Computer Science ›› 2018, Vol. 45 ›› Issue (1): 240-244.doi: 10.11896/j.issn.1002-137X.2018.01.042


Construction Method of ROP Frame Based on Multipath Dispatcher

PENG Jian-shan, ZHOU Chuan-tao, WANG Qing-xian and DING Da-zhao

Online: 2018-01-15    Published: 2018-11-13

Abstract: ROP is a popular attack technique used to exploit software vulnerabilities, and it keeps evolving to counter ROP defense technology. kBouncer and ROPecker are state-of-the-art ROP defense tools; they are effective at detecting traditional ROP and JOP, detecting ROP characteristics and using the LBR register to trace the sequence of indirect jump instructions. The bypassing method proposed by Nicholas has the disadvantage that usable ROP gadgets are hard to find. This paper proposes a novel method of organizing ROP gadgets: a ROP frame is constructed in which a multipath dispatcher executes traditional gadgets in loops. With this ROP frame, attackers can use plenty of traditional gadgets to execute a complete and efficient ROP chain. The test results show that the method is easy to implement and is able to perform complex functions. More importantly, the proposed ROP frame can bypass ROPecker and kBouncer because its ROP characteristics are small enough to evade their detection.

Key words: ROP, Gadget, LBR register, Bypassing defense

[1] SHACHAM H. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) [C]∥ACM Conference on Computer and Communications Security (CCS). New York, USA, 2007: 552-561.
[2] ABADI M, BUDIU M, ERLINGSSON U, et al. Control-flow integrity [C]∥ACM Conference on Computer and Communications Security (CCS). 2005: 340-353.
[3] CHEN P, XIAO H, SHEN X, et al. DROP: Detecting Return-Oriented Programming Malicious Code [C]∥Information Systems Security, International Conference (ICISS 2009). Kolkata, India, 2009: 163-177.
[4] DAVI L, SADEGHI A R, WINANDY M. ROPdefender: a detection tool to defend against return-oriented programming attacks [C]∥ACM Symposium on Information, Computer and Communications Security. 2011: 40-51.
[5] ONARLIOGLU K, BILGE L, LANZI A, et al. G-Free: defeating return-oriented programming through gadget-less binaries [C]∥Twenty-Sixth Annual Computer Security Applications Conference (ACSAC 2010). Austin, Texas, USA, 2010: 49-58.
[6] PAPPAS V, POLYCHRONAKIS M, KEROMYTIS A D. Transparent ROP exploit mitigation using indirect branch tracing [C]∥USENIX Conference on Security. 2013: 447-462.
[7] CHENG Y, ZHOU Z, YU M, et al. ROPecker: A Generic and Practical Approach For Defending Against ROP Attacks [C]∥Network and Distributed System Security Symposium (NDSS 14). 2014.
[8] CHECKOWAY S, DAVI L, DMITRIENKO A, et al. Return-oriented programming without returns [C]∥ACM Conference on Computer and Communications Security (CCS 2010). Chicago, Illinois, USA, 2010: 559-572.
[9] BLETSCH T, JIANG X, FREEH V W, et al. Jump-oriented programming: a new class of code-reuse attack [C]∥ACM Symposium on Information, Computer and Communications Security (ASIACCS 2011). Hong Kong, China, 2011: 303-307.
[10] CARLINI N, WAGNER D. ROP is still dangerous: breaking modern defenses [C]∥USENIX Conference on Security Symposium. USENIX Association, 2014: 385-399.
[11] Windows ISV Software Security Defenses [EB/OL]. (2010-12-01) [2015-01-30]. https://msdn.microsoft.com/en-us/library/bb430720.aspx.
[12] SCHWARTZ E J, AVGERINOS T, BRUMLEY D. Q: exploit hardening made easy [C]∥USENIX Conference on Security. USENIX Association, 2011: 25-25.
