Nytro

Revisiting Browser Security in the Modern Era

Abstract

The continuous discovery of exploitable vulnerabilities in popular applications (e.g., document viewers), along with their heightening protections against control flow hijacking, has opened the door to an often neglected attack strategy— namely, data-only attacks. In this paper, we demonstrate the practicality of the threat posed by data-only attacks that harness the power of memory disclosure vulnerabilities. To do so, we introduce memory cartography, a technique that simplifies the construction of data-only attacks in a reliable manner. Specifically, we show how an adversary can use a provided memory mapping primitive to navigate through process memory at runtime, and safely reach security-critical data that can then be modified at will. We demonstrate this capability by using our cross-platform memory cartography framework implementation to construct data-only exploits against Internet Explorer and Chrome. The outcome of these exploits ranges from simple HTTP cookie leakage, to the alteration of the same origin policy for targeted domains, which enables the cross-origin execution of arbitrary script code.

 

The ease with which we can undermine the security of modern browsers stems from the fact that although isolation policies (such as the same origin policy) are enforced at the script level, these policies are not well reflected in the underlying sandbox process models used for compartmentalization. This gap exists because the complex demands of today’s web functionality make the goal of enforcing the same origin policy through process isolation a difficult one to realize in practice, especially when backward compatibility is a priority (e.g., for support of cross-origin IFRAMEs). While fixing the underlying problems likely requires a major refactoring of the security architecture of modern browsers (in the long term), we explore several defenses, including global variable randomization, that can limit the power of the attacks presented herein.

 

Download: https://www3.cs.stonybrook.edu/~mikepo/papers/xfu.eurosp17.pdf
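To make the idea in the abstract concrete, here is a small added illustration (my own toy, not code from the paper and not Chrome or IE internals) of what a data-only attack driven by a memory-read/write primitive looks like. The struct layouts, the `renderer_globals` landmark with its magic value, the `arb_read`/`arb_write` primitives (backed by plain `memcpy` here so it runs stand-alone; in a real exploit they would be backed by a disclosure bug), and the origins and cookie value are all constructed assumptions. The attacker starts from one leaked address, follows pointer fields at known offsets, validates each hop against expected content before writing anything (that is the "safely reach" part), and then flips a policy flag and reads a cookie. No return address or function pointer is touched at any point, which is why control-flow integrity does nothing against it.

```c
/*
 * Added illustration (not the paper's code): a data-only attack that uses a
 * memory read/write primitive to walk from a leaked global to a
 * security-critical record, then modifies it in place.
 *
 * Everything below is a constructed toy: struct layouts, the "renderer"
 * globals, the magic landmark, origins and cookie value are assumptions, not
 * real browser internals.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* --- Victim side: a toy renderer holding a same-origin-policy record ------ */
struct origin_policy {
    char     origin[64];          /* document origin, e.g. "https://bank.example" */
    uint32_t allow_cross_origin;  /* security-critical flag: 0 = enforce SOP */
};

struct cookie_jar {
    char secret[32];              /* constructed cookie value */
};

struct renderer_globals {
    uint32_t              magic;  /* landmark the attacker checks before trusting the map */
    struct cookie_jar    *cookies;
    struct origin_policy *policy;
};

#define RENDERER_MAGIC 0x52454e44u /* "REND", constructed value */

static struct cookie_jar       g_cookies  = { "session=deadbeef" };
static struct origin_policy    g_policy   = { "https://bank.example", 0 };
static struct renderer_globals g_renderer = { RENDERER_MAGIC, &g_cookies, &g_policy };

/* The victim's policy check: pure data, no indirect call for an attacker to hijack. */
int victim_allows_cross_origin(const char *requesting_origin)
{
    if (strcmp(requesting_origin, g_renderer.policy->origin) == 0)
        return 1;                                   /* same origin */
    return g_renderer.policy->allow_cross_origin != 0;
}

/* --- Attacker side: the only capability assumed is arbitrary read/write ---- */
/* Stand-ins for a disclosure/write primitive; plain copies so the toy runs offline. */
static void arb_read(uintptr_t addr, void *out, size_t len)        { memcpy(out, (const void *)addr, len); }
static void arb_write(uintptr_t addr, const void *in, size_t len)  { memcpy((void *)addr, in, len); }

/* Toy "cartography": from one leaked address, follow pointer fields at known
 * offsets and validate each hop against expected content so a wrong map aborts
 * instead of corrupting memory. Returns 1 if the flag was flipped, 0 otherwise. */
int attacker_disable_sop(uintptr_t leaked_renderer_addr, const char *expected_origin)
{
    uint32_t magic;
    arb_read(leaked_renderer_addr + offsetof(struct renderer_globals, magic), &magic, sizeof magic);
    if (magic != RENDERER_MAGIC)
        return 0;                                   /* landmark mismatch: wrong address, stop */

    uintptr_t policy_addr;
    arb_read(leaked_renderer_addr + offsetof(struct renderer_globals, policy), &policy_addr, sizeof policy_addr);

    char origin[64];
    arb_read(policy_addr + offsetof(struct origin_policy, origin), origin, sizeof origin);
    origin[sizeof origin - 1] = '\0';
    if (strcmp(origin, expected_origin) != 0)
        return 0;                                   /* not the policy record we were aiming for */

    uint32_t one = 1;                               /* the data-only write: flip the flag */
    arb_write(policy_addr + offsetof(struct origin_policy, allow_cross_origin), &one, sizeof one);
    return 1;
}

/* Same map, different destination: reach the cookie jar and read it out. */
int attacker_leak_cookie(uintptr_t leaked_renderer_addr, char *out, size_t outlen)
{
    if (outlen == 0)
        return 0;
    uintptr_t jar_addr;
    arb_read(leaked_renderer_addr + offsetof(struct renderer_globals, cookies), &jar_addr, sizeof jar_addr);
    if (outlen > sizeof(struct cookie_jar))
        outlen = sizeof(struct cookie_jar);
    arb_read(jar_addr + offsetof(struct cookie_jar, secret), out, outlen);
    out[outlen - 1] = '\0';
    return 1;
}

/* Stands in for the result of an info-leak; in practice this is what ASLR hides. */
uintptr_t leaked_renderer_address(void) { return (uintptr_t)&g_renderer; }

int main(void)
{
    uintptr_t base = leaked_renderer_address();
    printf("before: may evil.example read bank.example? %d\n", victim_allows_cross_origin("https://evil.example"));
    if (attacker_disable_sop(base, "https://bank.example"))
        printf("after:  may evil.example read bank.example? %d\n", victim_allows_cross_origin("https://evil.example"));
    char cookie[32];
    attacker_leak_cookie(base, cookie, sizeof cookie);
    printf("leaked cookie: %s\n", cookie);
    return 0;
}
```

The landmark checks (magic value, expected origin string) are what keep the walk "safe" in the abstract's sense: if the leaked address or the assumed layout is wrong, the attacker reads something unexpected and stops rather than writing into the wrong place and crashing the renderer. Randomizing where `g_renderer` lives (the global variable randomization the authors mention as a defense) breaks the first hop of this map, which is exactly the point of that mitigation.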
