
PSHAPE: Automatically Combining Gadgets for Arbitrary Method Execution

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9871)

Abstract

Return-Oriented Programming (ROP) is the cornerstone of today’s exploits. Yet, building ROP chains is predominantly a manual task, enjoying limited tool support. Many of the available tools contain bugs, are not tailored to the needs of exploit development in the real world and do not offer practical support to analysts, which is why they are seldom used for any tasks beyond gadget discovery. We present PSHAPE (Practical Support for Half-Automated Program Exploitation), a tool which assists analysts in exploit development. It discovers gadgets, chains gadgets together, and ensures that side effects such as register dereferences do not crash the program. Furthermore, we introduce the notion of gadget summaries, a compact representation of the effects a gadget or a chain of gadgets has on memory and registers. These semantic summaries enable analysts to quickly determine the usefulness of long, complex gadgets that use a lot of aliasing or involve memory accesses. Case studies on nine real binaries representing 147 MiB of code show PSHAPE’s usefulness: it automatically builds usable ROP chains for nine out of eleven scenarios.




Acknowledgments

We would like to thank the anonymous reviewers for their feedback and suggestions on improving the paper. This work was supported, in part, by NSF CNS-1513783, by the German Federal Ministry of Education and Research (BMBF) and by the Hessian Ministry of Science and the Arts within CRISP (www.crisp-da.de), as well as by the Heinz Nixdorf Foundation.

Author information

Correspondence to Andreas Follner.


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Follner, A. et al. (2016). PSHAPE: Automatically Combining Gadgets for Arbitrary Method Execution. In: Barthe, G., Markatos, E., Samarati, P. (eds) Security and Trust Management. STM 2016. Lecture Notes in Computer Science, vol 9871. Springer, Cham. https://doi.org/10.1007/978-3-319-46598-2_15

  • DOI: https://doi.org/10.1007/978-3-319-46598-2_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-46597-5

  • Online ISBN: 978-3-319-46598-2

  • eBook Packages: Computer Science (R0)
