19 research outputs found

    Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization

    The wide adoption of non-executable page protections in recent versions of popular operating systems has given rise to attacks that employ return-oriented programming (ROP) to achieve arbitrary code execution without the injection of any code. Existing defenses against ROP exploits either require source code or symbolic debugging information, or impose a significant runtime overhead, which limits their applicability for the protection of third-party applications. In this paper we present in-place code randomization, a practical mitigation technique against ROP attacks that can be applied directly to third-party software. Our method uses various narrow-scope code transformations that can be applied statically, without changing the location of basic blocks, allowing the safe randomization of stripped binaries even with partial disassembly coverage. These transformations effectively eliminate about 10%, and probabilistically break about 80%, of the useful instruction sequences found in a large set of PE files. Since no additional code is inserted, in-place code randomization does not incur any measurable runtime overhead, enabling it to be easily used in tandem with existing exploit mitigations such as address space layout randomization. Our evaluation using publicly available ROP exploits and two ROP code generation toolkits demonstrates that our technique prevents the exploitation of the tested vulnerable Windows 7 applications, including Adobe Reader, as well as the automated construction of alternative ROP payloads that aim to circumvent in-place code randomization using solely any remaining unaffected instruction sequences.

    Secular trends of blood isolates in patients from a rural area population hospitalized in a tertiary center in a small city in Greece

    BACKGROUND: Most of the studies evaluating the secular trends of blood isolates come from tertiary hospitals in urban areas. We sought to study the trends of the antimicrobial resistance of blood isolates in patients from a rural population hospitalized in a tertiary hospital in a small city in Greece. METHODS: We retrospectively collected and analysed data for the first positive blood culture obtained for each admission for each patient hospitalized in the General Hospital of Tripolis, Tripolis, Peloponnesus, Greece during a 5 year period (16/05/2000 – 15/05/2005). RESULTS: Sixty-seven thousand and seventy patients were hospitalized during the study period, from whom 3,206 blood cultures were obtained. The number of blood cultures obtained increased faster than the number of admissions during the study period (p < 0.001). Three hundred and seventy-three (11.6%) blood cultures were positive. Coagulase-negative staphylococci (35.9%), Escherichia coli (29%), and Staphylococcus aureus (18.2%) were the most commonly isolated pathogens. Among the Staphylococcus aureus isolates, the proportion of methicillin-resistant Staphylococcus aureus (MRSA) was 17.2% (5/29). The proportion of Escherichia coli resistant to trimethoprim and sulfamethoxazole, ampicillin and cefuroxime was 29.6% (32/108), 25.0% (27/108), and 8.3% (9/108) respectively. Imipenem resistance was noted in 3.4% (1/29) of Pseudomonas aeruginosa isolates. There were only 6 (1.6%) Acinetobacter baumannii blood isolates during the study period. CONCLUSION: The antimicrobial resistance of isolates from patients receiving care at the studied tertiary hospital in a small city in Greece is considerably lower than that noted in tertiary hospitals in larger cities of the country.

    CloudFence: Enabling Users to Audit the Use of their Cloud-Resident Data

    One of the primary concerns of users of cloud-based services and applications is the risk of unauthorized access to their private information. In the common setting where the infrastructure provider and the online service provider are different, end users have to trust their data to both parties, although they interact solely with the service provider. This paper presents CloudFence, a framework that allows users to independently audit the treatment of their private data by third-party online services, through the intervention of the cloud provider that hosts these services. CloudFence is based on a fine-grained data flow tracking platform exposed by the cloud provider to both developers of cloud-based applications and their users. Besides data auditing for end users, CloudFence allows service providers to confine the use of sensitive data to well-defined domains using data tracking at arbitrary granularity, offering additional protection against inadvertent leaks and unauthorized access. The results of our experimental evaluation with real-world applications, including an e-store platform and a cloud-based backup service, demonstrate that CloudFence requires just a few changes to existing application code, while it can detect and prevent a wide range of security breaches, ranging from data leakage attacks using SQL injection to personal data disclosure due to missing or erroneously implemented access control checks.

    Transparent ROP Exploit Mitigation Using Indirect Branch Tracing (Proceedings of the 22nd USENIX Security Symposium; open access sponsored by USENIX)

    Return-oriented programming (ROP) has become the primary exploitation technique for system compromise in the presence of non-executable page protections. ROP exploits are facilitated mainly by the lack of complete address space randomization coverage or the presence of memory disclosure vulnerabilities, necessitating additional ROP-specific mitigations. In this paper we present a practical runtime ROP exploit prevention technique for the protection of third-party applications. Our approach is based on the detection of abnormal control transfers that take place during ROP code execution. This is achieved using hardware features of commodity processors, which incur negligible runtime overhead and allow for completely transparent operation without requiring any modifications to the protected applications. Our implementation for Windows 7, named kBouncer, can be selectively enabled for installed programs in the same fashion as user-friendly mitigation toolkits like Microsoft's EMET. The results of our evaluation demonstrate that kBouncer has a low runtime overhead of up to 4% when stressed with specially crafted workloads that continuously trigger its core detection component, while it has negligible overhead for actual user applications. In our experiments with in-the-wild ROP exploits, kBouncer successfully protected all tested applications, including Internet Explorer, Adobe Flash Player, and Adobe Reader.

