SlideShare a Scribd company logo

Automating Return Oriented Programming Attacks

ETH Zurich
ETH Zurich

The document discusses automating return oriented programming (ROP) attacks. It begins with background on ROP and related work that has limitations. The contribution is a method to automate ROP attacks on standalone binaries by analyzing the binaries to find usable gadgets despite limited registers and instructions. The conclusion reiterates the focus on standalone binaries to expand automated ROP attacks.

1 of 31
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Background Related Work Contribution Conclusion Automating Return Oriented Programming Attacks Alen Stojanov ´ Ecole Polytechnique F´d´rale de Lausanne e e Programming Methods Laboratory (LAMP) University of California, Irvine Secure Systems and Software Laboratory (SSSL) alen.stojanov@epfl.ch April 23, 2012 Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Motivation Return oriented programming is an exploit technique. Hand-crafting ROP attacks is tedious and error prone, and thus automation is required. Automating ROP attacks leads to fast generation of attacks or even higher level attacks We concentrate on stand-alone binaries and automate the creation of ROP attacks. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Return Oriented Programming (ROP) Return oriented programming (ROP) is an exploit technique which avoids code injection by reusing existing code to induce arbitrary behavior in a program. ROP attacks are conducted by chaining available instruction sequences (gadgets) ending in a “return” instruction. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Creating ROP attacks Attacker using this technique must accomplish two tasks: Find some way to subvert the program’s control flow from its normal course: Stack overflows Heap overflows String formatting vulnerabilities Force the program to act in the manner of his choosing. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Return Oriented Programming (ROP) Contribution Conclusion ▪ Return Oriented Programming avoids code injection by reusing legitimate code ROP illustrated ▪ Attackers place addresses of short instruction sequences ending in a return statement (gadgets) on the stack. Gadget 1 Simplified ROP ... jailbreak attack OPEN 0x080 RETURN Gadget 3 Gadget 2 ... ... Stack growth CONNECTION ADD EAX, EBX Gadget 3 RETURN POP EBP ... RETURN TO THE Gadget 4 RETURN ... WHITEHOUSE 0x1C0 RETURN ▪ Each return unwinds the stack and transfers control to the next gadget. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Variations: Jump Oriented Programming ROP also has variations such as Jump Oriented Programming. Instead of using ret instructions, emphasis is on pop reg; jmp reg. Display_ColorText ... 0x555A08 EAX = “white” 0x555A0C JMP Audio_LowerVolume ... 0x00555A08 0xABCD00 SUBI #5000, @EBX 0xABCD04 JMP 0x00212508 HelpTexts_IOSpecific ... Dispacher 0x00ABCD00 0x212500 EBX = “keyboard” 0x212504 else 0x212508 EBX = “mouse” 0x21250C JMP FileSystem_DirectoryName ... 0x777700 JSR strg_concat_EAX_EBX 0x00777700 0x777704 JMP 0x00919100 PrintManager_Prepare ... 0x919100 JSR open_connection 0x919104 JMP Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion ROP Threat The idea of ROP emerged with the discovery of the stack overflow attacks in 1997 and evolved as a community work First introduced in the academic world by H. Shacham in 2007 It bypasses the most widely deployed defence techniques such as W X and ASLR. It also affects different computer architectures including x86, ARM, SPARC, Atmel AVR, and PowerPC Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion ROP Threat (cont.) Current defences resemble peace-meal techniques to address each variant of code-reuse attacks: Return-less kernels Return address verification via hypervisors (HyperCrop) Binary Instrumentation for ROP detection (ROPdefender) ROP mitigation via code rewriting for gadgets removal and return address encoding (G-Free) Control Flow Integrity (CFI) Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion ROP Thread (cont.) The available protection mechanisms either: Do not provide comprehensive defence Introduce high performance overhead Are not deployed on all affected systems. This leaves the thread of ROP in the heart of security problems. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Automatic ROP Q combines software verification techniques in attack generation Return-into-libc provide automation on POSIX complaint systems Reverse Engineering Intermediate Language (REIL) provides automatic gadget search on different architectures. Return-Oriented Rootkits automate generation of ROP attacks in the Windows kernel Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Automatic ROP limitations Related work in automating ROP attacks is limited to: Gadgets operating on limited set of registers Predefined templates for gadget search As a result: Targeted shared libraries or operating system kernels where required instructions are likely to be present Approach unlikely to apply on wider range of smaller binaries Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Contribution We focus on stand-alone binaries where gadget set is limited We operate on Linux OS on x86 architecture Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Observation 0x00000000 By analysing different binaries we observe: Text Segment Data Segment Data segment of a typical Linux process can BSS segment be used to read and write memory Heap Most common gadgets available: pop-gadgets (almost every CPU register) mov-gadgets (memory and registers) Memory Mapping add-gadgets (memory and registers) At least one gadget performing arithmetic and logical operations is available Crafting ROP exploit is tedious when only Stack few gadgets are available Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Observation (cont.) If there is no gadget available that does a particular logical or arithmetical operation we might be able to find suitable substitution. