1. Background
Related Work
Contribution
Conclusion
Automating Return Oriented Programming
Attacks
Alen Stojanov
´
Ecole Polytechnique F´d´rale de Lausanne
e e
Programming Methods Laboratory (LAMP)
University of California, Irvine
Secure Systems and Software Laboratory (SSSL)
alen.stojanov@epfl.ch
April 23, 2012
Alen Stojanov Automating Return Oriented Programming Attacks
2. Background
Related Work
Contribution
Conclusion
Motivation
Return oriented programming is an exploit technique.
Hand-crafting ROP attacks is tedious and error prone, and
thus automation is required.
Automating ROP attacks leads to fast generation of attacks
or even higher level attacks
We concentrate on stand-alone binaries and automate the
creation of ROP attacks.
Alen Stojanov Automating Return Oriented Programming Attacks
3. Background
Related Work
Contribution
Conclusion
Return Oriented Programming (ROP)
Return oriented programming (ROP) is an exploit technique
which avoids code injection by reusing existing code to induce
arbitrary behavior in a program.
ROP attacks are conducted by chaining available instruction
sequences (gadgets) ending in a “return” instruction.
Alen Stojanov Automating Return Oriented Programming Attacks
4. Background
Related Work
Contribution
Conclusion
Creating ROP attacks
Attacker using this technique must accomplish two tasks:
Find some way to subvert the program’s control flow from its
normal course:
Stack overflows
Heap overflows
String formatting vulnerabilities
Force the program to act in the manner of his choosing.
Alen Stojanov Automating Return Oriented Programming Attacks
5. Background
Related Work
Return Oriented Programming (ROP)
Contribution
Conclusion
▪ Return Oriented Programming avoids code injection by reusing legitimate code
ROP illustrated
▪ Attackers place addresses of short instruction sequences ending in a return
statement (gadgets) on the stack.
Gadget 1 Simplified ROP
... jailbreak attack
OPEN
0x080 RETURN
Gadget 3
Gadget 2
... ...
Stack growth
CONNECTION ADD EAX, EBX
Gadget 3
RETURN POP EBP
... RETURN
TO THE
Gadget 4
RETURN
...
WHITEHOUSE
0x1C0 RETURN
▪ Each return unwinds the stack and transfers control to the next gadget.
Alen Stojanov Automating Return Oriented Programming Attacks
6. Background
Related Work
Contribution
Conclusion
Variations: Jump Oriented Programming
ROP also has variations such as Jump Oriented Programming.
Instead of using ret instructions, emphasis is on pop reg; jmp reg.
Display_ColorText
...
0x555A08 EAX = “white”
0x555A0C JMP
Audio_LowerVolume
...
0x00555A08 0xABCD00 SUBI #5000, @EBX
0xABCD04 JMP
0x00212508
HelpTexts_IOSpecific
...
Dispacher 0x00ABCD00 0x212500 EBX = “keyboard”
0x212504 else
0x212508 EBX = “mouse”
0x21250C JMP
FileSystem_DirectoryName
...
0x777700 JSR strg_concat_EAX_EBX
0x00777700 0x777704 JMP
0x00919100
PrintManager_Prepare
...
0x919100 JSR open_connection
0x919104 JMP
Alen Stojanov Automating Return Oriented Programming Attacks
7. Background
Related Work
Contribution
Conclusion
ROP Threat
The idea of ROP emerged with the discovery of the stack
overflow attacks in 1997 and evolved as a community work
First introduced in the academic world by H. Shacham in 2007
It bypasses the most widely deployed defence techniques such
as W X and ASLR.
It also affects different computer architectures including x86,
ARM, SPARC, Atmel AVR, and PowerPC
Alen Stojanov Automating Return Oriented Programming Attacks
8. Background
Related Work
Contribution
Conclusion
ROP Threat (cont.)
Current defences resemble peace-meal techniques to address each
variant of code-reuse attacks:
Return-less kernels
Return address verification via hypervisors (HyperCrop)
Binary Instrumentation for ROP detection (ROPdefender)
ROP mitigation via code rewriting for gadgets removal and
return address encoding (G-Free)
Control Flow Integrity (CFI)
Alen Stojanov Automating Return Oriented Programming Attacks
9. Background
Related Work
Contribution
Conclusion
ROP Thread (cont.)
The available protection mechanisms either:
Do not provide comprehensive defence
Introduce high performance overhead
Are not deployed on all affected systems.
This leaves the thread of ROP in the heart of security problems.
Alen Stojanov Automating Return Oriented Programming Attacks
10. Background
Related Work
Contribution
Conclusion
Automatic ROP
Q combines software verification techniques in attack
generation
Return-into-libc provide automation on POSIX complaint
systems
Reverse Engineering Intermediate Language (REIL) provides
automatic gadget search on different architectures.
