关键词: ROP,gadget,LBR寄存器,绕防

Abstract: ROP is a popular attacking technology used to exploit software vulnerability,and it is always updating to against the technology of defensing ROP.Both kBouncer and ROPecker are the state-of-the-art ROP defense tools,and they are effective in detecting traditional ROP and JOP,and they can trace the process of indirect jump instructions by detecting ROP characters and using LBR register.The bypassing method proposed by Nicholas has the disadvantage that it is hard to find available ROP gadgets.This paper proposed a novel method to organize ROP gadgets.The ROP frame was constructed to execute traditional gadgets in loops by multipath dispatcher.Using this ROP frame,attackers can use plenty of traditional gadgets to execute a complete and efficient ROP chain.The test results show that this method is easy to implement,and it is able to perform complex functions.More importantly,the proposed ROP frame can bypass ROPecker and kBouncer because it has small enough characters.

Key words: ROP,Gadget,LBR register,Bypassing defense