2018-11-04

ROP (Return Oriented Programming) Exploits

1 Background

2 ROP Exploit Idea

  1. A gadget is a sequence of CPU instructions ending in the return-to-caller instruction. Applicable to all CPUs.
  2. A chain of gadgets can be constructed, off-line, so that it amounts to malicious code. A chain is a sequence of code addresses.
  3. Gadgets are harvested from the user-written code of the process, and from the libraries it loads.
  4. Theorem: Given large enough process code segments, any arbitrary computation can be performed by a chain of gadgets.
  5. We do not need to inject shell code. Instead, we build a chain that invokes a shell. We do need to place the chain on the stack.
  6. None of the ASLR, NX, and DEP mitigation techniques can prevent this exploit.
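A toy model of points 1 to 5, added here as an illustration (it is not code from this page or from ROPgadget): a few constructed x86-64 code bytes are scanned for gadgets ending in RET, and a constructed stack of gadget addresses is then "executed" so that RET pops the next address. The decoder understands only single-byte POP, NOP and RET opcodes; everything else is treated as unknown, and the base address and byte values are made up.

```python
RET, NOP = 0xC3, 0x90
POP_REGS = {0x58: "rax", 0x5A: "rdx", 0x5B: "rbx", 0x5E: "rsi", 0x5F: "rdi"}

def decode(code, off):
    """Decode one recognised single-byte instruction; None if the byte is unknown."""
    b = code[off]
    if b == RET:
        return ("ret", 1)
    if b == NOP:
        return ("nop", 1)
    if b in POP_REGS:
        return ("pop " + POP_REGS[b], 1)
    return None

def harvest_gadgets(code, base, depth=3):
    """Point 3: every start offset from which known instructions lead straight
    into a RET is a gadget, including starts that fall in the middle of a
    longer instruction (x86 has no alignment, so these 'unintended' ones count)."""
    gadgets = {}
    for i, b in enumerate(code):
        if b != RET:
            continue
        for start in range(max(0, i - depth), i + 1):
            insns, off = [], start
            while off < i and (d := decode(code, off)) and d[0] != "ret":
                insns.append(d[0]); off += d[1]
            if off == i:                       # reached exactly the RET at i
                gadgets[base + start] = insns + ["ret"]
    return gadgets

def run_chain(gadgets, stack):
    """Points 2 and 5: the chain is a list of addresses on the stack; POP
    consumes stack words into registers and RET loads the next gadget address."""
    regs, sp = {}, 1
    ip = stack[0]
    while ip is not None:
        if ip not in gadgets:
            raise ValueError(f"0x{ip:x} is not a gadget address")
        for insn in gadgets[ip]:
            if insn.startswith("pop "):
                regs[insn[4:]] = stack[sp]; sp += 1
            elif insn == "ret":
                ip = stack[sp] if sp < len(stack) else None   # chain ends when empty
                sp += 1
    return regs

# Constructed "text segment" at a constructed base address.
CODE = bytes([0x5F, 0xC3,              # pop rdi; ret
              0x5E, 0x5A, 0xC3,        # pop rsi; pop rdx; ret
              0x48, 0x89, 0xC3,        # mov rbx, rax -- its last byte is an unintended RET
              0x58, 0x90, 0xC3])       # pop rax; nop; ret
BASE = 0x401000
# Constructed chain: gadget address, then the words its POPs consume, and so on.
STACK = [BASE + 0, 0x11, BASE + 2, 0x22, 0x33, BASE + 8, 0x44]

if __name__ == "__main__":
    g = harvest_gadgets(CODE, BASE)
    for addr, insns in sorted(g.items()):
        print(f"0x{addr:x}: {'; '.join(insns)}")
    print("registers after chain:", run_chain(g, STACK))
```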

3 ROP Detection and Mitigation

4 ROP is Still Dangerous

  1. Nicholas Carlini and David Wagner, "ROP is Still Dangerous: Breaking Modern Defenses", University of California, Berkeley, 2014. PDF, 90 slides. Required Reading. The related full paper appeared in the USENIX Security Symposium, 2014. Recommended Reading. [Abstract: Return Oriented Programming (ROP) has become the exploitation technique of choice for modern memory-safety vulnerability attacks. Recently, there have been multiple attempts at defenses to prevent ROP attacks. In this paper, we introduce three new attack methods that break many existing ROP defenses. Then we show how to break kBouncer and ROPecker, two recent low-overhead defenses that can be applied to legacy software on existing hardware. We examine several recent ROP attacks seen in the wild and demonstrate that our techniques successfully cloak them so they are not detected by these defenses. Our attacks apply to many CFI-based defenses which we argue are weaker than previously thought. Future defenses will need to take our attacks into account.]
  2. Summary of the above: Includes an intro to ROP. "… we introduce three new attack methods that break many existing ROP defenses. Then we show how to break kBouncer and ROPecker … We … demonstrate that our techniques successfully cloak them so they are not detected by these defenses."
  3. Watch the video: https://www.usenix.org/node/184508, Video 17:12. PDF, 80+ slides; the count is high mainly because of the PPT-animation-to-PDF conversion.

5 ROP Exploits in Android

  1. Hanan Be'er, "Metaphor: A (Real) Real-Life Stagefright Exploit", https://www.exploit-db.com/docs/39527.pdf, 38pp. Mar 2016. Uses ROP. Recommended Reading.
  2. Project Zero team at Google, Return to libstagefright: Exploiting libutils on Android, 9pp, Sep 2016. Recommended Reading
  3. Drake, Joshua. "Stagefright: Scary Code in the Heart of Android." BlackHat USA (2015). [To my taste: A little too sensational. Not scary, but a coding bug, caused by C language misunderstanding, that went unnoticed because of a lack of code auditing. Discussed later in this course.] Recommended Reading

6 References

  1. Roemer, Ryan, Erik Buchanan, Hovav Shacham, and Stefan Savage (University of California, San Diego). "Return-Oriented Programming: Systems, Languages, and Applications." ACM Transactions on Information and System Security (TISSEC), Vol 15, no. 1 (2012), 42pp. https://cseweb.ucsd.edu/~hovav/dist/rop.pdf. Rigorous. Reference. Related PDF slides, 50+, from BlackHat US 2008; uses x86 instructions. Required Reading.
  2. Jonathan Salwan, "An introduction to the Return Oriented Programming and ROP Chain Generation", PDF slides, Nov 2014. https://github.com/JonathanSalwan/ROPgadget is a tool written in Python that searches for gadgets in a program binary. Recommended Reading.
  3. https://www.corelan.be/index.php/security/rop-gadgets/ A collection of ROP gadgets that can be found in Windows OS DLLs and applications. 2011. Recommended Reading.
  4. Andrei Homescu, Michael Stewart, Per Larsen, Stefan Brunthaler, and Michael Franz, Microgadgets: Size Does Matter In Turing-complete Return-Oriented Programming, University of California, Irvine, 201x. Recommended Reading.
  5. A DEP/ASLR-bypassing exploit, ropasaurusrex. A detailed tutorial. 2013. Recommended Reading.
  6. Barrebas, http://barrebas.github.io/blog/2015/06/28/rop-primer-level0/. The ROP VM made for this exercise can be downloaded from vulnhub.com. https://www.vulnhub.com/entry/rop-primer-02,114/. 2015. Encouraged to try this out.
  7. https://ocw.cs.pub.ro/courses/cns/labs/lab-10 Lab on Return Oriented Programming. Reference.
  8. Dai Zovi, Dino. "Practical return-oriented programming." SOURCE Boston (2010). PDF 40+ slides. Recommended Reading.
  9. https://software.intel.com/en-us/articles/introduction-to-x64-assembly
  10. Borrello, Pietro, Emilio Coppa, Daniele Cono D'Elia, and Camil Demetrescu. "The ROP Needle: Hiding Trigger-Based Injection Vectors via Code Reuse." In Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, pp. 1962-1970. ACM, 2019.
  11. LeMay, Michael. "Hardened safe stack for return oriented programming attack mitigation." U.S. Patent Application 15/629,458, filed December 27, 2018.

7 End


Copyright © 2018 www.wright.edu/~pmateti • 2018-11-04