|
References [1] address space layout randomization. http://pax.grsecurity.net/docs/aslr.txt. [2] non-executable pages design & implementation. http://pax.grsecurity.net/docs/noexec.txt. [3] Pwn2own 2015:Day two results. http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Day-Two-results/ba-p/6722884. [4] Stefan Savage Erik Buchanan,Ryan Roemer and Hovav Shacham. Return-oriented programming:Exploits without code injection. https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_ US_08_Shacham_Return_Oriented_Programming.pdf. [5] Chi-Keung Luk, Robert Cohn, Robert Muth, Harish Patil, Artur Klauser, Ge- off Lowney, Steven Wallace, Vijay Janapa Reddi, and Kim Hazelwood. Pin: Building customized program analysis tools with dynamic instrumentation. In Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI ’05, pages 190–200, New York, NY, USA, 2005. ACM. [6] Aleph One. Smashing the stack for fun and profit. Phrack, 7(49), November 1996. [7] c0ntex. Bypassing non-executable-stack during exploitation using return-to-libc. http://css.csail.mit.edu/6.858/2014/readings/return-to-libc.pdf. [8] ltrace. http://ltrace.org/. [9] Global offset tables. http://bottomupcs.sourceforge.net/csbu/x3824.htm. [10] proc - process information pseudo-file system. http://linux.die.net/man/5/proc. [11] Position independent executables(pie). https://securityblog.redhat.com/2012/11/28/position-independent-executables-pie. [12] objdump. http://linux.die.net/man/1/objdump. [13] Ropgadget. https://github.com/JonathanSalwan/ROPgadget. [14] Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. Q: Exploit hardening made easy. In Proceedings of the 20th USENIX Conference on Secu- rity, SEC’11, pages 25–25, Berkeley, CA, USA, 2011. USENIX Association. [15] Minh Tran, Mark Etheridge, Tyler Bletsch, Xuxian Jiang, Vincent Freeh, and Peng Ning. On the expressiveness of return-into-libc attacks. In Proceedings of the 14th International Conference on Recent Advances in Intrusion Detection, RAID’11, pages 121–141, Berlin, Heidelberg, 2011. Springer-Verlag. [16] Crispin Cowan, Calton Pu, Dave Maier, Heather Hintony, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. Stack- guard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th Conference on USENIX Security Symposium - Volume 7, SSYM’98, pages 5–5, Berkeley, CA, USA, 1998. USENIX Association. [17] Freefloat ftp 1.0 - dep bypass with rop. https://www.exploit-db.com/exploits/24944/. [18] Microsoft internet explorer 8 - fixed col span id full aslr, dep & emet 5.1 bypass (ms12-037). https://www.exploit-db.com/exploits/35273/. [19] Lucas Davi, Ahmad-Reza Sadeghi, and Marcel Winandy. Ropdefender: A detection tool to defend against return-oriented programming attacks. In Pro- ceedings of the 6th ACM Symposium on Information, Computer and Commu- nications Security, ASIACCS ’11, pages 40–51, New York, NY, USA, 2011. ACM. [20] Runtime Prevention of Return-Oriented Programming Attacks. https://ropguard.googlecode.com/svn/trunk/doc/ropguard.pdf. [21] Tyler Bletsch, Xuxian Jiang, Vince W. Freeh, and Zhenkai Liang. Jump- oriented programming: A new class of code-reuse attack. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Se- curity, ASIACCS ’11, pages 30–40, New York, NY, USA, 2011. ACM. [22] Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis. Transparent rop exploit mitigation using indirect branch tracing. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13), pages 447–462, Washington, D.C., 2013. USENIX. [23] Yueqiang Cheng, Zongwei Zhou, Miao Yu, Xuhua Ding, and Robert H. Deng. Ropecker: A generic and practical approach for defending against ROP attacks. In 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014, 2014. [24] Intel(r) 64 and ia-32 architectures software developer manuals. http: //www.intel.com/content/dam/www/public/us/en/documents/manuals/ 64-ia-32-architectures-software-developer-vol-3b-part-2-manual. pdf. [25] Nicholas Carlini and David Wagner. Rop is still dangerous: Breaking modern defenses. In 23rd USENIX Security Symposium (USENIX Security 14), pages 385–399, San Diego, CA, August 2014. USENIX Association. [26] Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis. Smash- ing the gadgets: Hindering return-oriented programming using in-place code randomization. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP ’12, pages 601–615, Washington, DC, USA, 2012. IEEE Computer Society. [27] Pin 2.14 user guide. https://software.intel.com/sites/landingpage/pintool/docs/71313/Pin/html/. [28] Pldi 2007. https://software.intel.com/sites/default/files/article/256675/pldi2007-pintutorial.pdf. [29] Cve-2013-3893. http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx. [30] Advanced return-into-lib(c) exploits (pax case study). http://phrack.org/issues/58/4.html. [31] Microsoft pe and coff specification. https://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx. [32] Ctf? wtf? https://ctftime.org/ctf-wtf/. [33] Wiki-like ctf write-ups repository maintained by the community 2014. https://github.com/ctfs/write-ups-2014. [34] exploit-by-cutz.pl. https://github.com/ctfs/write-ups-2014/blob/master/hack-lu-ctf-2014/oreo/exploit-by-cutz.pl. [35] test.py. https://rzhou.org/~ricky/hitcon2014/rsbo/test.py. [36] time - time a simple command or give resource usage. http://linux.about.com/library/cmd/blcmdl1_time.htm.
|