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Observation (cont.) If there is no gadget available that does a particular logical or arithmetical operation we might be able to find suitable substitution. If there is no gadget and no substitution, then that particular operation will not be available in the ROP attack. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Observation (cont.) If there is no gadget available that does a particular logical or arithmetical operation we might be able to find suitable substitution. If there is no gadget and no substitution, then that particular operation will not be available in the ROP attack. If there are only few gadgets available, then gadget chaining requires to move the data between registers, such that the result of one operation can be used as an input to the next operation. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Example Calculate C = C (edx) −A (ebp) −B (ecx) having: 0xb9268970: add ebp, ecx ret 0x42295cee: sub eax, edx inc [esi+0x5D5B] ret 0x42295cee: mov ecx, eax ret Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Example Calculate C = C (edx) −A (ebp) −B (ecx) having: 0xb9268970: add ebp, ecx 1 ret 0x42295cee: sub eax, edx 3 inc [esi+0x5D5B] ret 0x42295cee: mov ecx, eax 2 ret Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Collateral Damage In most cases useful gadgets include pop instruction or other instructions that change the state of some registers before the return instruction When those gadgets are used, the value of those registers is lost and considered as a collateral damage In other cases, instructions modifying the value of a particular address relative to some register are also present before the return instruction. Those registers must be initialized properly to avoid segmentation faults. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Register Transfer Graph edx edx Generate Register Transfer mov mov Graph to analyse data flow eax cl between registers and memory mov mov [ebx,] Take into consideration the collateral damage edi ebx al mov [ebp,edi,] xchg xchg mov Discover available register candidates eax Use the graph to chain gadgets mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov X X esp Pidgin CPU Register Memory Add. Data Movement Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Intermediate Results Strongly Connected Components Cardinality (SCCC) gives the number of registers available for moving data. Binary Size (b) SCCC 8 ● ● ● ● ●● ● vlc 1.228 x 10KB 1 master 3.227 x 10KB 0 ● firefox 4.915 x 10KB 1 rpcbind 5.325 x 10KB 2 6 ● amarok 6.963 x 10KB 0 avahi 1.147 x 10KB 3 Available x86 CPU Registers ● ● apache2 4.055 x 100KB 3 cupsd 4.342 x 100KB 3 4 ● sshd 5.407 x 100KB 5 yast2 5.939 x 100KB 4 ● ●● pidgin 1.049 x 1MB 5 dhclient 1.761 x 1MB 6 Xorg 1.987 x 1MB 7 2 ● filezilla 2.589 x 1MB 8 mysqld 7.004 x 1MB 8 ● ● smbd 1.017 x 10MB 8 opera 1.706 x 10MB 8 0 ● ● skype 2.143 x 10MB 8 104.5 105 105.5 106 106.5 107 107.5 acroread 2.393 x 10MB 8 Binary Section Size chrome 5.396 x 10MB 8 Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Steps towards automation Use memory locations available in the data segment of the process as registers (virtual registers) Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Steps towards automation Use memory locations available in the data segment of the process as registers (virtual registers) Encapsulate available gadgets performing logical or arithmetic operation to operate on the memory locations by using the Register Transfer Graph (virtual instructions) Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Encapsulation Read data from memory location to the gadget registers, and write back to memory. edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Encapsulation edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Encapsulation edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Encapsulation edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] 5 edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Results add sub inc dec and or xor not neg jmp test cmp acroread skype opera smbd mysqld filezilla Xorg dhclient pidgin yast2 sshd cupsd apache2 avahi amarok rpcbind firefox master vlc Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Conclusion In most cases one gadget having one of the logical or arithmetic instructions is enough to encapsulate the computation of all instructions across memory locations. Once we generate virtual registers and virtual instructions, it is easy to create a small compiler or interpreter on top of those instructions. Automating ROP is possible on stand-alone binaries having size as little as 400KB. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Future Work Extend the automatic attack generation using the Jump Oriented Programming model. Automate the conditional branching, to have fully automatic generation of ROP attacks. Create a virtual stack that resides in the data segment, or in any writeable memory section of the process and generate a higher level language. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Thank You Questions ? Alen Stojanov Automating Return Oriented Programming Attacks
Ad

