Abstract
In the arms race between binary exploitation techniques and mitigation schemes, code-reuse attacks have been proven indispensable. Typically, one of the initial hurdles is that an attacker cannot execute their own code due to countermeasures such as data execution prevention (DEP,
). While this technique is powerful, the task of finding and correctly chaining gadgets remains cumbersome. Although various methods automating this task have been proposed, they either rely on hard-coded heuristics or make specific assumptions about the gadgets’ semantics. This not only drastically limits the search space but also sacrifices their capability to find valid chains unless specific gadgets can be located. As a result, they often produce no chain or an incorrect chain that crashes the program. In this paper, we present SGC, the first generic approach to identify gadget chains in an automated manner without imposing restrictions on the gadgets or limiting its applicability to specific exploitation scenarios. Instead of using heuristics to find a gadget chain, we offload this task to an SMT solver. More specifically, we build a logical formula that encodes the CPU and memory state at the time when the attacker can divert execution flow to the gadget chain, as well as the attacker’s desired program state that the gadget chain should construct. In combination with a logical encoding of the data flow between gadgets, we query an SMT solver whether a valid gadget chain exists. If successful, the solver provides a proof of existence in the form of a synthesized gadget chain. This way, we remain fully flexible w.r.t. to the gadgets. In empirical tests, we find that the solver often uses all types of control-flow transfer instructions and even gadgets with side effects. Our evaluation shows that SGC successfully finds working gadget chains for real-world exploitation scenarios within minutes, even when all state-of-the-art approaches fail.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity principles, implementations, and applications. ACM Trans. Inf. Syst. Secur. (TISSEC) 13(1) (2009)
angr team: angrop. https://github.com/angr/angrop
Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: ACM Conference on Computer and Communications Security (CCS) (2011)
Carlini, N., Wagner, D.: ROP is still dangerous: breaking modern defenses. In: USENIX Security Symposium (2014)
CEA IT Security: Miasm - reverse engineering framework. https://github.com/cea-sec/miasm
Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: ACM Conference on Computer and Communications Security (CCS) (2010)
Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Zadeck, F.K.: An Efficient method of computing static single assignment form. In: ACM Symposium on Principles of Programming Languages (POPL) (1989)
Follner, A., et al.: PSHAPE: automatically combining gadgets for arbitrary method execution. In: Security and Trust Management Workshop (2016)
Göktas, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: overcoming control-flow integrity. In: IEEE Symposium on Security and Privacy (2014)
Hu, H., Shinde, S., Adrian, S., Chua, Z.L., Saxena, P., Liang, Z.: Data-oriented programming: on the expressiveness of non-control data attacks. In: IEEE Symposium on Security and Privacy (2016)
Ispoglou, K.K., AlBassam, B., Jaeger, T., Payer, M.: Block-oriented programming: automating data-only attacks. In: ACM Conference on Computer and Communications Security (CCS) (2018)
Kelley, S.: dnsmasq. https://thekelleys.org.uk/dnsmasq/doc.html
Kornau, T.: Return-Oriented Programming for the ARM Architecture. Master’s thesis, Ruhr-Universität Bochum (2010)
Krahmer, S.: x86–64 buffer overflow exploits and the borrowed code chunks exploitation technique (2005)
Kroening, D., Strichman, O.: Decision Procedures. Springer, Cham (2016). https://doi.org/10.1007/978-3-540-74105-3
Matz, M., Hubicka, J., Jaeger, A., Mitchell, M.: System V application binary interface. AMD64 Architecture Processor Supplement, Draft v0 99 (2013)
Milanov, B.: ROPium. https://github.com/Boyan-MILANOV/ropium
Niemetz, A., Preiner, M., Biere, A.: Boolector 2.0. J. Satisfiabil. Boolean Modeling Comput. 9(1), 53–58 (2014)
Roemer, R.G.: Finding the bad in good code: automated return-oriented programming exploit discovery. Master’s thesis, UC San Diego (2009)
Salwan, J.: ROPgadget. https://github.com/JonathanSalwan/ROPgadget
Schirra, S.: Ropper. https://github.com/sashs/Ropper
Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.R., Holz, T.: Counterfeit object-oriented programming: on the difficulty of preventing code reuse attacks in C++ Applications. In: 2015 IEEE Symposium on Security and Privacy, pp. 745–762. IEEE (2015)
Schwartz, E.J., Avgerinos, T., Brumley, D.: Q: Exploit hardening made easy. In: USENIX Security Symposium (2011)
Schwartz, E.J., Cohen, C.F., Gennari, J.S., Schwartz, S.M.: A generic technique for automatically finding defense-aware code reuse attacks. In: ACM Conference on Computer and Communications Security (CCS) (2020)
Serna, F.J., Linton, M., Stadmeyer, K.: dnsmasq stack-based buffer overflow (CVE-2017-14493). https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
Shacham, H.: The geometry of innocent flesh on the bone: return-into-LIBC without function calls (on the x86). In: ACM Conference on Computer and Communications Security (CCS) (2007)
Sinz, C., Falke, S., Merz, F.: A precise memory model for low-level bounded model checking. In: International Conference on Systems Software Verification (2010)
SMT-LIB: Logics. https://smtlib.cs.uiowa.edu/logics-all.shtml#QF_ABV
