Advertisement

Evaluating the Effectiveness of Current Anti-ROP Defenses

  • Felix Schuster
  • Thomas Tendyck
  • Jannik Pewny
  • Andreas Maaß
  • Martin Steegmanns
  • Moritz Contag
  • Thorsten Holz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8688)

Abstract

Recently, many defenses against the offensive technique of return-oriented programming (ROP) have been developed. Prominently among them are kBouncer, ROPecker, and ROPGuard which all target legacy binary software while requiring no or only minimal binary code rewriting.

In this paper, we evaluate the effectiveness of these Anti-ROP defenses. Our basic insight is that all three only analyze a limited number of recent (and upcoming) branches in an application’s control flow on certain events. As a consequence, an adversary can perform dummy operations to bypass all employed heuristics. We show that it is possible to generically bypass kBouncer, ROPecker, and ROPGuard with little extra effort in practice. In the cases of kBouncer and ROPGuard on Windows, we show that all required code sequences can already be found in the executable module of a minimal 32-bit C/C++ application with an empty main() function. To demonstrate the viability of our attack approaches, we implemented several proof-of-concept exploits for recent vulnerabilities in popular applications; e.g., Internet Explorer 10 on Windows 8.

Keywords

ROP Exploit Mitigation Memory Corruptions 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Mplayer (r33064 lite) buffer overflow + ROP exploit (2011), http://www.exploit-db.com/exploits/17124/
  2. 2.
    Microsoft BlueHat Prize (2012), http://www.microsoft.com/security/bluehatprize/
  3. 3.
    Advanced Micro Devices. AMD64 Architecture Programmers Manual Volume 2: System Programming, Publication no. 24593 Rev. 3.24 (December 2013)Google Scholar
  4. 4.
    Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: A new class of code-reuse attack. In: Proceedings of ACM Symposium on Information, Computer and Communications Security (ASIACCS), pp. 30–40. ACM, New York (2011)CrossRefGoogle Scholar
  5. 5.
    Checkoway, S.: Return-oriented programming’s status is unchanged. Blog (October 2013), https://www.cs.jhu.edu/~s/musings/rop.html
  6. 6.
    Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), pp. 559–572. ACM, New York (2010)Google Scholar
  7. 7.
    Chen, W.: Here’s that FBI Firefox exploit for you (CVE-2013-1690) (August 2013), https://community.rapid7.com/community/metasploit/blog/2013/08/07/heres-that-fbi-firefox-exploit-for-you-cve-2013-1690
  8. 8.
    Cheng, Y., Zhou, Z., Yu, M., Ding, X., Deng, R.H.: ROPecker: A generic and practical approach for defending against ROP attacks. In: Symposium on Network and Distributed System Security, NDSS (2014)Google Scholar
  9. 9.
    Dullien, T., Kornau, T., Weinmann, R.-P.: A framework for automated architecture-independent gadget search. In: USENIX Workshop on Offensive Technologies, WOOT (2010)Google Scholar
  10. 10.
    Fratric, I.: Runtime Prevention of Return-Oriented Programming Attacks, http://ropguard.googlecode.com/svn-history/r2/trunk/doc/ropguard.pdf
  11. 11.
    Fratric, I.: My BlueHat prize entry: ROPGuard – runtime prevention of return-oriented programming attacks. Blog (August 2012), http://ifsec.blogspot.de/2012/08/my-bluehat-prize-entry-ropguard-runtime.html
  12. 12.
    Göktaş, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: Overcoming control-flow integrity. In: IEEE Symposium on Security and Privacy (2014)Google Scholar
  13. 13.
    Homescu, A., Stewart, M., Larsen, P., Brunthaler, S., Franz, M.: Microgadgets: Size Does Matter in Turing-Complete Return-Oriented Programming. In: USENIX Workshop on Offensive Technologies, WOOT (2012)Google Scholar
  14. 14.
    Hund, R., Holz, T., Freiling, F.C.: Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In: USENIX Security Symposium (2009)Google Scholar
  15. 15.
    Intel. Intel 64 and IA-32 architectures software developers manual, volume 1, 2A, 2B, 2C, 3A, 3B and 3C, 325462-048US (September 2013)Google Scholar
  16. 16.
    Joly, N.: Advanced exploitation of Internet Explorer 10 / Windows 8 overflow, Pwn2Own 2013 (2013), http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php
  17. 17.
    Krahmer, S.: x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique (2005), http://users.suse.com/~krahmer/no-nx.pdf
  18. 18.
    Luk, C.-K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: Building customized program analysis tools with dynamic instrumentation. In: SIGPLAN Not., vol. 40(6), pp. 190–200. ACM, New York (2005)Google Scholar
  19. 19.
    Microsoft Corporation. Enhanced mitigation experience toolkit 4.1—user guide (2013)Google Scholar
  20. 20.
    Microsoft Developer Network. Argument passing and naming conventions, http://msdn.microsoft.com/en-us/library/984x0h58.aspx
  21. 21.
    Microsoft Developer Network. C run-time library reference: _onexit (2012), http://msdn.microsoft.com/en-us/library/zk17ww08.aspx
  22. 22.
    Microsoft Security Research & Defense. Introducing enhanced mitigation experience toolkit (EMET) 4.1 (November 2013), http://www.microsoft.com/security/bluehatprize/
  23. 23.
    Nergal. The advanced return-into-lib(c) exploits: PaX case study (2001), http://phrack.org/issues/58/4.html
  24. 24.
    Pappas, V.: kBouncer: Efficient and transparent ROP mitigation, http://www.cs.columbia.edu/~vpappas/papers/kbouncer.pdf
  25. 25.
    Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: USENIX Security Symposium (2013)Google Scholar
  26. 26.
  27. 27.
    Rapid7 Vulnerability & Exploit Database. Nginx HTTP server 1.3.9–1.4.0 chunked encoding stack buffer overflow (2013), http://www.rapid7.com/db/modules/exploit/linux/http/nginx_chunked_size
  28. 28.
    Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: Systems, languages, and applications. ACM Transactions on Information and System Security 15(1), 2:1–2:34 (2012)Google Scholar
  29. 29.
    Russinovich, M., Solomon, D.A., Ionescu, A.: Windows Internals, Part 1, 6th edn. Microsoft Press (2012)Google Scholar
  30. 30.
    Schuster, F., Tendyck, T., Pewny, J., Maaß, A., Steegmanns, M., Contag, M., Holz, T.: Evaluating the effectiveness of current anti-ROP defenses. Technical Report TR-HGI-2014-001, Ruhr-Universität Bochum (May 2014), http://syssec.rub.de/research/publications/Evaluating-Anti-ROP-Defenses/
  31. 31.
    Schwartz, E.J., Avgerinos, T., Brumley, D.: Q: Exploit hardening made easy. In: USENIX Security Symposium (2011)Google Scholar
  32. 32.
    Snow, K.Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., Sadeghi, A.-R.: Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In: IEEE Symposium on Security and Privacy (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Felix Schuster
    • 1
  • Thomas Tendyck
    • 1
  • Jannik Pewny
    • 1
  • Andreas Maaß
    • 1
  • Martin Steegmanns
    • 1
  • Moritz Contag
    • 1
  • Thorsten Holz
    • 1
  1. 1.Horst Görtz Institute for IT-Security (HGI)Ruhr-Universität BochumBochumGermany

Personalised recommendations