Recommended

Abstracting Vector Architectures in Library Generators: Case Study Convolutio...
Abstracting Vector Architectures in Library Generators: Case Study Convolutio...
ETH Zurich
 
Android from A to Z
Android from A to Z
Hazem Hagrass
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland
Zoltan Balazs
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented Programming
Jonathan Salwan
 
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injection
guest9f4856
 
Advance ROP Attacks
Advance ROP Attacks
n|u - The Open Security Community
 
Exploitation and State Machines
Exploitation and State Machines
Michael Scovetta
 
Introduction to Return-Oriented Exploitation on ARM64 - Billy Ellis
Introduction to Return-Oriented Exploitation on ARM64 - Billy Ellis
BillyEllis3
 
Protect Data in Your Software Client - Data Obfuscation
Protect Data in Your Software Client - Data Obfuscation
Steven Davis
 
Return Oriented Programming - ROP
Return Oriented Programming - ROP
Mihir Shah
 
Art of Exploit Writing
Art of Exploit Writing
n|u - The Open Security Community
 
Return oriented programming
Return oriented programming
hybr1s
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Miguel Arroyo
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
securityxploded
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part I
n|u - The Open Security Community
 
Return oriented programming (ROP)
Return oriented programming (ROP)
Pipat Methavanitpong
 
BSides Algiers - Reversing Win32 applications - Yacine Hebbal
BSides Algiers - Reversing Win32 applications - Yacine Hebbal
Shellmates
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
securityxploded
 
Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paper
Vincenzo Iozzo
 
fjfh mjgkj jkhglkjh jhlkh lhlkkhl kjhjkhjk
fjfh mjgkj jkhglkjh jhlkh lhlkkhl kjhjkhjk
ahmed8790
 
StackOverflow
StackOverflow
Susam Pal
 
Software(runtime) attacks
Software(runtime) attacks
Amir Neziri
 
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return...
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return...
Marcel Winandy
 
The walking 0xDEAD
The walking 0xDEAD
Carlos Garcia Prado
 
Buffer overflow
Buffer overflow
Jacob Pimental
 
Automated static deobfuscation in the context of Reverse Engineering
Automated static deobfuscation in the context of Reverse Engineering
zynamics GmbH
 
rop heap attacks cfi int overflows computer security
rop heap attacks cfi int overflows computer security
FannyBellows
 
Marat-Slides
Marat-Slides
Marat Vyshegorodtsev
 

More Related Content

Similar to Automating Return Oriented Programming Attacks (20)

Protect Data in Your Software Client - Data Obfuscation
Protect Data in Your Software Client - Data Obfuscation
Steven Davis
 
Return Oriented Programming - ROP
Return Oriented Programming - ROP
Mihir Shah
 
Art of Exploit Writing
Art of Exploit Writing
n|u - The Open Security Community
 
Return oriented programming
Return oriented programming
hybr1s
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Miguel Arroyo
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
securityxploded
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part I
n|u - The Open Security Community
 
Return oriented programming (ROP)
Return oriented programming (ROP)
Pipat Methavanitpong
 
BSides Algiers - Reversing Win32 applications - Yacine Hebbal
BSides Algiers - Reversing Win32 applications - Yacine Hebbal
Shellmates
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
securityxploded
 
Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paper
Vincenzo Iozzo
 
fjfh mjgkj jkhglkjh jhlkh lhlkkhl kjhjkhjk
fjfh mjgkj jkhglkjh jhlkh lhlkkhl kjhjkhjk
ahmed8790
 
StackOverflow
StackOverflow
Susam Pal
 
Software(runtime) attacks
Software(runtime) attacks
Amir Neziri
 
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return...
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return...
Marcel Winandy
 
The walking 0xDEAD
The walking 0xDEAD
Carlos Garcia Prado
 
Buffer overflow
Buffer overflow
Jacob Pimental
 
Automated static deobfuscation in the context of Reverse Engineering
Automated static deobfuscation in the context of Reverse Engineering
zynamics GmbH
 
rop heap attacks cfi int overflows computer security
rop heap attacks cfi int overflows computer security
FannyBellows
 
Marat-Slides
Marat-Slides
Marat Vyshegorodtsev
 
Protect Data in Your Software Client - Data Obfuscation
Protect Data in Your Software Client - Data Obfuscation
Steven Davis
 
