After a long break, I decided to continue enriching the content of my blog. To conclude my investigation into the automation of Return Oriented Programming Attacks, I am publishing a short PDF presentation of my master thesis work.
Download link: Automating Return Oriented Programming Attacks Presentation
Return oriented programming (ROP) is an exploit technique which avoids code injection by reusing existing code to induce arbitrary behavior in a program. ROP attacks are conducted by chaining available instruction sequences (gadgets) ending in a “return” instruction. While the construction of ROP attacks has been automated, these approaches rely on searching for gadgets using predefined sequences which operate on a fixed set of registers, on the grounds that large and widely distributed chunks of binary code are likely to contain them. As a result, libraries and operating system kernels have been targeted as gadget providers.
We propose an automatic gadget construction targeting stand-alone executables, without relying on libraries or the system kernel. Because the number of available gadgets may be limited, stand-alone executables are likely to offer only a restricted set of instructions operating on distinct registers. Consequently, chaining instructions so that the result of one instruction is used by the following instructions can be achieved only by moving data across registers. For that purpose, we build a graph representing register manipulation instruction sequences (mov, xchg, add, sub, etc.). Each register is a node, and each data movement between registers is an edge. The strongly connected components of the graph provide the available registers, and the shortest paths among those registers describe instruction chaining with minimal data movements. Customizing the gadget search to the available registers increases flexibility when automatically constructing attacks, allowing them to be applied to stand-alone executables, and minimal data movements help optimize the generated attacks.
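The register graph described above, as an added Python example that is not part of the thesis or of this post: a constructed list of gadgets (hypothetical addresses) becomes a graph of data movements between registers, mutual reachability gives the strongly connected components, and a breadth-first search returns the chain with the fewest data movements between two registers.

```python
from collections import deque

# Constructed sample gadgets with hypothetical addresses; each is assumed to be one
# register-manipulation instruction followed by "ret".
GADGETS = [
    (0x401000, "mov eax, ebx"), (0x401010, "mov ecx, eax"),
    (0x401020, "xchg ebx, edx"), (0x401030, "add edx, ecx"),
    (0x401040, "mov esi, edi"),   # edi -> esi only: no path back to edi
]
# add/sub are counted as data movements, as the post lists them (they combine rather than copy).
MOVE_OPS = {"mov", "xchg", "add", "sub"}

def build_graph(gadgets):
    """Registers are nodes; edge src->dst carries the address of the gadget moving data src->dst."""
    graph = {}
    for addr, instr in gadgets:
        mnem, ops = instr.split(None, 1)
        dst, src = (o.strip() for o in ops.split(","))
        if mnem not in MOVE_OPS:
            continue
        graph.setdefault(src, {}).setdefault(dst, addr)
        graph.setdefault(dst, {})
        if mnem == "xchg":          # xchg moves data in both directions
            graph[dst].setdefault(src, addr)
    return graph

def shortest_path(graph, start, goal):
    """BFS: the chain with the fewest data movements, as [(gadget_addr, register_reached), ...]."""
    prev, queue = {start: None}, deque([start])
    while queue:
        reg = queue.popleft()
        if reg == goal:
            path = []
            while prev[reg] is not None:
                src, addr = prev[reg]
                path.append((addr, reg))
                reg = src
            return path[::-1]
        for nxt, addr in graph.get(reg, {}).items():
            if nxt not in prev:
                prev[nxt] = (reg, addr)
                queue.append(nxt)
    return None                     # goal cannot be fed from start at all

def strongly_connected(graph):
    """Registers that can each reach the other: data can be routed between any pair in a component."""
    comps = []
    for reg in graph:
        if not any(reg in c for c in comps):
            comps.append(frozenset(r for r in graph if shortest_path(graph, reg, r) is not None
                                   and shortest_path(graph, r, reg) is not None))
    return comps
```

With the constructed gadgets, eax/ebx/ecx/edx form one component while edi and esi are isolated, and moving data from eax back to ebx needs three gadgets (via ecx and edx).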
Full text of master thesis: Automating Return Oriented Attacks on x86 Architecture