Automatic construction of printable return-oriented programming payload

Return-oriented programming (ROP) is a code-reuse technique that is very effective at bypassing DEP. However, the address of an instruction snippet (which we call a gadget) is usually unprintable. This shortcoming limits the practical deployment of ROP attacks, since a non-ASCII scan of the input can detect such a ROP payload. In this paper, we present a novel method that uses only printable gadgets, so the resulting payload evades non-ASCII detection. The method is non-trivial because printable gadgets account for only about 10 percent of all the gadgets that can be found in existing code (e.g., library or program code). In addition, not only every gadget address but also every data word in the ROP payload must be printable. To construct the printable ROP payload, we propose a reverse derivation method that transforms the original shellcode into a printable ROP payload. The transformation is driven by state machines that track the status of the data flows. Experimental results show that our method constructs printable ROP payloads with the same functionality as real-world malicious shellcode, and the construction process is fully automatic.
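The two constraints stated above, that a gadget address is only usable if all of its bytes are printable and that every data word must be printable as well, can be checked mechanically. The following C program is an added example, not the paper's reverse derivation method: it implements the printable-address filter a gadget search would apply, the whole-buffer check a non-ASCII scanner would run on a payload, and one classic workaround for the data-word constraint, namely expressing an arbitrary 32-bit value as 0 minus three printable constants (the same idea as the sub-immediate trick in printable shellcode), which an attacker can materialise with a register-zeroing gadget and a subtract gadget. The printable range 0x21..0x7e (space excluded), the 32-bit little-endian layout, the sample gadget table and the function names are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: "printable" means 0x21..0x7e. Space (0x20) is excluded
   because many input parsers treat it as a delimiter. */
static int byte_printable(uint8_t b) { return b >= 0x21 && b <= 0x7e; }

/* A 32-bit little-endian word (gadget address or inline data word) can
   appear in a printable payload only if all four bytes are printable. */
int word_printable(uint32_t w) {
    for (int i = 0; i < 4; i++)
        if (!byte_printable((uint8_t)(w >> (8 * i))))
            return 0;
    return 1;
}

/* The check a non-ASCII scanner applies to the raw payload bytes. */
int payload_printable(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (!byte_printable(buf[i]))
            return 0;
    return 1;
}

/* Keep only the gadget addresses that are themselves printable.
   Returns how many survive; out must have room for n entries. */
size_t filter_printable(const uint32_t *addrs, size_t n, uint32_t *out) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (word_printable(addrs[i]))
            out[k++] = addrs[i];
    return k;
}

/* Express any 32-bit value as target == 0 - c[0] - c[1] - c[2] (mod 2^32)
   with all three constants printable. Per byte, three values in
   [0x21,0x7e] sum to anything in [0x63,0x17a]; together with a borrow
   from the next byte that covers every residue mod 256, so three
   constants always suffice. */
void printable_sub_chain(uint32_t target, uint32_t c[3]) {
    uint32_t need = 0u - target;         /* c[0]+c[1]+c[2] == need (mod 2^32) */
    int carry = 0;
    c[0] = c[1] = c[2] = 0;
    for (int i = 0; i < 4; i++) {
        int sum = (int)((need >> (8 * i)) & 0xff) - carry;
        carry = 0;
        if (sum < 3 * 0x21) {            /* too small for three printable bytes */
            sum += 256;                  /* borrow: this byte sum overflows into the next */
            carry = 1;
        }
        /* Greedy split of sum into three bytes, each in [0x21,0x7e]. */
        for (int j = 0; j < 3; j++) {
            int b = sum - 0x21 * (2 - j); /* leave room for the remaining bytes */
            if (b > 0x7e) b = 0x7e;
            c[j] |= (uint32_t)b << (8 * i);
            sum -= b;
        }
    }
}

/* 1 if the chain for target uses only printable words and reconstructs it. */
int sub_chain_ok(uint32_t target) {
    uint32_t c[3];
    printable_sub_chain(target, c);
    if (!(word_printable(c[0]) && word_printable(c[1]) && word_printable(c[2])))
        return 0;
    return (uint32_t)(0u - c[0] - c[1] - c[2]) == target;
}

/* Constructed sample gadget table (not real addresses): three of the
   five candidates are printable. */
size_t demo_filter_count(void) {
    const uint32_t addrs[] = {0x41414141u, 0x08048000u, 0x7e7e2f7eu,
                              0x00000000u, 0x31323334u};
    uint32_t out[5];
    return filter_printable(addrs, 5, out);
}

int main(void) {
    uint32_t c[3];
    printable_sub_chain(0x08048e3cu, c);
    printf("printable gadgets kept: %zu of 5\n", demo_filter_count());
    printf("0x08048e3c == 0 - 0x%08x - 0x%08x - 0x%08x : %s\n",
           c[0], c[1], c[2], sub_chain_ok(0x08048e3cu) ? "ok" : "FAIL");
    printf("constants pass the scanner: %d\n",
           payload_printable((const uint8_t *)c, sizeof c));
    return 0;
}
```

The subtraction chain only solves the data-word half of the problem; the gadget that consumes the three constants still has to live at a printable address, which is exactly why the small fraction of printable gadgets, not the encoding of constants, is the hard part the paper addresses.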
