DOI: 10.1145/3545948.3545997
Research article

RiscyROP: Automated Return-Oriented Programming Attacks on RISC-V and ARM64

Published: 26 October 2022

Abstract

Return-oriented programming (ROP) is a powerful run-time exploitation technique to attack vulnerable software. Modern RISC architectures like RISC-V and ARM64 pose new challenges for ROP execution due to the lack of a stack-based return instruction and strict instruction alignment. Further, the large number of caller-saved argument registers significantly reduces the gadget space available to the attacker. Consequently, existing ROP gadget tools for other processor architectures cannot be applied to these RISC architectures. Previous work on RISC-V provides only manual construction of ROP attacks against specially crafted programs, and no analysis of ROP attacks has been conducted for ARM64 yet.
In this paper, we address these challenges and present RiscyROP, the first automated ROP gadget finding and chaining toolkit for RISC-V and ARM64. RiscyROP analyzes available gadgets utilizing symbolic execution, and automatically generates complex multi-stage chains to conduct arbitrary function calls. Our approach enables the first investigation of the gadget space on RISC-V and ARM64 real-world binaries. RiscyROP successfully builds ROP chains that enable an attacker to execute arbitrary function calls for the nginx web server as well as any binary that contains the libc library.



Published In

RAID '22: Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses
October 2022
536 pages
ISBN: 9781450397049
DOI: 10.1145/3545948

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. ARM64
2. Exploitation
3. RISC-V
4. Return-Oriented Programming
5. Symbolic Execution

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

RAID 2022

Acceptance Rates

Overall acceptance rate: 43 of 173 submissions (25%)


Cited By

• (2024) Bridging the Gap: A Survey and Classification of Research-Informed Ethical Hacking Tools. Journal of Cybersecurity and Privacy 4(3):410-448. DOI: 10.3390/jcp4030021. Online publication date: 16 Jul 2024.
• (2024) DeTRAP: RISC-V Return Address Protection With Debug Triggers. 2024 IEEE Secure Development Conference (SecDev), pp. 166-177. DOI: 10.1109/SecDev61143.2024.00021. Online publication date: 7 Oct 2024.
• (2024) Memory Corruption at the Border of Trusted Execution. IEEE Security and Privacy 22(4):87-96. DOI: 10.1109/MSEC.2024.3381439. Online publication date: 1 Jul 2024.
• (2024) TGRop: Top Gun of Return-Oriented Programming Automation. Computer Security – ESORICS 2024, pp. 130-152. DOI: 10.1007/978-3-031-70896-1_7. Online publication date: 6 Sep 2024.
• (2023) Securing Virtual Architecture of Smartphones based on Network Function Virtualization. Metaverse Basic and Applied Research. DOI: 10.56294/mr202337. Online publication date: 8 Apr 2023.
• (2023) SPEAR-V: Secure and Practical Enclave Architecture for RISC-V. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pp. 457-468. DOI: 10.1145/3579856.3595784. Online publication date: 10 Jul 2023.
• (2023) RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 3093-3107. DOI: 10.1145/3576915.3623220. Online publication date: 15 Nov 2023.
• (2023) Whole-Program Control-Flow Path Attestation. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 2680-2694. DOI: 10.1145/3576915.3616687. Online publication date: 15 Nov 2023.
• (2023) Basic secure services for standard RISC-V architectures. Computers and Security 133(C). DOI: 10.1016/j.cose.2023.103415. Online publication date: 1 Oct 2023.