Return-Oriented Rootkits automate generation of ROP
attacks in the Windows kernel
Alen Stojanov Automating Return Oriented Programming Attacks
11. Background
Related Work
Contribution
Conclusion
Automatic ROP limitations
Related work in automating ROP attacks is limited to:
Gadgets operating on limited set of registers
Predefined templates for gadget search
As a result:
Targeted shared libraries or operating system kernels where
required instructions are likely to be present
Approach unlikely to apply on wider range of smaller binaries
Alen Stojanov Automating Return Oriented Programming Attacks
12. Background
Related Work
Contribution
Conclusion
Contribution
We focus on stand-alone binaries where gadget set is limited
We operate on Linux OS on x86 architecture
Alen Stojanov Automating Return Oriented Programming Attacks
13. Background
Related Work
Contribution
Conclusion
Observation
0x00000000 By analysing different binaries we observe:
Text Segment
Data Segment
Data segment of a typical Linux process can
BSS segment
be used to read and write memory
Heap Most common gadgets available:
pop-gadgets (almost every CPU register)
mov-gadgets (memory and registers)
Memory Mapping add-gadgets (memory and registers)
At least one gadget performing arithmetic
and logical operations is available
Crafting ROP exploit is tedious when only
Stack
few gadgets are available
Alen Stojanov Automating Return Oriented Programming Attacks
14. Background
Related Work
Contribution
Conclusion
Observation (cont.)
If there is no gadget available that does a particular logical or
arithmetical operation we might be able to find suitable
substitution.
Alen Stojanov Automating Return Oriented Programming Attacks
15. Background
Related Work
Contribution
Conclusion
Observation (cont.)
If there is no gadget available that does a particular logical or
arithmetical operation we might be able to find suitable
substitution.
If there is no gadget and no substitution, then that particular
operation will not be available in the ROP attack.
Alen Stojanov Automating Return Oriented Programming Attacks
16. Background
Related Work
Contribution
Conclusion
Observation (cont.)
If there is no gadget available that does a particular logical or
arithmetical operation we might be able to find suitable
substitution.
If there is no gadget and no substitution, then that particular
operation will not be available in the ROP attack.
If there are only few gadgets available, then gadget chaining
requires to move the data between registers, such that the
result of one operation can be used as an input to the next
operation.
Alen Stojanov Automating Return Oriented Programming Attacks
17. Background
Related Work
Contribution
Conclusion
Example
Calculate C = C (edx) −A (ebp) −B (ecx) having:
0xb9268970: add ebp, ecx
ret
0x42295cee: sub eax, edx
inc [esi+0x5D5B]
ret
0x42295cee: mov ecx, eax
ret
Alen Stojanov Automating Return Oriented Programming Attacks
18. Background
Related Work
Contribution
Conclusion
Example
Calculate C = C (edx) −A (ebp) −B (ecx) having:
0xb9268970: add ebp, ecx
1 ret
0x42295cee: sub eax, edx
3 inc [esi+0x5D5B]
ret
0x42295cee: mov ecx, eax
2 ret
Alen Stojanov Automating Return Oriented Programming Attacks
19. Background
Related Work
Contribution
Conclusion
Collateral Damage
In most cases useful gadgets include pop instruction or other
instructions that change the state of some registers before the
return instruction
When those gadgets are used, the value of those registers is
lost and considered as a collateral damage
In other cases, instructions modifying the value of a particular
address relative to some register are also present before the
return instruction.
Those registers must be initialized properly to avoid
segmentation faults.
Alen Stojanov Automating Return Oriented Programming Attacks
20. Background
Related Work
Contribution
Conclusion
Register Transfer Graph
edx edx
Generate Register Transfer
mov mov Graph to analyse data flow
eax cl
between registers and memory
mov mov [ebx,]
Take into consideration the
collateral damage
edi ebx al
mov [ebp,edi,] xchg xchg mov
Discover available register
candidates
eax
Use the graph to chain gadgets
mov xchg mov mov [esi,edi,]
ebp esi ecx
mov [ebp,] mov
X X
esp Pidgin
CPU Register Memory Add. Data Movement
Alen Stojanov Automating Return Oriented Programming Attacks
21. Background
Related Work
Contribution
Conclusion
Intermediate Results
Strongly Connected Components Cardinality (SCCC) gives the
number of registers available for moving data.
