Aggrandizing the beast's limbs: patulous code reuse attack on ARM architecture

Since smartphones are usually personal devices full of private information, they are a popular target for a wide variety of real-world attacks, including Code Reuse Attacks (CRAs). A CRA lets an attacker execute an arbitrary algorithm on a device without injecting any executable code. Because ARM is the standard architecture for mobile devices, we concentrate on the ARM-based CRAs that are currently available. Three types of CRA have so far been proposed on ARM, namely Return2ZP, ROP, and the BLX-attack, corresponding to the three sub-models available on x86: Ret2Libc, ROP, and JOP. In this paper, we consider several unique aspects of the ARM architecture to provide a general model for code reuse attacks, called the Patulous Code Reuse Attack (PCRA). Our attack makes use of all available machine instructions that change the Program Counter (PC), as well as direct and indirect branches, in order to apply the principles of the CRA convention. We demonstrate the effectiveness of our approach by defining five different sub-models of PCRA, explaining the algorithm for finding PCRA gadgets, introducing a useful set of gadgets, and providing a sample proof-of-concept exploit on the Android 4.4 platform. © 2016 ISC. All rights reserved.
