digits) is typically very robust for this purpose: it passes most filters and is untouched by most transformations. This paper studies the power of alphanumeric shellcode on the ARM architecture. It shows that the subset of ARM machine code programs that (when interpreted as data) consist only of alphanumeric characters is a Turing-complete subset. This is a non-trivial result, as the number of instructions that consist only of alphanumeric characters is very limited. To craft useful exploit code (and to achieve Turing completeness), several tricks are needed, including the use of self-modifying code.
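The filter constraint described in the abstract can be made concrete. The C program below is an example added here; it is not code from the paper or its authors. It encodes 32-bit ARM (A32) data-processing instructions that take a rotated 8-bit immediate, tests whether all four little-endian bytes of an encoding lie in [0-9A-Za-z] (the byte sequence an alphanumeric filter actually sees), and brute-forces the encoding space of that one instruction class to report which condition codes, opcodes and registers survive. The field layout follows the ARM architecture reference for this class; the sample instruction SUBPL r3, r3, #0x41 and the function names are constructed for illustration. Only this instruction class is covered; the loads, stores and self-modifying-code tricks the paper needs for a complete shellcode are not shown.

```c
/* Added example, not code from the paper: which 32-bit ARM (A32) data-processing
 * instructions with a rotated 8-bit immediate have an encoding whose bytes are
 * all in [0-9A-Za-z]?  Field layout (ARM ARM, data-processing immediate):
 *   cond[31:28] 0 0 1 opcode[24:21] S[20] Rn[19:16] Rd[15:12] rotate[11:8] imm8[7:0]
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char *COND_NAMES[16] = { "EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
                                      "HI", "LS", "GE", "LT", "GT", "LE", "AL", "NV" };
static const char *OPCODE_NAMES[16] = { "AND", "EOR", "SUB", "RSB", "ADD", "ADC", "SBC", "RSC",
                                        "TST", "TEQ", "CMP", "CMN", "ORR", "MOV", "BIC", "MVN" };

int is_alnum_byte(unsigned b) {
    return (b >= '0' && b <= '9') || (b >= 'A' && b <= 'Z') || (b >= 'a' && b <= 'z');
}

/* ARM code is stored little-endian and a filter sees bytes, not words:
 * every one of the four bytes must pass. */
int is_alnum_insn(uint32_t insn) {
    for (int i = 0; i < 4; i++)
        if (!is_alnum_byte((insn >> (8 * i)) & 0xff)) return 0;
    return 1;
}

/* The in-memory byte sequence as the text a filter would see.
 * Static buffer: the result is only valid until the next call. */
const char *insn_as_text(uint32_t insn) {
    static char buf[5];
    for (int i = 0; i < 4; i++) buf[i] = (char)((insn >> (8 * i)) & 0xff);
    buf[4] = '\0';
    return buf;
}

uint32_t encode_dp_imm(unsigned cond, unsigned opcode, unsigned s, unsigned rn,
                       unsigned rd, unsigned rotate, unsigned imm8) {
    return (cond & 0xf) << 28 | 1u << 25 | (opcode & 0xf) << 21 | (s & 1) << 20 |
           (rn & 0xf) << 16 | (rd & 0xf) << 12 | (rotate & 0xf) << 8 | (imm8 & 0xff);
}

struct dp_imm_survey {
    uint16_t cond_mask;    /* bit c set: condition code c occurs in some alphanumeric encoding */
    uint32_t opcode_mask;  /* bit (2*opcode + S) set: that opcode/S pair occurs */
    uint16_t rn_mask[32];  /* indexed by 2*opcode + S: first-operand registers that work */
    uint16_t rd_mask;      /* destination registers that work (for some rotate/imm8) */
};

/* Each byte depends on disjoint fields, so the high halfword (cond, opcode, S, Rn)
 * and the low halfword (Rd, rotate, imm8) can be enumerated separately:
 * 2^13 + 2^16 candidates instead of 2^32. */
struct dp_imm_survey survey_dp_imm(void) {
    struct dp_imm_survey sv;
    memset(&sv, 0, sizeof sv);
    for (unsigned cond = 0; cond < 16; cond++)
        for (unsigned op = 0; op < 16; op++)
            for (unsigned s = 0; s < 2; s++) {
                /* TST/TEQ/CMP/CMN (opcodes 8-11) always have S=1; the S=0 forms are
                 * MSR or undefined encodings, not data-processing instructions. */
                if (op >= 8 && op <= 11 && s == 0) continue;
                for (unsigned rn = 0; rn < 16; rn++) {
                    uint32_t hi = encode_dp_imm(cond, op, s, rn, 0, 0, 0) >> 16;
                    if (is_alnum_byte(hi >> 8) && is_alnum_byte(hi & 0xff)) {
                        sv.cond_mask |= 1u << cond;
                        sv.opcode_mask |= 1u << (2 * op + s);
                        sv.rn_mask[2 * op + s] |= 1u << rn;
                    }
                }
            }
    for (unsigned rd = 0; rd < 16; rd++)
        for (unsigned rot = 0; rot < 16; rot++)
            for (unsigned imm = 0; imm < 256; imm++) {
                uint32_t lo = encode_dp_imm(0, 0, 0, 0, rd, rot, imm) & 0xffff;
                if (is_alnum_byte(lo >> 8) && is_alnum_byte(lo & 0xff)) sv.rd_mask |= 1u << rd;
            }
    return sv;
}

/* Convenience accessor: which Rn values an alphanumeric encoding of opcode/S allows. */
uint16_t alnum_rn_mask(unsigned opcode, unsigned s) {
    struct dp_imm_survey sv = survey_dp_imm();
    return sv.rn_mask[2 * (opcode & 0xf) + (s & 1)];
}

int main(void) {
    struct dp_imm_survey sv = survey_dp_imm();
    printf("conditions:");
    for (unsigned c = 0; c < 16; c++) if (sv.cond_mask & (1u << c)) printf(" %s", COND_NAMES[c]);
    printf("\ndestination registers:");
    for (unsigned r = 0; r < 16; r++) if (sv.rd_mask & (1u << r)) printf(" r%u", r);
    printf("\nopcode: usable Rn\n");
    for (unsigned k = 0; k < 32; k++) {
        if (!(sv.opcode_mask & (1u << k))) continue;
        printf("%s%s:", OPCODE_NAMES[k / 2], (k % 2 && k / 2 < 8) ? "S" : "");
        for (unsigned r = 0; r < 16; r++) if (sv.rn_mask[k] & (1u << r)) printf(" r%u", r);
        printf("\n");
    }
    /* Constructed sample: SUBPL r3, r3, #0x41 is stored as the text "A0CR". */
    uint32_t insn = encode_dp_imm(5, 2, 0, 3, 3, 0, 0x41);
    printf("SUBPL r3, r3, #0x41 -> 0x%08X = \"%s\" (alphanumeric: %d)\n",
           (unsigned)insn, insn_as_text(insn), is_alnum_insn(insn));
    return 0;
}
```

Running the survey shows how small the usable subset is within this class: only the CC, MI, PL, VS and VC condition codes (the top byte must itself be a letter or digit, so the unconditional AL encoding never passes), only EORS, SUB, SUBS, RSB, RSBS, TEQ, CMP and CMN, and only r3 to r7 as destination register, with the allowed first-operand registers varying per opcode. Every surviving instruction is therefore conditionally executed, so shellcode built from them has to keep the flags in a state that makes the chosen condition true, which is one reason the paper needs additional tricks and self-modifying code to reach a full program.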




Corresponding author

Correspondence to Yves Younan.


Cite this article

Younan, Y., Philippaerts, P., Piessens, F. et al. Filter-resistant code injection on ARM. J Comput Virol 7, 173–188 (2011). https://doi.org/10.1007/s11416-010-0146-0