Snow, K.Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., Sadeghi, A.R.: Just-in-time code reuse: on the effectiveness of fine-grained address space layout randomization. In: IEEE Symposium on Security and Privacy (2013)
Solar Designer: Return-to-Libc (1997)
Stump, A., Barrett, C.W., Dill, D.L., Levitt, J.: A decision procedure for an extensional theory of arrays. In: IEEE Symposium on Logic in Computer Science (2001)
Szekeres, L., Payer, M., Wei, T., Song, D.: Sok: eternal war in memory. In: IEEE Symposium on Security and Privacy (2013)
Vanegue, J., Heelan, S., Rolles, R.: SMT solvers in software security. In: USENIX Workshop on Offensive Technologies (WOOT) (2012)
Vector 35 Inc.: Binary Ninja. https://binary.ninja/
van der Veen, V., Andriesse, D., Stamatogiannakis, M., Chen, X., Bos, H., Giuffrdia, C.: The dynamics of innocent flesh on the bone: code reuse ten years later. In: ACM Conference on Computer and Communications Security (CCS) (2017)
Weber, T., Conchon, S., Déharbe, D., Heizmann, M., Niemetz, A., Reger, G.: The SMT competition 2015–2018. J. Satisf. Boolean Model. Comput. 11(1) (2019)
Wollgast, P., Gawlik, R., Garmany, B., Kollenda, B., Holz, T.: Automated multi-architectural discovery of CFI-resistant code gadgets. In: European Symposium on Research in Computer Security (ESORICS) (2016)
Acknowledgements
This work was supported by the German Research Foundation (DFG) within the framework of the Excellence Strategy of the Federal Government and the States—EXC 2092 CaSa—39078197.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Modeling
Byte-wise memory reads and writes are modeled using single select and store operators, respectively. Larger reads are modeled by concatenating multiple select expressions, which we define recursively in terms of smaller read operations. Reads smaller than 64-bit into a 64-bit register are zero-extended by using concat with the zero bit vector \(bv_0\). Larger writes are similarly modeled using the composition of multiple store expressions. Table 6 shows memory accesses of various sizes. Given an array m, address k and value v and bit size \(n \in (8, 16, 32, 64)\), we use the names \(mem\_read_n(m, k)\) and \(mem\_write_n(m, k, v)\) to substitute the longer SMT expressions from these tables.
B dnsmasq CVE-2017-14493
In the following, we analyze the dnsmasq bug in more detail. The stack-based buffer overflow in dnsmasq is caused by the absence of a length check of the data copied to a static buffer on the stack. Figure 2 shows the vulnerable call to memcpy in function dhcp6_maybe_relay. Sending a malicious DHCPv6 packet allows to gain control over the instruction pointer by overflowing the mac buffer of static size DHCP_CHADDR_MAX (16) in the state structure present on the stack.
Vulnerable memcpy in file rfc3315.c, which overflows the mac buffer in state.
The proof-of-concept (PoC) provided alongside the bug report [25] builds up such a DHCPv6 packet containing an OPTION6_CLIENT_MAC option holding data of excessive length. While the PoC overwrites the instruction pointer with a dummy value, injecting an arbitrary amount of bytes is possible. As long as the stack is not exhausted, the packet’s content is copied and remains untouched until the instruction pointer is overwritten.
In order to synthesize a gadget chain, the information needed to specify preconditions and postconditions is gathered by extracting the program state before hijacking the control flow through GDB. Table 7a shows the preconditions set for dnsmasq. The initial ret instruction, which redirects the control flow to the chain’s first gadget (gadget_0), is specified by preconditioning rip. The stack pointer rsp points to the part of the controlled buffer, where the gadget chain will be copied. In the logical formula, this stack area is a free variable.
Since we want to execute a system call to execve to spawn a shell, the final register values which the gadget chain needs to reach are specified accordingly. Table 7b shows the postconditions in preparation for calling execve(&"/bin/sh", 0, 0). Here, rip holds the address of a syscall instruction available in the program. Using the default configuration described in Sect. 5.1, SGC finds a gadget chain consisting of four gadgets within approximately 8m. While most gadgets are straightforward, gadget_3 (shown in Fig. 3) writes a value to the stack outside the attacker-controlled buffer, a side effect that does not harm the chain. The arithmetic operations of the first four instructions do not change register rax’ value of 0. In line 6, the lea instruction is used to add 0x5 to the value present in \(\texttt {rbp} = \texttt {0x55555559a1cb}\). The resulting address, 0x55555559a1d0, is a syscall instruction; the address is placed on the stack at address 0x7fffffffe240 present in register rbx. As this address is writable memory, no harm results from this side effect.
gadget_3 of the gadget chain used to spawn a shell in dnsmasq.
As mentioned earlier, the PoC crafts a rogue DHCPv6 packet. In order to construct the payload with our synthesized gadget chain, the length parameter is adjusted and the dummy value is replaced with the data of the gadget chain. Sending this packet to the dnsmasq DHCP server successfully spawns the shell.
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Schloegel, M., Blazytko, T., Basler, J., Hemmer, F., Holz, T. (2021). Towards Automating Code-Reuse Attacks Using Synthesized Gadget Chains. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-88418-5_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88417-8
Online ISBN: 978-3-030-88418-5
eBook Packages: Computer ScienceComputer Science (R0)