Nowadays, ensuring software security is of paramount importance. Software failures can have significant consequences, and malicious vulnerability exploitation can inflict immense losses. Large corporations pay particular attention to the investigation of computer security incidents. Code-reuse attacks based on return-oriented programming (ROP) are gaining popularity each year and can bypass even modern operating system protection mechanisms. Unlike ordinary shellcode, where instructions are placed sequentially in memory, a ROP chain consists of multiple small instruction blocks (called gadgets) and uses the stack to chain them together. This makes the analysis of ROP exploits more difficult. The main goal of this work is to simplify reverse engineering of ROP exploits. A method for analyzing code-reuse attacks that allows one to split the chain into gadgets, restore the semantics of each particular gadget, and restore the prototypes and parameter values of the system calls and functions invoked during the execution of the ROP chain is proposed. The semantics of each gadget is determined by its parameterized type. Each gadget type is defined by a postcondition (Boolean predicate) that must always be true after the gadget execution. The proposed method was implemented as a software tool and tested on real-world ROP exploits found on the Internet.
This is a preview of subscription content, access via your institution.
Buy single article
Instant access to the full article PDF.
Tax calculation will be finalised during checkout.
Belevantsev, A. and Avetisyan, A., Multi-level static analysis for finding error patterns and defects in source code, 2018. https://doi.org/10.1007/978-3-319-74313-4_3
Gerasimov, A.Y., Directed dynamic symbolic execution for static analysis warnings confirmation, Program. Comput. Software, 2018, vol. 44, no. 5, pp. 316-323. https://doi.org/10.1134/S036176881805002X
Gerasimov, A. and Kruglov, L., Reachability confirmation of statically detected defects using dynamic analysis, Proc. of the 11th International Conference on Computer Science and Information Technologies, CSIT 2017, pp. 60-64. https://doi.org/10.1109/CSITechnol.2017.8312141
Common Vulnerabilities and Exposures (CVE). https://cve.mitre.org
Vulnerabilities (CVE) by year. https://www.cvedetails.com/browse-by-date.php
Nurmukhametov, A.R., Zhabotinskiy, E.A., Kurmangaleev, S.F., Gaissaryan, S.S., Vishnyakov, A.V., Fine-Grained Address Space Layout Randomization on Program Load, Program. Comput. Software, 2018, vol. 44, no. 5, pp. 363-370. https://doi.org/10.1134/S0361768818050080
CWE-121: Stack-based Buffer Overflow. https://cwe.mitre.org/data/definitions/121.html
Shacham, H., “The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86),” in Proc. of the 14th ACM Conf. on Computer and Communications Security, 2007, pp. 552–561.
Schwartz, E.J, Avgerinos, T., and Brumley, D. Q: Exploit hardening made easy, Proc. of the 20th USENIX Conference on Security, SEC’11, USENIX Association, 2011, p. 25.
Jager, I. and Brumley, D., Efficient directionless weakest preconditions. Technical Report CMU-CyLab-10-002, 2010.
Lu, K., Zou, D., Wen, W., and Gao, D., deRop: Removing return-oriented programming from malware, Proc. of the 27th Annual Computer Security Applications Conference, ACSAC’11, ACM, 2011, pp. 363–372.
Graziano, M., Balzarotti, D., and Zidouemba, A., ROPMEMU: A framework for the analysis of complex code-reuse attacks, Proc. of the 11th ACM on Asia Conference on Computer and Communications Security, ASIA CCS’16, ACM, 2016, pp. 47–58.
Roemer, R., Buchanan, E., Shacham, H., and Savage, S., “Return-oriented programming: Systems, languages, and applications,” ACM Trans. Inf. Syst. Secur., 2012, vol. 15, no. 1, pp. 2:1–2:34.
IDA Pro. https://www.hex-rays.com/products/ida/
Nethercote, N. and Seward, J., How to shadow every byte of memory used by a program, Proc. of the 3rd International Conference on Virtual Execution Environments, VEE’07, ACM, 2007, pp. 65–74.
Moser, A., Kruegel, C., and Kirda, E., Exploring multiple execution paths for malware analysis, Proc. of the 2007 IEEE Symposium on Security and Privacy, SP’07, IEEE Computer Society, 2007, pp. 231–245.
Vishnyakov, A.V., Classification of ROP gadgets, Trudy ISP RAN, 2016, vol. 28, no. 6, pp. 27–36.
VirtualProtect function (Windows). https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898(v=vs.85).aspx
The Linux man-pages project. https://www.kernel.org/doc/man-pages/
API Monitor: Spy on API Calls and COM Interfaces. http://www.rohitab.com/apimonitor
Padaryan, V.A., Soloviev, M.A., and Kononov, A.I., Modeling operational semantics of machine instructions, Trudy ISP RAN, 2010, vol. 19, pp. 165–186.
Metasploit Framework. https://github.com/rapid7/metasploit-framework
Exploit Database. https://www.exploit-db.com
Salwan, J., An introduction to the Return Oriented Programming and ROP-chain generation, 2014. http://shell-storm.org/talks/ROP_course_lecture_jonathan_salwan_2014.pdf
This work was supported by the Russian Foundation for Basic Research, project no. 17-01-00600.
Translated by A. Klimontovich
About this article
Cite this article
Vishnyakov, A.V., Nurmukhametov, A.R., Kurmangaleev, S.F. et al. A Method for Analyzing Code-Reuse Attacks. Program Comput Soft 45, 473–484 (2019). https://doi.org/10.1134/S0361768819080061