Abstract
Return-oriented programming (ROP) and jump-oriented programming (JOP) are two well-known code-reuse attacks in which short code sequences (gadgets) ending in ret or jmp instructions are located and chained in a specific order to execute the attacker's payload. Compared to ROP, JOP is even more effective because it does not rely on the ret instruction at all and can therefore bypass newer defense mechanisms aimed at ROP. In this paper we continue this line of work by proposing Pure-Call Oriented Programming (PCOP). In PCOP, control flow is driven by special gadgets that all end in a call instruction rather than ret or jmp. We then propose techniques for chaining these gadgets that remove the side effects arising from call-ending gadgets. The idea of call-ending gadgets, under the term Call Oriented Programming, has been noted in some previous work, but because of the side effects of the call instruction their use was limited to one or two call-ending gadgets between other ret/jmp gadgets. Our work is the first to show real code-reuse attacks based solely on call gadgets. We also show that the proposed approach is Turing-complete, meaning that any functionality can be driven by PCOP. We have successfully identified call-oriented gadgets inside the GNU libc library, and our experiments with example shellcodes show the practicality of the approach. Finally, we propose a variant of PCOP named TinyCOP which resists detection by recent code-reuse defense mechanisms.
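The side effect the abstract refers to is that, unlike jmp, every call pushes a return address, so a chain of call-ending gadgets moves the stack pointer down by one word per gadget unless something discards those words. The following simulator is an added example and is not the paper's code or its actual chaining technique: it models a 32-bit stack, a JOP-style dispatcher gadget (add edx,4 ; call [edx]) and two functional gadgets that end in call, and measures the net stack drift with and without an assumed fixup in which each gadget begins with pop ecx to discard the word the preceding call pushed. Gadget names, the dispatch table and the 0xDEAD... return-address placeholders are all constructed for the example.

```c
/* Added example: simulate why call-ending gadgets need side-effect removal.
 * Not from the PCOP paper; dispatcher design borrowed from JOP, fixup assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define STACK_BASE  0x1000u        /* lowest byte address of the simulated stack */
#define STACK_WORDS 64             /* 64 x 4-byte words */

typedef struct cpu cpu_t;
typedef void (*gadget_fn)(cpu_t *);

struct cpu {
    uint32_t esp;                  /* simulated stack pointer (byte address) */
    uint32_t eax, ecx;             /* eax: payload register, ecx: scratch */
    uint32_t mem[STACK_WORDS];     /* simulated stack memory */
    const gadget_fn *table;        /* dispatch table of gadget "addresses" */
    size_t edx;                    /* dispatcher index register */
    size_t nchain;                 /* number of entries in the table */
    int fixup;                     /* 1: every gadget discards its pushed return address */
    int depth;                     /* guard so a runaway chain cannot underflow mem[] */
};

static void push(cpu_t *c, uint32_t v) {
    c->esp -= 4;
    c->mem[(c->esp - STACK_BASE) / 4] = v;
}
static uint32_t pop(cpu_t *c) {
    uint32_t v = c->mem[(c->esp - STACK_BASE) / 4];
    c->esp += 4;
    return v;
}

/* "call target": the CPU pushes a return address, then transfers control.
 * That pushed word is the side effect a pure-call chain has to deal with.
 * 0xDEAD0000|edx is a constructed placeholder for the return address. */
static void emu_call(cpu_t *c, gadget_fn target) {
    if (c->depth >= STACK_WORDS) return;   /* simulator safety net only */
    c->depth++;
    push(c, 0xDEAD0000u | (uint32_t)c->edx);
    target(c);
}

/* Assumed fixup (not the paper's technique): a gadget that starts with
 * "pop ecx" throws away the return address left by the call that reached it. */
static void discard_retaddr(cpu_t *c) { if (c->fixup) c->ecx = pop(c); }

static void dispatcher(cpu_t *c);

/* Functional gadget: "inc eax ; call esi"   (esi -> dispatcher) */
static void gadget_inc_eax(cpu_t *c) { discard_retaddr(c); c->eax += 1;  emu_call(c, dispatcher); }
/* Functional gadget: "shl eax,1 ; call esi" */
static void gadget_shl_eax(cpu_t *c) { discard_retaddr(c); c->eax <<= 1; emu_call(c, dispatcher); }
/* Terminal gadget: stands in for a final kernel-trapper gadget; ends the chain. */
static void gadget_end(cpu_t *c)     { discard_retaddr(c); }

/* Dispatcher gadget: "add edx,4 ; call [edx]"; here edx indexes the table directly. */
static void dispatcher(cpu_t *c) {
    discard_retaddr(c);
    c->edx += 1;
    if (c->edx >= c->nchain) return;
    emu_call(c, c->table[c->edx]);
}

/* Runs a chain starting at table[0]. Returns the net change of esp in bytes
 * (0 means the stack is balanced); the payload result is written to *eax_out. */
static int run_chain(const gadget_fn *table, size_t n, int fixup, uint32_t *eax_out) {
    cpu_t c = {0};
    c.esp = STACK_BASE + 4 * STACK_WORDS;   /* empty stack at top of the region */
    c.table = table; c.nchain = n; c.fixup = fixup; c.edx = 0;
    uint32_t esp0 = c.esp;
    emu_call(&c, table[0]);                 /* the hijacked initial call into the chain */
    if (eax_out) *eax_out = c.eax;
    return (int)c.esp - (int)esp0;
}

/* Constructed chain computing eax = ((0+1+1)<<1)+1 = 5 with four functional gadgets. */
static const gadget_fn demo_chain[] = {
    gadget_inc_eax, gadget_inc_eax, gadget_shl_eax, gadget_inc_eax, gadget_end
};
static const size_t demo_chain_len = sizeof demo_chain / sizeof demo_chain[0];

int main(void) {
    uint32_t eax;
    int drift = run_chain(demo_chain, demo_chain_len, 0, &eax);
    printf("no fixup : eax=%u esp drift=%d bytes (9 calls, 9 pushed words)\n", eax, drift);
    drift = run_chain(demo_chain, demo_chain_len, 1, &eax);
    printf("with pop : eax=%u esp drift=%d bytes\n", eax, drift);
    return 0;
}
```

Without the fixup the four-gadget chain performs nine calls (initial call, four gadget-to-dispatcher calls and four dispatcher-to-gadget calls) and leaves nine stale return addresses on the stack; after a long payload, or in a loop, that drift runs into whatever lies below the stack region. With each gadget discarding the word pushed onto it, the payload result is unchanged and esp ends where it started, which is the property the paper's chaining techniques must provide.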
Notes
One question that might come to mind is why one of the 1-syscall shellcodes cannot be converted into its equivalent PCOP shellcode. The reason is that this shellcode, used in the fork-bomb attack, uses the sys_fork syscall (No. 0x02), and in the libc library (ver. 2.19) there is no kernel-trapper gadget for the sys_fork syscall.
This work is supported by APA research center (http://apa.aut.ac.ir) at Amirkabir University of Technology, Tehran, Iran.
Cite this article
Sadeghi, A., Niksefat, S. & Rostamipour, M. Pure-Call Oriented Programming (PCOP): chaining the gadgets using call instructions. J Comput Virol Hack Tech 14, 139–156 (2018). https://doi.org/10.1007/s11416-017-0299-1