PSHAPE: Automatically Combining Gadgets for Arbitrary Method Execution

  • Andreas FollnerEmail author
  • Alexandre Bartel
  • Hui Peng
  • Yu-Chen Chang
  • Kyriakos Ispoglou
  • Mathias Payer
  • Eric Bodden
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9871)


Return-Oriented Programming (ROP) is the cornerstone of today’s exploits. Yet, building ROP chains is predominantly a manual task, enjoying limited tool support. Many of the available tools contain bugs, are not tailored to the needs of exploit development in the real world and do not offer practical support to analysts, which is why they are seldom used for any tasks beyond gadget discovery. We present PSHAPE (Practical Support for Half-Automated Program Exploitation), a tool which assists analysts in exploit development. It discovers gadgets, chains gadgets together, and ensures that side effects such as register dereferences do not crash the program. Furthermore, we introduce the notion of gadget summaries, a compact representation of the effects a gadget or a chain of gadgets has on memory and registers. These semantic summaries enable analysts to quickly determine the usefulness of long, complex gadgets that use a lot of aliasing or involve memory accesses. Case studies on nine real binaries representing 147 MiB of code show PSHAPE’s usefulness: it automatically builds usable ROP chains for nine out of eleven scenarios.


Memory Location Mitigation Technique Conditional Jump Privileged Instruction Window Binary 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would like to thank the anonymous reviewers for their feedback and suggestions on improving the paper. This work was supported, in part, by NSF CNS-1513783, by the German Federal Ministry of Education and Research (BMBF) and by the Hessian Ministry of Science and the Arts within CRISP (, as well as by the Heinz Nixdorf Foundation.


  1. 1.
    Andersen, S., Abella, V.: Memory protection technologies., August 2004
  2. 2.
    Athanasakis, M., Athanasopoulos, E., Polychronakis, M., Portokalidis, G., Ioannidis, S.: The devil is in the constants: Bypassing defenses in browser JIT engines. In: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, February 8–11, 2014 (2015)Google Scholar
  3. 3.
    Bittau, A., Belay, A., Mashtizadeh, A., Mazières, D., Boneh, D.: Hacking blind. In: Proceedings of the IEEE Symposium on Security and Privacy, SP 2014, pp. 227–242. IEEE Computer Society, Washington, DC (2014)Google Scholar
  4. 4.
    Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, pp. 30–40. ACM, New York (2011)Google Scholar
  5. 5.
    Bray, B.: Compiler security checks in depth, February 2002.
  6. 6.
    Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (USA, 2010), CCS 2010, pp. 559–572. ACM, New York, NY (2010)Google Scholar
  7. 7.
  8. 8.
    Cheng, Y., Zhou, Z., Yu, M., Ding, X., Deng, R.H.: Ropecker: A generic and practical approach for defending against ROP attacks. In: NDSS (2014)Google Scholar
  9. 9.
    Davi, L., Sadeghi, A.-R., Winandy, M.: Ropdefender: a detection tool to defend against return-oriented programming attacks. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, pp. 40–51. ACM, New York (2011)Google Scholar
  10. 10.
    Dinh, L.L.: Ropeme - rop exploit made easy.
  11. 11.
    Eeckhoutte, P. V.
  12. 12.
    Federico, A.D., Cama, A., Shoshitaishvili, Y., Kruegel, C., Vigna, G.: How the elf ruined christmas. In 24th USENIX Security Symposium (USENIX Security 15), pp. 643–658. USENIX Association, Washington, D.C. (2015)Google Scholar
  13. 13.
    Follner, A., Bartel, A., Bodden, E.: Analyzing the gadgets. In: Caballero, J., et al. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 155–172. Springer, Heidelberg (2016). doi: 10.1007/978-3-319-30806-7_10 CrossRefGoogle Scholar
  14. 14.
    Follner, A., Bodden, E.: Ropocop - dynamic mitigation of code-reuse attacks. J. Inf. Secur. Appl. 82, 3–22 (2016)Google Scholar
  15. 15.
  16. 16.
  17. 17.
    Göktas, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: Overcoming control-flow integrity. In: Proceedings of the IEEE Symposium on Security and Privacy SP 2014, pp. 575–589. IEEE Computer Society, Washington, DC (2014)Google Scholar
  18. 18.
    Howard, M., Miller, M., Lambert, J., Thomlinson, M.: Windows isv software security defenses, December 2010.
  19. 19.
    Hund, R., Willems, C., Holz, T.: Practical timing side channel attacks against kernel space aslr. In: Proceeding of the IEEE Symposium on Security and Privacy SP 2013, pp. 191–205. IEEE Computer Society, Washington, DC (2013)Google Scholar
  20. 20.
  21. 21.
    Nethercote, N., Seward, J.: Valgrind: a framework for heavyweight dynamic binary instrumentation. In: ACM Sigplan notices, ACM (2007)Google Scholar
  22. 22.
    Nguyen, A.Q.: Capstone: Next generation disassembly framework.
  23. 23.
  24. 24.
  25. 25.
    Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent rop exploit mitigation using indirect branch tracing. In: Proceedings of the 22Nd USENIX Conference on Security, SEC 2013, pp. 447–462. USENIX, Berkeley (2013)Google Scholar
  26. 26.
    Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: Systems, languages, and applications. ACM Trans. Inf. Syst. Secur. 15(1), 2:1–2:34 (2012)CrossRefGoogle Scholar
  27. 27.
  28. 28.
    Schirra, S.: Ropper - rop gadget finder and binary information tool.
  29. 29.
    Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.-R., Holz, T.: Counterfeit object-oriented programming: on the difficulty of preventing code reuse attacks in C++ applications. In: 36th IEEE Symposium on Security and Privacy (Oakland) (2015)Google Scholar
  30. 30.
    Schwartz, E.J., Avgerinos, T., Brumley, D.: Q: Exploit hardening made easy. In: Proceedings of the 20th USENIX Conference on Security, SEC 2011, p. 25. USENIX Association, Berkeley (2011)Google Scholar
  31. 31.
    Serna, F.J.: The info leak era of software exploitation (2012).
  32. 32.
    Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and communications security, CCS 2007. ACM, New York, NY (2007)Google Scholar
  33. 33.
    Shacham, H., Page, M., Pfaff, B., Goh, E.-J., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM Conference on Computer and communications security, CCS 2004, ACM (2004)Google Scholar
  34. 34.
    Shoshitaishvili, Y., Wang, R., Hauser, C., Kruegel, C., Vigna, G.: Firmalice - automatic detection of authentication bypass vulnerabilities in binary firmware. In: NDSS (2015)Google Scholar
  35. 35.
  36. 36.
    Souchet, A.: rp++.
  37. 37.
  38. 38.
  39. 39.
    Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., Zou, W.: Practical control flow integrity and randomization for binary executables. In: Proceedings of the IEEE Symposium on Security and Privacy, SP 2013, pp. 559–573. IEEE Computer Society, Washington, DC (2013)Google Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Andreas Follner
    • 1
    Email author
  • Alexandre Bartel
    • 1
  • Hui Peng
    • 2
  • Yu-Chen Chang
    • 2
  • Kyriakos Ispoglou
    • 2
  • Mathias Payer
    • 2
  • Eric Bodden
    • 3
  1. 1.Technische Universität DarmstadtDarmstadtGermany
  2. 2.Purdue UniversityWest LafayetteUSA
  3. 3.Paderborn University & Fraunhofer IEMPaderbornGermany

Personalised recommendations