Return Oriented Programming - ROP
Return Oriented Programming - ROP
Mihir Shah
 
Art of Exploit Writing
Art of Exploit Writing
n|u - The Open Security Community
 
Return oriented programming
Return oriented programming
hybr1s
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Miguel Arroyo
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
securityxploded
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part I
n|u - The Open Security Community
 
Return oriented programming (ROP)
Return oriented programming (ROP)
Pipat Methavanitpong
 
BSides Algiers - Reversing Win32 applications - Yacine Hebbal
BSides Algiers - Reversing Win32 applications - Yacine Hebbal
Shellmates
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
securityxploded
 
Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paper
Vincenzo Iozzo
 
fjfh mjgkj jkhglkjh jhlkh lhlkkhl kjhjkhjk
fjfh mjgkj jkhglkjh jhlkh lhlkkhl kjhjkhjk
ahmed8790
 
StackOverflow
StackOverflow
Susam Pal
 
Software(runtime) attacks
Software(runtime) attacks
Amir Neziri
 
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return...
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return...
Marcel Winandy
 
The walking 0xDEAD
The walking 0xDEAD
Carlos Garcia Prado
 
Buffer overflow
Buffer overflow
Jacob Pimental
 
Automated static deobfuscation in the context of Reverse Engineering
Automated static deobfuscation in the context of Reverse Engineering
zynamics GmbH
 
rop heap attacks cfi int overflows computer security
rop heap attacks cfi int overflows computer security
FannyBellows
 
