Pure-Call Oriented Programming (PCOP): chaining the gadgets using call instructions

  • AliAkbar Sadeghi
  • Salman Niksefat
  • Maryam Rostamipour
Original Paper

Abstract

Return-oriented programming (ROP) and jump-oriented programming (JOP) are two well-known code-reuse attacks in which short code sequences ending in ret or jmp instructions are located and chained in a specific order to execute the attacker’s desired payload. JOP, compared to ROP, is even more effective because it can be invoked without any reliance on the ret instruction and can therefore bypass new defense mechanisms against ROP. In this paper, we continue this line of work by proposing Pure-Call Oriented Programming (PCOP). In PCOP, we drive the control flow using special gadgets that all end in a call instruction rather than ret or jmp. We then propose techniques for chaining gadgets that remove the side effects arising from the call-ending gadgets. The idea of call-ending gadgets, under the term Call Oriented Programming, has been noted in some previous work, but the use of call gadgets in those works, due to the side effects of the call instruction, was limited to one or two call-ending gadgets between other ret/jmp gadgets. Our work is the first that shows real code-reuse attacks based solely on call gadgets. We also show that our proposed approach is Turing-complete, meaning that any functionality can be driven by PCOP. We have successfully identified call-oriented gadgets inside the GNU libc library. Our experiments with the example shellcode show the practicality of the proposed approach. Finally, we propose a variant of PCOP named TinyCOP which resists detection by recent code-reuse defense mechanisms.

Keywords

Code-reuse attack, Pure-Call Oriented Programming, Return oriented programming, Jump oriented programming, Exploitation

Copyright information

© Springer-Verlag France 2017

Authors and Affiliations

  1. APA Research Center, Amirkabir University of Technology, Tehran, Iran