Packed, Printable, and Polymorphic Return-Oriented Programming

  • Kangjie Lu
  • Dabi Zou
  • Weiping Wen
  • Debin Gao
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6961)

Abstract

Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W ⊕ X protection. However, it was not clear whether ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., whether it can be packed to make static analysis difficult, made printable to evade non-ASCII filtering, or made polymorphic to evade signature-based detection. Research into these potential advances in ROP is important for designing counter-measures. In this paper, we show that ROP code can be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.

Keywords

Return-oriented programming, packer, printable shellcode, polymorphic malware

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Kangjie Lu (1, 2)
  • Dabi Zou (1)
  • Weiping Wen (2)
  • Debin Gao (1)
  1. School of Information Systems, Singapore Management University, Singapore
  2. School of Software and Microelectronics, Peking University, China