Marat-Slides
Marat-Slides
Marat Vyshegorodtsev
 

Automating Return Oriented Programming Attacks

  • 1. Background Related Work Contribution Conclusion Automating Return Oriented Programming Attacks Alen Stojanov ´ Ecole Polytechnique F´d´rale de Lausanne e e Programming Methods Laboratory (LAMP) University of California, Irvine Secure Systems and Software Laboratory (SSSL) alen.stojanov@epfl.ch April 23, 2012 Alen Stojanov Automating Return Oriented Programming Attacks
  • 2. Background Related Work Contribution Conclusion Motivation Return oriented programming is an exploit technique. Hand-crafting ROP attacks is tedious and error prone, and thus automation is required. Automating ROP attacks leads to fast generation of attacks or even higher level attacks We concentrate on stand-alone binaries and automate the creation of ROP attacks. Alen Stojanov Automating Return Oriented Programming Attacks
  • 3. Background Related Work Contribution Conclusion Return Oriented Programming (ROP) Return oriented programming (ROP) is an exploit technique which avoids code injection by reusing existing code to induce arbitrary behavior in a program. ROP attacks are conducted by chaining available instruction sequences (gadgets) ending in a “return” instruction. Alen Stojanov Automating Return Oriented Programming Attacks
  • 4. Background Related Work Contribution Conclusion Creating ROP attacks Attacker using this technique must accomplish two tasks: Find some way to subvert the program’s control flow from its normal course: Stack overflows Heap overflows String formatting vulnerabilities Force the program to act in the manner of his choosing. Alen Stojanov Automating Return Oriented Programming Attacks
  • 5. Background Related Work Return Oriented Programming (ROP) Contribution Conclusion ▪ Return Oriented Programming avoids code injection by reusing legitimate code ROP illustrated ▪ Attackers place addresses of short instruction sequences ending in a return statement (gadgets) on the stack. Gadget 1 Simplified ROP ... jailbreak attack OPEN 0x080 RETURN Gadget 3 Gadget 2 ... ... Stack growth CONNECTION ADD EAX, EBX Gadget 3 RETURN POP EBP ... RETURN TO THE Gadget 4 RETURN ... WHITEHOUSE 0x1C0 RETURN ▪ Each return unwinds the stack and transfers control to the next gadget. Alen Stojanov Automating Return Oriented Programming Attacks
  • 6. Background Related Work Contribution Conclusion Variations: Jump Oriented Programming ROP also has variations such as Jump Oriented Programming. Instead of using ret instructions, emphasis is on pop reg; jmp reg. Display_ColorText ... 0x555A08 EAX = “white” 0x555A0C JMP Audio_LowerVolume ... 0x00555A08 0xABCD00 SUBI #5000, @EBX 0xABCD04 JMP 0x00212508 HelpTexts_IOSpecific ... Dispacher 0x00ABCD00 0x212500 EBX = “keyboard” 0x212504 else 0x212508 EBX = “mouse” 0x21250C JMP FileSystem_DirectoryName ... 0x777700 JSR strg_concat_EAX_EBX 0x00777700 0x777704 JMP 0x00919100 PrintManager_Prepare ... 0x919100 JSR open_connection 0x919104 JMP Alen Stojanov Automating Return Oriented Programming Attacks
  • 7. Background Related Work Contribution Conclusion ROP Threat The idea of ROP emerged with the discovery of the stack overflow attacks in 1997 and evolved as a community work First introduced in the academic world by H. Shacham in 2007 It bypasses the most widely deployed defence techniques such as W X and ASLR. It also affects different computer architectures including x86, ARM, SPARC, Atmel AVR, and PowerPC Alen Stojanov Automating Return Oriented Programming Attacks
  • 8. Background Related Work Contribution Conclusion ROP Threat (cont.) Current defences resemble peace-meal techniques to address each variant of code-reuse attacks: Return-less kernels Return address verification via hypervisors (HyperCrop) Binary Instrumentation for ROP detection (ROPdefender) ROP mitigation via code rewriting for gadgets removal and return address encoding (G-Free) Control Flow Integrity (CFI) Alen Stojanov Automating Return Oriented Programming Attacks
  • 9. Background Related Work Contribution Conclusion ROP Thread (cont.) The available protection mechanisms either: Do not provide comprehensive defence Introduce high performance overhead Are not deployed on all affected systems. This leaves the thread of ROP in the heart of security problems. Alen Stojanov Automating Return Oriented Programming Attacks
  • 10. Background Related Work Contribution Conclusion Automatic ROP Q combines software verification techniques in attack generation Return-into-libc provide automation on POSIX complaint systems Reverse Engineering Intermediate Language (REIL) provides automatic gadget search on different architectures. Return-Oriented Rootkits automate generation of ROP attacks in the Windows kernel Alen Stojanov Automating Return Oriented Programming Attacks
  • 11. Background Related Work Contribution Conclusion Automatic ROP limitations Related work in automating ROP attacks is limited to: Gadgets operating on limited set of registers Predefined templates for gadget search As a result: Targeted shared libraries or operating system kernels where required instructions are likely to be present Approach unlikely to apply on wider range of smaller binaries Alen Stojanov Automating Return Oriented Programming Attacks
  • 12. Background Related Work Contribution Conclusion Contribution We focus on stand-alone binaries where gadget set is limited We operate on Linux OS on x86 architecture Alen Stojanov Automating Return Oriented Programming Attacks
  • 13. Background Related Work Contribution Conclusion Observation 0x00000000 By analysing different binaries we observe: Text Segment Data Segment Data segment of a typical Linux process can BSS segment be used to read and write memory Heap Most common gadgets available: pop-gadgets (almost every CPU register) mov-gadgets (memory and registers) Memory Mapping add-gadgets (memory and registers) At least one gadget performing arithmetic and logical operations is available Crafting ROP exploit is tedious when only Stack few gadgets are available Alen Stojanov Automating Return Oriented Programming Attacks
  • 14. Background Related Work Contribution Conclusion Observation (cont.) If there is no gadget available that does a particular logical or arithmetical operation we might be able to find suitable substitution. Alen Stojanov Automating Return Oriented Programming Attacks
