Advertisement

A Method for Analyzing Code-Reuse Attacks

  • 1 Accesses

Abstract

Nowadays, ensuring software security is of paramount importance. Software failures can have significant consequences, and malicious vulnerability exploitation can inflict immense losses. Large corporations pay particular attention to the investigation of computer security incidents. Code-reuse attacks based on return-oriented programming (ROP) are gaining popularity each year and can bypass even modern operating system protection mechanisms. Unlike ordinary shellcode, where instructions are placed sequentially in memory, a ROP chain consists of multiple small instruction blocks (called gadgets) and uses the stack to chain them together. This makes the analysis of ROP exploits more difficult. The main goal of this work is to simplify reverse engineering of ROP exploits. A method for analyzing code-reuse attacks that allows one to split the chain into gadgets, restore the semantics of each particular gadget, and restore the prototypes and parameter values of the system calls and functions invoked during the execution of the ROP chain is proposed. The semantics of each gadget is determined by its parameterized type. Each gadget type is defined by a postcondition (Boolean predicate) that must always be true after the gadget execution. The proposed method was implemented as a software tool and tested on real-world ROP exploits found on the Internet.

This is a preview of subscription content, log in to check access.

Access options

Buy single article

Instant unlimited access to the full article PDF.

US$ 39.95

Price includes VAT for USA

Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.

REFERENCES

  1. 1

    Belevantsev, A. and Avetisyan, A., Multi-level static analysis for finding error patterns and defects in source code, 2018. https://doi.org/10.1007/978-3-319-74313-4_3

  2. 2

    Gerasimov, A.Y., Directed dynamic symbolic execution for static analysis warnings confirmation, Program. Comput. Software, 2018, vol. 44, no. 5, pp. 316-323. https://doi.org/10.1134/S036176881805002X

  3. 3

    Gerasimov, A. and Kruglov, L., Reachability confirmation of statically detected defects using dynamic analysis, Proc. of the 11th International Conference on Computer Science and Information Technologies, CSIT2017, pp. 60-64. https://doi.org/10.1109/CSITechnol.2017.8312141

  4. 4

    Common Vulnerabilities and Exposures (CVE). https://cve.mitre.org

  5. 5

    Vulnerabilities (CVE) by year. https://www.cvedetails.com/browse-by-date.php

  6. 6

    Nurmukhametov, A.R., Zhabotinskiy, E.A., Kurmangaleev, S.F., Gaissaryan, S.S., Vishnyakov, A.V., Fine-Grained Address Space Layout Randomization on Program Load, Program. Comput. Software, 2018, vol. 44, no. 5, pp. 363-370. https://doi.org/10.1134/S0361768818050080

  7. 7

    CWE-121: Stack-based Buffer Overflow. https://cwe.mitre.org/data/definitions/121.html

  8. 8

    Shacham, H., “The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86),” in Proc. of the 14th ACM Conf. on Computer and Communications Security, 2007, pp. 552–561.

  9. 9

    Schwartz, E.J, Avgerinos, T., and Brumley, D. Q: Exploit hardening made easy, Proc. of the 20th USENIX Conference on Security, SEC’11, USENIX Association, 2011, p. 25.

  10. 10

    Jager, I. and Brumley, D., Efficient directionless weakest preconditions. Technical Report CMU-CyLab-10-002, 2010.

  11. 11

    Lu, K., Zou, D., Wen, W., and Gao, D., deRop: Removing return-oriented programming from malware, Proc. of the 27th Annual Computer Security Applications Conference, ACSAC’11, ACM, 2011, pp. 363–372.

  12. 12

    Graziano, M., Balzarotti, D., and Zidouemba, A., ROPMEMU: A framework for the analysis of complex code-reuse attacks, Proc. of the 11th ACM on Asia Conference on Computer and Communications Security, ASIA CCS’16, ACM, 2016, pp. 47–58.

  13. 13

    Roemer, R., Buchanan, E., Shacham, H., and Savage, S., “Return-oriented programming: Systems, languages, and applications,” ACM Trans. Inf. Syst. Secur., 2012, vol. 15, no. 1, pp. 2:1–2:34.

  14. 14

    IDA Pro. https://www.hex-rays.com/products/ida/

  15. 15

    Nethercote, N. and Seward, J., How to shadow every byte of memory used by a program, Proc. of the 3rd International Conference on Virtual Execution Environments, VEE’07, ACM, 2007, pp. 65–74.

  16. 16

    Moser, A., Kruegel, C., and Kirda, E., Exploring multiple execution paths for malware analysis, Proc. of the 2007 IEEE Symposium on Security and Privacy, SP’07, IEEE Computer Society, 2007, pp. 231–245.

  17. 17

    Vishnyakov, A.V., Classification of ROP gadgets, Trudy ISP RAN, 2016, vol. 28, no. 6, pp. 27–36.

  18. 18

    VirtualProtect function (Windows). https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898(v=vs.85).aspx

  19. 19

    The Linux man-pages project. https://www.kernel.org/doc/man-pages/

  20. 20

    API Monitor: Spy on API Calls and COM Interfaces. http://www.rohitab.com/apimonitor

  21. 21

    Padaryan, V.A., Soloviev, M.A., and Kononov, A.I., Modeling operational semantics of machine instructions, Trudy ISP RAN, 2010, vol. 19, pp. 165–186.

  22. 22

    Metasploit Framework. https://github.com/rapid7/metasploit-framework

  23. 23

    Exploit Database. https://www.exploit-db.com

  24. 24

    snapshot.debian.org. http://snapshot.debian.org

  25. 25

    Salwan, J., An introduction to the Return Oriented Programming and ROP-chain generation, 2014. http://shell-storm.org/talks/ROP_course_lecture_jonathan_salwan_2014.pdf

Download references

Author information

Correspondence to A. V. Vishnyakov or A. R. Nurmukhametov or Sh. F. Kurmangaleev or S. S. Gaisaryan.

Additional information

Translated by A. Klimontovich

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Vishnyakov, A.V., Nurmukhametov, A.R., Kurmangaleev, S.F. et al. A Method for Analyzing Code-Reuse Attacks. Program Comput Soft 45, 473–484 (2019) doi:10.1134/S0361768819080061

Download citation