A practical analysis of ROP attacks

Control-flow hijacking attacks have long posed a serious threat to application security: an attacker who violates a program's control-flow integrity can execute arbitrary code. Such attacks can be carried out either by injecting code into the program's memory or by reusing code that already exists in the program (code-reuse attacks). Code-reuse attacks in the form of return-into-libc or return-oriented programming (ROP) attacks are said to be Turing complete, in the sense that a binary is guaranteed to contain code segments (ROP gadgets) from which an attacker can build a suitable ROP chain (a chain of ROP gadgets) to perform any function. Our goal is to study the different techniques for performing ROP attacks and to identify the difficulties encountered in carrying them out. For this purpose, we have designed an automated tool that works on 64-bit systems and generates a ROP chain from ROP gadgets to execute arbitrary system calls.

Ayush Bansal