    Polper: Process-aware restriction of over-privileged setuid calls in legacy applications

    setuid system calls enable critical functions such as user authentication and modular privileged components. Such operations must only be executed after careful validation. However, current systems do not perform rigorous checks, allowing exploitation of privileges through memory corruption vulnerabilities in privileged programs. As a solution, understanding which setuid system calls can be invoked in what context of a process allows precise enforcement of least privilege. We propose a novel comprehensive method to systematically extract and enforce least privilege for setuid system calls to prevent misuse. Our approach learns the required process contexts of setuid system calls along multiple dimensions (process hierarchy, call stack, and parameters) in a process-aware way. Every setuid system call is then restricted to the per-process context by our kernel-level context enforcer. Previous approaches without process-awareness are too coarse-grained to control setuid system calls, resulting in over-privilege. Our method reduces available privileges even for identical code depending on whether it is run by a parent or a child process. We present our prototype, called PoLPer, which systematically discovers only the required setuid system calls and effectively prevents real-world exploits targeting vulnerabilities of the setuid family of system calls in popular desktop and server software at near zero overhead. © 2019 Copyright held by the owner/author(s).

    The Multidrug Resistance 1 Gene Abcb1 in Brain and Placenta: Comparative Analysis in Human and Guinea Pig

    The Multidrug Resistance 1 (MDR1; alternatively ABCB1) gene product P-glycoprotein (P-gp), an ATP binding cassette transporter, extrudes multiple endogenous and exogenous substrates from the cell, playing an important role in normal physiology and in xenobiotic distribution and bioavailability. To date, the predominant animal models used to investigate the role of P-gp have been the mouse and rat, which have two distinct genes, Abcb1a and Abcb1b. In contrast, the human has a single gene, ABCB1, for which only a single isoform has been validated. We and others have previously shown important differences between Abcb1a and Abcb1b, limiting the extrapolation from rodent findings to the human. Since the guinea pig has a relatively long gestation, hemomonochorial placentation and neuroanatomically mature offspring, it is more similar to the human and may provide a more comparable model for investigating the regulation of P-gp in the brain and placenta; however, to date, the Abcb1 gene in the guinea pig remains uncharacterized. The placenta and fetal brain are barrier sites that express P-gp and that play a critical role in protecting the fetus and the fetal brain from maternally administered drugs and other xenobiotics. Using RNA sequencing (RNA-seq), reverse transcription-polymerase chain reaction (RT-PCR) and quantitative PCR (QPCR) to sequence the expressed isoforms of guinea pig Abcb1, we demonstrate that, like the human, the guinea pig genome contains one gene for Abcb1, but that it is expressed as at least three different isoforms via alternative splicing and alternate exon usage. Further, we demonstrate that these isoforms are more closely related to human than to rat or mouse isoforms. This striking overall similarity and evolutionary relatedness between guinea pig Abcb1 and human ABCB1 indicate that the guinea pig represents a relevant animal model for investigating the function and regulation of P-gp in the placenta and brain.

    RT-PCR validation of guinea pig Abcb1 transcripts.

    A. Diagram showing the relative placement of the primer pairs designed to identify and validate the 5′ (start) sequence via sequencing. B. Diagram showing the relative placement of the primer pairs designed to validate isoform 1 (genewalk). C. Diagram showing the relative placement of the primer pairs designed to validate the 3′ (end) sequence. Diagonal lines between exons 30 and 31 represent a longer region than can be represented here.

    Phylogenetic tree.

    Phylogenetic tree of human, guinea pig, mouse, rat and hamster ABCB1, inferring that guinea pig is closest to human and that these share a common historical evolution with Abcb1a of mouse, rat and hamster, whereas Abcb1b evolved separately. Phylogenetic tree created using http://www.phylogeny.fr/version2_cgi/simple_phylogeny.cgi and based on protein sequences. Branch length is proportional to the number of substitutions per amino acid site.

    Guinea pig Abcb1 gene, transcripts and C-terminal amino acid differences.

    A. Guinea pig Abcb1 locus showing the relative localization of exons (bars) on the coding (minus) strand and in the 5′-to-3′ (left-right) orientation relative to that of the corresponding human ABCB1 locus (above). Dashed lines join highly homologous exons. Diagram drawn to scale. Stars indicate major differences between guinea pig and human P-gp, including the absence of the first two exons, a 2.8 kb exon 29, and the presence of two additional terminal exons, exons 30 and 31. Diagonal lines between exons 30 and 31 represent a longer region than can be represented here. B. Composition of guinea pig ABCB1 transcripts following alternate exon usage and alternative splicing. Note that exons 3 to 28 are common to all three isoforms. Dotted lines represent spliced junctions; Met represents the start codon (AUG); hexagons represent stop codons (UAA). Diagram drawn to scale. C. The 4 carboxy-terminal amino acids of the guinea pig P-gp proteins according to in silico translation. R– = the rest of the protein; -COOH = the carboxylic acid tail. Note that diagrams based on results returned from BLAST or BLAT against the UCSC 2008 guinea pig genome assembly change periodically as the assembly evolves; hence, results regarding nucleotide sequences, especially intron sizes, are subject to change.