Tiny jump-oriented programming attack (A class of code reuse attacks)

Code reuse attacks such as return-oriented programming (ROP) and jump-oriented programming (JOP) have become the most popular exploitation techniques among attackers. Many defenses, practical and otherwise, have been proposed; they differ in their overhead, in whether they require source code, in detection rate and in implementation dependencies. What most of them share, however, is that they look for the behavior common to all code reuse attacks: the construction of a gadget chain. What counts as a gadget, and how short an attack chain can be, are therefore contested questions. A conservative threshold produces false positive alarms, a relaxed one false negatives. The main contribution of this paper is a subtle variant of code reuse, Tiny Jump-oriented Programming (Tiny-JOP), that demonstrates the ineffectiveness of threshold-based detection methods. We demonstrate the practicality of the approach by implementing a proof-of-concept shellcode and exploiting a real-world buffer overflow vulnerability in HT Editor 2.0.20.
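The threshold trade-off the abstract describes can be made concrete with a small model of a chain-length detector. The following is an added example, not code from the paper or from any of the detection tools it evaluates: a generic monitor that treats every block of at most K instructions ending in an indirect branch as a gadget and raises an alarm when at least N such gadgets run back to back. The three branch traces (a six-gadget JOP chain, a two-gadget "tiny" chain, and benign code whose PLT stub, jump-table switch and function-pointer call happen to produce three short blocks in a row) are constructed for the example; the addresses in them are placeholders, not gadgets from any real binary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One indirect control transfer as a (hypothetical) branch monitor would
 * record it: how many instructions ran since the previous indirect branch,
 * and where this one went.  All values below are constructed for the
 * example, not taken from a real program or from the paper. */
typedef struct {
    size_t   insns_since_last_branch;
    uint32_t target;
} branch_event;

#define ARRAY_LEN(a) (sizeof (a) / sizeof ((a)[0]))

/* Longest run of consecutive "gadgets", where a gadget is a block of at
 * most max_gadget_insns instructions ending in an indirect branch.  A
 * longer block is treated as ordinary code and breaks the run. */
size_t longest_gadget_run(const branch_event *trace, size_t n, size_t max_gadget_insns)
{
    size_t run = 0, longest = 0;
    for (size_t i = 0; i < n; i++) {
        if (trace[i].insns_since_last_branch <= max_gadget_insns) {
            run++;
            if (run > longest)
                longest = run;
        } else {
            run = 0;
        }
    }
    return longest;
}

/* Threshold-based detection: alarm iff the trace contains at least
 * chain_threshold gadgets back to back. */
bool chain_alarm(const branch_event *trace, size_t n,
                 size_t max_gadget_insns, size_t chain_threshold)
{
    return longest_gadget_run(trace, n, max_gadget_insns) >= chain_threshold;
}

/* Constructed trace 1: a conventional JOP chain of six short gadgets,
 * all dispatched through the same indirect jump (placeholder address). */
static const branch_event classic_jop[] = {
    { 3, 0x08049a10 }, { 2, 0x08049a10 }, { 4, 0x08049a10 },
    { 1, 0x08049a10 }, { 3, 0x08049a10 }, { 2, 0x08049a10 },
};

/* Constructed trace 2: a tiny chain.  Normal code (12 instructions) runs
 * up to the hijacked branch, two short gadgets do the work, then control
 * lands in a long library routine and the chain is over. */
static const branch_event tiny_jop[] = {
    { 12, 0x08049a10 }, { 3, 0x08049a20 }, { 2, 0x08052c00 }, { 40, 0x08048f00 },
};

/* Constructed trace 3: benign code.  A one-instruction PLT stub, a switch
 * dispatched through a jump table and a call through a function pointer
 * produce three short indirect-branch blocks in a row. */
static const branch_event benign[] = {
    { 8, 0x08048620 }, { 1, 0xb7e1c0a0 }, { 2, 0x080487c4 },
    { 3, 0x08048a30 }, { 30, 0x08048b00 }, { 2, 0x08048c10 }, { 15, 0x08048d00 },
};

/* k = maximum gadget length in instructions, n = chain-length threshold. */
bool alarm_classic(size_t k, size_t n) { return chain_alarm(classic_jop, ARRAY_LEN(classic_jop), k, n); }
bool alarm_tiny(size_t k, size_t n)    { return chain_alarm(tiny_jop, ARRAY_LEN(tiny_jop), k, n); }
bool alarm_benign(size_t k, size_t n)  { return chain_alarm(benign, ARRAY_LEN(benign), k, n); }

int main(void)
{
    const size_t k = 5;                       /* gadget: at most 5 instructions */
    const size_t thresholds[] = { 5, 3, 2 };  /* chain lengths to try */

    printf("%-10s %-8s %-8s %-8s\n", "threshold", "classic", "tiny", "benign");
    for (size_t i = 0; i < ARRAY_LEN(thresholds); i++) {
        size_t n = thresholds[i];
        printf("%-10zu %-8s %-8s %-8s\n", n,
               alarm_classic(k, n) ? "alarm" : "-",
               alarm_tiny(k, n)    ? "alarm" : "-",
               alarm_benign(k, n)  ? "alarm" : "-");
    }
    return 0;
}
```

With the threshold at five gadgets the classic chain is caught, the tiny chain is not, and benign code stays quiet. Lowering the threshold until the two-gadget chain is caught (N = 2) also flags the benign trace, and even N = 3 already produces the false positive without closing the gap: there is no value of N that separates the constructed tiny chain from ordinary code, which is the point the abstract makes about conservative versus relaxed thresholds.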
