Abstract
Automatic return-oriented programming (ROP) construction can effectively improve the efficiency of building ROP chains, but existing research results still have shortcomings, including the need for a large address space and poor generality. To address these problems, this paper presents an improved ROP auto-constructor, QExtd. First, we design a Turing-complete language, QExtdL, which provides the basis for gadget analysis. Second, we represent MI instructions and handle side-effect instructions precisely, improving the efficiency of automatic construction. Finally, we establish a three-layer language conversion mechanism that makes it convenient for users to construct ROP chains. Theoretical analysis and experimental data show that the QExtd automatic construction method performs much better than the syntax-based ROPgadget. In addition, the proposed method succeeds in constructing ROP gadgets with a probability of 84% for programs larger than 20 KB in the “/usr/bin” directory of Ubuntu, which shows that its construction capability improves significantly.
Additional information
Foundation item: Supported by the National High Technology Research and Development Program of China (863 Program) (2012AA012902)
Biography: OUYANG Yongji, male, Ph.D. candidate, research direction: network communications and information security.
Cite this article
Ouyang, Y., Wang, Q., Peng, J. et al. An advanced automatic construction method of ROP. Wuhan Univ. J. Nat. Sci. 20, 119–128 (2015). https://doi.org/10.1007/s11859-015-1069-x
DOI: https://doi.org/10.1007/s11859-015-1069-x