  • 15. Background Related Work Contribution Conclusion Observation (cont.) If there is no gadget available that does a particular logical or arithmetical operation we might be able to find suitable substitution. If there is no gadget and no substitution, then that particular operation will not be available in the ROP attack. Alen Stojanov Automating Return Oriented Programming Attacks
  • 16. Background Related Work Contribution Conclusion Observation (cont.) If there is no gadget available that does a particular logical or arithmetical operation we might be able to find suitable substitution. If there is no gadget and no substitution, then that particular operation will not be available in the ROP attack. If there are only few gadgets available, then gadget chaining requires to move the data between registers, such that the result of one operation can be used as an input to the next operation. Alen Stojanov Automating Return Oriented Programming Attacks
  • 17. Background Related Work Contribution Conclusion Example Calculate C = C (edx) −A (ebp) −B (ecx) having: 0xb9268970: add ebp, ecx ret 0x42295cee: sub eax, edx inc [esi+0x5D5B] ret 0x42295cee: mov ecx, eax ret Alen Stojanov Automating Return Oriented Programming Attacks
  • 18. Background Related Work Contribution Conclusion Example Calculate C = C (edx) −A (ebp) −B (ecx) having: 0xb9268970: add ebp, ecx 1 ret 0x42295cee: sub eax, edx 3 inc [esi+0x5D5B] ret 0x42295cee: mov ecx, eax 2 ret Alen Stojanov Automating Return Oriented Programming Attacks
  • 19. Background Related Work Contribution Conclusion Collateral Damage In most cases useful gadgets include pop instruction or other instructions that change the state of some registers before the return instruction When those gadgets are used, the value of those registers is lost and considered as a collateral damage In other cases, instructions modifying the value of a particular address relative to some register are also present before the return instruction. Those registers must be initialized properly to avoid segmentation faults. Alen Stojanov Automating Return Oriented Programming Attacks
  • 20. Background Related Work Contribution Conclusion Register Transfer Graph edx edx Generate Register Transfer mov mov Graph to analyse data flow eax cl between registers and memory mov mov [ebx,] Take into consideration the collateral damage edi ebx al mov [ebp,edi,] xchg xchg mov Discover available register candidates eax Use the graph to chain gadgets mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov X X esp Pidgin CPU Register Memory Add. Data Movement Alen Stojanov Automating Return Oriented Programming Attacks
  • 21. Background Related Work Contribution Conclusion Intermediate Results Strongly Connected Components Cardinality (SCCC) gives the number of registers available for moving data. Binary Size (b) SCCC 8 ● ● ● ● ●● ● vlc 1.228 x 10KB 1 master 3.227 x 10KB 0 ● firefox 4.915 x 10KB 1 rpcbind 5.325 x 10KB 2 6 ● amarok 6.963 x 10KB 0 avahi 1.147 x 10KB 3 Available x86 CPU Registers ● ● apache2 4.055 x 100KB 3 cupsd 4.342 x 100KB 3 4 ● sshd 5.407 x 100KB 5 yast2 5.939 x 100KB 4 ● ●● pidgin 1.049 x 1MB 5 dhclient 1.761 x 1MB 6 Xorg 1.987 x 1MB 7 2 ● filezilla 2.589 x 1MB 8 mysqld 7.004 x 1MB 8 ● ● smbd 1.017 x 10MB 8 opera 1.706 x 10MB 8 0 ● ● skype 2.143 x 10MB 8 104.5 105 105.5 106 106.5 107 107.5 acroread 2.393 x 10MB 8 Binary Section Size chrome 5.396 x 10MB 8 Alen Stojanov Automating Return Oriented Programming Attacks
  • 22. Background Related Work Contribution Conclusion Steps towards automation Use memory locations available in the data segment of the process as registers (virtual registers) Alen Stojanov Automating Return Oriented Programming Attacks
  • 23. Background Related Work Contribution Conclusion Steps towards automation Use memory locations available in the data segment of the process as registers (virtual registers) Encapsulate available gadgets performing logical or arithmetic operation to operate on the memory locations by using the Register Transfer Graph (virtual instructions) Alen Stojanov Automating Return Oriented Programming Attacks
  • 24. Background Related Work Contribution Conclusion Encapsulation Read data from memory location to the gadget registers, and write back to memory. edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
  • 25. Background Related Work Contribution Conclusion Encapsulation edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
  • 26. Background Related Work Contribution Conclusion Encapsulation edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
  • 27. Background Related Work Contribution Conclusion Encapsulation edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] 5 edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
  • 28. Background Related Work Contribution Conclusion Results add sub inc dec and or xor not neg jmp test cmp acroread skype opera smbd mysqld filezilla Xorg dhclient pidgin yast2 sshd cupsd apache2 avahi amarok rpcbind firefox master vlc Alen Stojanov Automating Return Oriented Programming Attacks
  • 29. Background Related Work Contribution Conclusion Conclusion In most cases one gadget having one of the logical or arithmetic instructions is enough to encapsulate the computation of all instructions across memory locations. Once we generate virtual registers and virtual instructions, it is easy to create a small compiler or interpreter on top of those instructions. Automating ROP is possible on stand-alone binaries having size as little as 400KB. Alen Stojanov Automating Return Oriented Programming Attacks
  • 30. Background Related Work Contribution Conclusion Future Work Extend the automatic attack generation using the Jump Oriented Programming model. Automate the conditional branching, to have fully automatic generation of ROP attacks. Create a virtual stack that resides in the data segment, or in any writeable memory section of the process and generate a higher level language. Alen Stojanov Automating Return Oriented Programming Attacks
  • 31. Background Related Work Contribution Conclusion Thank You Questions ? Alen Stojanov Automating Return Oriented Programming Attacks