Binary Size (b) SCCC
8 ● ● ● ● ●● ●
vlc 1.228 x 10KB 1
master 3.227 x 10KB 0
●
firefox 4.915 x 10KB 1
rpcbind 5.325 x 10KB 2
6 ● amarok 6.963 x 10KB 0
avahi 1.147 x 10KB 3
Available x86 CPU Registers
● ● apache2 4.055 x 100KB 3
cupsd 4.342 x 100KB 3
4 ●
sshd 5.407 x 100KB 5
yast2 5.939 x 100KB 4
● ●●
pidgin 1.049 x 1MB 5
dhclient 1.761 x 1MB 6
Xorg 1.987 x 1MB 7
2 ●
filezilla 2.589 x 1MB 8
mysqld 7.004 x 1MB 8
● ●
smbd 1.017 x 10MB 8
opera 1.706 x 10MB 8
0 ● ●
skype 2.143 x 10MB 8
104.5 105 105.5 106 106.5 107 107.5
acroread 2.393 x 10MB 8
Binary Section Size chrome 5.396 x 10MB 8
Alen Stojanov Automating Return Oriented Programming Attacks
22. Background
Related Work
Contribution
Conclusion
Steps towards automation
Use memory locations available in the data segment of the
process as registers (virtual registers)
Alen Stojanov Automating Return Oriented Programming Attacks
23. Background
Related Work
Contribution
Conclusion
Steps towards automation
Use memory locations available in the data segment of the
process as registers (virtual registers)
Encapsulate available gadgets performing logical or arithmetic
operation to operate on the memory locations by using the
Register Transfer Graph (virtual instructions)
Alen Stojanov Automating Return Oriented Programming Attacks
24. Background
Related Work
Contribution
Conclusion
Encapsulation
Read data from memory location to the gadget registers, and write
back to memory.
edx edx
Data
Segment mov mov
3 eax cl
2
mov mov [ebx,]
edi ebx al
0xb92689782: add ebp, ebx
mov [ebp,edi,] xchg xchg mov
ret
eax
mov xchg mov mov [esi,edi,]
ebp esi ecx
mov [ebp,] mov
esp
Alen Stojanov Automating Return Oriented Programming Attacks
25. Background
Related Work
Contribution
Conclusion
Encapsulation
edx edx
Data
Segment mov mov
3 eax cl
2
mov mov [ebx,]
edi ebx al
0xb92689782: add ebp, ebx
mov [ebp,edi,] xchg xchg mov
ret
eax
mov xchg mov mov [esi,edi,]
ebp esi ecx
mov [ebp,] mov
esp
Alen Stojanov Automating Return Oriented Programming Attacks
26. Background
Related Work
Contribution
Conclusion
Encapsulation
edx edx
Data
Segment mov mov
3 eax cl
2
mov mov [ebx,]
edi ebx al
0xb92689782: add ebp, ebx
mov [ebp,edi,] xchg xchg mov
ret
eax
mov xchg mov mov [esi,edi,]
ebp esi ecx
mov [ebp,] mov
esp
Alen Stojanov Automating Return Oriented Programming Attacks
27. Background
Related Work
Contribution
Conclusion
Encapsulation
edx edx
Data
Segment mov mov
3 eax cl
2
mov mov [ebx,]
5
edi ebx al
0xb92689782: add ebp, ebx
mov [ebp,edi,] xchg xchg mov
ret
eax
mov xchg mov mov [esi,edi,]
ebp esi ecx
mov [ebp,] mov
esp
Alen Stojanov Automating Return Oriented Programming Attacks
28. Background
Related Work
Contribution
Conclusion
Results
add sub inc dec and or xor not neg jmp test cmp
acroread
skype
opera
smbd
mysqld
filezilla
Xorg
dhclient
pidgin
yast2
sshd
cupsd
apache2
avahi
amarok
rpcbind
firefox
master
vlc
Alen Stojanov Automating Return Oriented Programming Attacks
29. Background
Related Work
Contribution
Conclusion
Conclusion
In most cases one gadget having one of the logical or
arithmetic instructions is enough to encapsulate the
computation of all instructions across memory locations.
Once we generate virtual registers and virtual instructions, it
is easy to create a small compiler or interpreter on top of
those instructions.
Automating ROP is possible on stand-alone binaries having
size as little as 400KB.
Alen Stojanov Automating Return Oriented Programming Attacks
30. Background
Related Work
Contribution
Conclusion
Future Work
Extend the automatic attack generation using the Jump
Oriented Programming model.
Automate the conditional branching, to have fully automatic
generation of ROP attacks.
Create a virtual stack that resides in the data segment, or in
any writeable memory section of the process and generate a
higher level language.
Alen Stojanov Automating Return Oriented Programming Attacks
31. Background
Related Work
Contribution
Conclusion
Thank You
Questions ?
Alen Stojanov Automating Return Oriented Programming Attacks