
Analyzing the Gadgets

Towards a Metric to Measure Gadget Quality

Conference paper, Engineering Secure Software and Systems (ESSoS 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9639)


Abstract

Current low-level exploits often rely on code-reuse, whereby short sections of code (gadgets) are chained together into a coherent exploit that can be executed without the need to inject any code. Several protection mechanisms attempt to eliminate this attack vector by applying code transformations to reduce the number of available gadgets. Nevertheless, it has emerged that the residual gadgets can still be sufficient to conduct a successful attack. Crucially, the lack of a common metric for “gadget quality” hinders the effective comparison of current mitigations.

This work proposes four metrics that assign scores to a set of gadgets, measuring quality, usefulness, and practicality. We apply these metrics to binaries produced when compiling programs for architectures implementing Intel’s recent MPX CPU extensions. Our results demonstrate a 17 % increase in useful gadgets in MPX binaries, and a decrease in side-effects and preconditions, making them better suited for ROP attacks.


The stamp on the top of this paper refers to an approval process conducted by the ESSoS artifact evaluation committee chaired by Alessandra Gorla and Jacques Klein.

At the time this research was conducted Eric Bodden was at Fraunhofer SIT and TU Darmstadt.


Notes

  1. https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898%28v=vs.85%29.aspx
  2. https://msdn.microsoft.com/en-us/library/windows/hardware/ff561499%28v=vs.85%29.aspx
  3. https://msdn.microsoft.com/en-us/library/windows/desktop/aa366887%28v=vs.85%29.aspx
  4. https://github.com/JonathanSalwan/ROPgadget
  5. https://software.intel.com/en-us/articles/intel-software-development-emulator
  6. http://shell-storm.org/project/ROPgadget/
  7. https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
  8. https://scoding.de/ropper/


Acknowledgements

We want to express our thanks to the anonymous reviewers for their valuable comments. In particular, we want to thank our shepherd, Mathias Payer, who helped us give this paper its final form. This work was supported by the BMBF within EC SPRIDE, by the Hessian LOEWE excellence initiative within CASED, by the DFG Collaborative Research Center CROSSING, by the DFG Priority Program 1496 Reliably Secure Software Systems, and the project INTERFLOW.

Author information

Corresponding author: Andreas Follner.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Follner, A., Bartel, A., Bodden, E. (2016). Analyzing the Gadgets. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2016. Lecture Notes in Computer Science, vol 9639. Springer, Cham. https://doi.org/10.1007/978-3-319-30806-7_10


  • DOI: https://doi.org/10.1007/978-3-319-30806-7_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30805-0

  • Online ISBN: 978-3-319-30806-7

  • eBook Packages: Computer Science (R0)
