Abstract
Return-Oriented Programming (ROP) is the cornerstone of today’s exploits. Yet, building ROP chains is predominantly a manual task, enjoying limited tool support. Many of the available tools contain bugs, are not tailored to the needs of exploit development in the real world and do not offer practical support to analysts, which is why they are seldom used for any tasks beyond gadget discovery. We present PSHAPE (Practical Support for Half-Automated Program Exploitation), a tool which assists analysts in exploit development. It discovers gadgets, chains gadgets together, and ensures that side effects such as register dereferences do not crash the program. Furthermore, we introduce the notion of gadget summaries, a compact representation of the effects a gadget or a chain of gadgets has on memory and registers. These semantic summaries enable analysts to quickly determine the usefulness of long, complex gadgets that use a lot of aliasing or involve memory accesses. Case studies on nine real binaries representing 147 MiB of code show PSHAPE’s usefulness: it automatically builds usable ROP chains for nine out of eleven scenarios.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Andersen, S., Abella, V.: Memory protection technologies. https://technet.microsoft.com/en-us/library/bb457155.aspx, August 2004
Athanasakis, M., Athanasopoulos, E., Polychronakis, M., Portokalidis, G., Ioannidis, S.: The devil is in the constants: Bypassing defenses in browser JIT engines. In: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, February 8–11, 2014 (2015)
Bittau, A., Belay, A., Mashtizadeh, A., Mazières, D., Boneh, D.: Hacking blind. In: Proceedings of the IEEE Symposium on Security and Privacy, SP 2014, pp. 227–242. IEEE Computer Society, Washington, DC (2014)
Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, pp. 30–40. ACM, New York (2011)
Bray, B.: Compiler security checks in depth, February 2002. http://msdn.microsoft.com/en-us/library/aa290051(v=vs.71).aspx
Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (USA, 2010), CCS 2010, pp. 559–572. ACM, New York, NY (2010)
Chen, X.: Aslr bypass apocalypse in recent zero-day exploits. https://www.fireeye.com/blog/threat-research/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html
Cheng, Y., Zhou, Z., Yu, M., Ding, X., Deng, R.H.: Ropecker: A generic and practical approach for defending against ROP attacks. In: NDSS (2014)
Davi, L., Sadeghi, A.-R., Winandy, M.: Ropdefender: a detection tool to defend against return-oriented programming attacks. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, pp. 40–51. ACM, New York (2011)
Dinh, L.L.: Ropeme - rop exploit made easy. https://github.com/packz/ropeme
Eeckhoutte, P. V. mona.py. https://github.com/corelan/mona
Federico, A.D., Cama, A., Shoshitaishvili, Y., Kruegel, C., Vigna, G.: How the elf ruined christmas. In 24th USENIX Security Symposium (USENIX Security 15), pp. 643–658. USENIX Association, Washington, D.C. (2015)
Follner, A., Bartel, A., Bodden, E.: Analyzing the gadgets. In: Caballero, J., et al. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 155–172. Springer, Heidelberg (2016). doi:10.1007/978-3-319-30806-7_10
Follner, A., Bodden, E.: Ropocop - dynamic mitigation of code-reuse attacks. J. Inf. Secur. Appl. 82, 3–22 (2016)
Fraser, L.: Roper. https://github.com/oblivia-simplex/roper
Gallo, M.: Agafi. https://github.com/CoreSecurity/Agafi
Göktas, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: Overcoming control-flow integrity. In: Proceedings of the IEEE Symposium on Security and Privacy SP 2014, pp. 575–589. IEEE Computer Society, Washington, DC (2014)
Howard, M., Miller, M., Lambert, J., Thomlinson, M.: Windows isv software security defenses, December 2010. http://msdn.microsoft.com/en-us/library/bb430720.aspx
Hund, R., Willems, C., Holz, T.: Practical timing side channel attacks against kernel space aslr. In: Proceeding of the IEEE Symposium on Security and Privacy SP 2013, pp. 191–205. IEEE Computer Society, Washington, DC (2013)
Metasploit. Msfrop. http://www.offensive-security.com/metasploit-unleashed/msfrop
Nethercote, N., Seward, J.: Valgrind: a framework for heavyweight dynamic binary instrumentation. In: ACM Sigplan notices, ACM (2007)
Nguyen, A.Q.: Capstone: Next generation disassembly framework. http://www.capstone-engine.org/BHUSA2014-capstone.pdf
Nguyen, A.Q.: Optirop. https://media.blackhat.com/us-13/US-13-Quynh-OptiROP-Hunting-for-ROP-Gadgets-in-Style-WP.pdf
Pakt. Ropc. https://github.com/pakt/ropc
Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent rop exploit mitigation using indirect branch tracing. In: Proceedings of the 22Nd USENIX Conference on Security, SEC 2013, pp. 447–462. USENIX, Berkeley (2013)
Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: Systems, languages, and applications. ACM Trans. Inf. Syst. Secur. 15(1), 2:1–2:34 (2012)
Salwan, J.: Ropgadget. https://github.com/JonathanSalwan/ROPgadget
Schirra, S.: Ropper - rop gadget finder and binary information tool. https://scoding.de/ropper/
Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.-R., Holz, T.: Counterfeit object-oriented programming: on the difficulty of preventing code reuse attacks in C++ applications. In: 36th IEEE Symposium on Security and Privacy (Oakland) (2015)
Schwartz, E.J., Avgerinos, T., Brumley, D.: Q: Exploit hardening made easy. In: Proceedings of the 20th USENIX Conference on Security, SEC 2011, p. 25. USENIX Association, Berkeley (2011)
Serna, F.J.: The info leak era of software exploitation (2012). http://media.blackhat.com/bh-us-12/Briefings/Serna/BH_US_12_Serna_Leak_Era_Slides.pdf
Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and communications security, CCS 2007. ACM, New York, NY (2007)
Shacham, H., Page, M., Pfaff, B., Goh, E.-J., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM Conference on Computer and communications security, CCS 2004, ACM (2004)
Shoshitaishvili, Y., Wang, R., Hauser, C., Kruegel, C., Vigna, G.: Firmalice - automatic detection of authentication bypass vulnerabilities in binary firmware. In: NDSS (2015)
Sol, P.: Deplib. https://www.immunitysec.com/downloads/DEPLIB.pdf
Souchet, A.: rp++. https://github.com/0vercl0k/rp
STIC, P.: Barfgadgets. https://github.com/programa-stic/barf-project
Wailly, A.: nrop. https://github.com/awailly/nrop
Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., Zou, W.: Practical control flow integrity and randomization for binary executables. In: Proceedings of the IEEE Symposium on Security and Privacy, SP 2013, pp. 559–573. IEEE Computer Society, Washington, DC (2013)
Acknowledgments
We would like to thank the anonymous reviewers for their feedback and suggestions on improving the paper. This work was supported, in part, by NSF CNS-1513783, by the German Federal Ministry of Education and Research (BMBF) and by the Hessian Ministry of Science and the Arts within CRISP (www.crisp-da.de), as well as by the Heinz Nixdorf Foundation.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Follner, A. et al. (2016). PSHAPE: Automatically Combining Gadgets for Arbitrary Method Execution. In: Barthe, G., Markatos, E., Samarati, P. (eds) Security and Trust Management. STM 2016. Lecture Notes in Computer Science(), vol 9871. Springer, Cham. https://doi.org/10.1007/978-3-319-46598-2_15
Download citation
DOI: https://doi.org/10.1007/978-3-319-46598-2_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46597-5
Online ISBN: 978-3-319-46598-2
eBook Packages: Computer ScienceComputer Science (R0)