ARG: Automatic ROP Chains Generation

Return Oriented Programming (ROP) chain attacks have been widely used to bypass Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). However, ROP chains are still largely hand-written: techniques for generating them automatically remain insufficiently researched and have few successful applications. Existing automatic methods rely on an Intermediate Language (IL): the semantics of the original instructions are translated into the IL for symbolic execution, and the results are used to fill in a predefined gadget arrangement that yields the gadget list. This approach has two problems: (1) translating the original instructions into the IL costs a large amount of time, and critical instructions may be discarded in the process; (2) populating a predetermined gadget arrangement is inflexible and may fail to construct a ROP chain when the available gadget addresses do not match the arrangement. In this paper, we propose Automatic ROP chain Generation (ARG), the first fully automatic ROP chain generation tool that does not use an IL. Tested on 6 open-source international Capture The Flag (CTF) challenges and 3 Common Vulnerabilities and Exposures (CVE) entries, ARG generated working ROP chains for all of them. According to the obtained results, our technique automatically creates ROP payloads and reduces the ROP exploit payload by up to 80%. A successful exploit takes only 3–5 seconds, compared to at least 60 minutes of manual analysis, and the generated chains bypass both Write XOR Execute ($\text{W} \oplus \text{X}$) and ASLR.
