
An advanced automatic construction method of ROP

Wuhan University Journal of Natural Sciences

Abstract

Automatic return-oriented programming (ROP) technology can effectively improve the efficiency of ROP construction, but existing research results still have shortcomings, including the need for more address space and poor generality. To solve these problems, this paper presents an improved ROP auto-constructor, QExtd. Firstly, we design a Turing-complete language, QExtdL, which provides the basis for gadget analysis. Secondly, we represent MI instructions and implement precise processing of side-effect instructions to improve the efficiency of automatic construction. Finally, we establish a three-layer language conversion mechanism that makes it convenient for users to construct ROP. Theoretical and experimental data show that the QExtd automatic construction method performs much better than the syntax-based ROPgadget. In addition, the proposed method succeeds in constructing ROP gadgets with a probability of 84% for programs larger than 20 KB in the “/usr/bin” directory of Ubuntu, which shows that the construction capability improves significantly.



Author information

Corresponding author: Qingxian Wang.

Additional information

Foundation item: Supported by the National High Technology Research and Development Program of China (863 Program) (2012AA012902)

Biography: OUYANG Yongji, male, Ph.D. candidate, research direction: network communications and information security.



Cite this article

Ouyang, Y., Wang, Q., Peng, J. et al. An advanced automatic construction method of ROP. Wuhan Univ. J. Nat. Sci. 20, 119–128 (2015). https://doi.org/10.1007/s11859-015-1069-x
