Automated Multi-architectural Discovery of CFI-Resistant Code Gadgets

  • Patrick Wollgast
  • Robert Gawlik
  • Behrad Garmany
  • Benjamin Kollenda
  • Thorsten Holz
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)

Abstract

Memory corruption vulnerabilities are still a severe threat for software systems. To thwart the exploitation of such vulnerabilities, many different kinds of defenses have been proposed in the past. Most prominently, Control-Flow Integrity (CFI) has received a lot of attention recently. Several proposals were published that apply coarse-grained policies with a low performance overhead. However, their security remains questionable as recent attacks have shown.

To ease the assessment of a given CFI implementation, we introduce a framework to discover code gadgets for code-reuse attacks that conform to coarse-grained CFI policies. For this purpose, binary code is extracted and transformed to a symbolic representation in an architecture-independent manner. Additionally, code gadgets are verified to provide the needed functionality for a security researcher. We show that our framework finds more CFI-compatible gadgets compared to other code gadget discovery tools. Furthermore, we demonstrate that code gadgets needed to bypass CFI solutions on the ARM architecture can be discovered by our framework as well.
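As an added illustration (not code from the paper or its framework), the following Python models the two coarse-grained CFI rules the abstract alludes to, returns to call-preceded sites and indirect calls to function entries, alongside an architecture-independent symbolic summary of a basic block; the IR, the sample listing and its addresses are constructed assumptions. It shows why such policies are coarse: any call-preceded address is an acceptable return target regardless of the actual caller, so the policy limits which blocks stay reachable, not what their instructions do.

```python
# Constructed architecture-independent IR, an assumption of this example rather
# than the paper's own lifter output:
#   ("set", dst, src)  ("load", dst, base, off)  ("call", target)  ("icall", reg)  ("ret",)
# A listing maps address -> (length in bytes, IR instruction).

def call_preceded(listing, addr):
    """Return-target rule: the instruction ending exactly at addr must be a call."""
    return any(a + n == addr and insn[0] in ("call", "icall")
               for a, (n, insn) in listing.items())

def transfer_allowed(listing, func_entries, kind, target):
    """Coarse-grained CFI: returns may target any call-preceded site and indirect
    calls/jumps any function entry, regardless of the actual caller or callee."""
    if kind == "ret":
        return call_preceded(listing, target)
    if kind in ("icall", "ijmp"):
        return target in func_entries
    return False

def block_at(listing, addr):
    """Collect IR from addr up to and including the transfer that ends the block."""
    block = []
    while addr in listing:
        n, insn = listing[addr]
        block.append(insn)
        if insn[0] in ("call", "icall", "ret"):
            break
        addr += n
    return block

def symbolic_state(block):
    """Summarise a block's register effects as symbolic expressions over its inputs."""
    state = {}
    val = lambda x: state.get(x, x)  # registers the block never wrote stay symbolic
    for insn in block:
        if insn[0] == "set":
            state[insn[1]] = val(insn[2])
        elif insn[0] == "load":
            state[insn[1]] = f"mem[{val(insn[2])}+{insn[3]}]"
        else:
            break  # the control transfer ends the block
    return state

# Constructed sample: a call site at 0x1000, two ret-terminated blocks, a function at 0x2000.
SAMPLE = {0x1000: (5, ("call", 0x2000)), 0x1005: (3, ("load", "r0", "r1", 8)),
          0x1008: (1, ("ret",)), 0x1009: (2, ("set", "r2", "r0")),
          0x100B: (1, ("ret",)), 0x2000: (2, ("set", "r0", "r1")), 0x2002: (1, ("ret",))}
ENTRIES = {0x1000, 0x2000}
```

Under this policy the block at 0x1005 is a legal return target while the one at 0x1009 is not, even though both end in a return; a stricter (fine-grained) policy would additionally check that the return matches the call that preceded it.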

Keywords

Basic Block, Symbolic Execution, Call Site, Semantic Definition, Conditional Jump

Notes

Acknowledgment

This work was supported by ERC Starting Grant No. 640110 (BASTION).

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Patrick Wollgast (1)
  • Robert Gawlik (1)
  • Behrad Garmany (1)
  • Benjamin Kollenda (1)
  • Thorsten Holz (1)
  1. Horst Görtz Institute for IT-Security (HGI), Ruhr-Universität Bochum, Bochum, Germany