
Pure-Call Oriented Programming (PCOP): chaining the gadgets using call instructions

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Return-oriented programming (ROP) and jump-oriented programming (JOP) are two well-known code-reuse attacks in which short code sequences ending in ret or jmp instructions are located and chained in a specific order to execute the attacker’s desired payload. JOP, compared to ROP, is even more effective because it can be invoked without any reliance on the ret instruction and can therefore bypass newer defense mechanisms against ROP. In this paper, we continue this line of work by proposing Pure-Call Oriented Programming (PCOP). In PCOP, we drive the control flow with special gadgets that all end in a call instruction rather than ret or jmp. We then propose techniques for chaining gadgets that remove the side effects arising from the call-ending gadgets. The idea of call-ending gadgets, under the term Call Oriented Programming, has been noted in some previous work, but the use of call gadgets in those works was limited, due to the side effects of the call instruction, to one or two call-ending gadgets between other ret/jmp gadgets. Our work is the first to show real code-reuse attacks based solely on call gadgets. We also show that our proposed approach is Turing-complete, meaning that any functionality can be driven by PCOP. We have successfully identified call-oriented gadgets inside the GNU libc library. Our experiments with the example shellcode show the practicality of the proposed approach. Finally, we propose a variant of PCOP named TinyCOP which resists detection by recent code-reuse defense mechanisms.



Notes

  1. One question that might come to mind is why one of the 1-syscall shellcodes cannot be converted into its equivalent PCOP shellcode. The reason is that this shellcode, used in the Forkbomb attack, uses the sys_fork syscall (No. 0x02), and in the libc library (ver. 2.19) there is no kernel-trapper gadget with the sys_fork syscall.


Author information

Corresponding author: Salman Niksefat.

Additional information

This work is supported by APA research center (http://apa.aut.ac.ir) at Amirkabir University of Technology, Tehran, Iran.


Cite this article

Sadeghi, A., Niksefat, S. & Rostamipour, M. Pure-Call Oriented Programming (PCOP): chaining the gadgets using call instructions. J Comput Virol Hack Tech 14, 139–156 (2018). https://doi.org/10.1007/s11416-017-0299-1


  • DOI: https://doi.org/10.1007/s11416-017-0299-1
