Type of Publication: Article in Collected Edition
The Beast is in Your Memory: Return-Oriented Programming Attacks Against Modern Control-Flow Integrity Protection Techniques
- Davi, Lucas; Lehmann, Daniel; Sadeghi, Ahmad-Reza
- Title of Anthology:
- Black Hat USA
- Publication Date:
- Link to complete version:
- Download BibTeX
Return-oriented Programming (ROP) is a powerful exploitation technique used in nearly every exploit today. It maliciously combines short code snippets (gadgets) residing in shared libraries and the executable to bypass data execution prevention (DEP). As a consequence, several new control-flow integrity (CFI) mechanisms and tools have been recently proposed to thwart ROP attacks. For instance, kBouncer and ROPGuard both restrict return instructions to target a call-preceded instruction. In addition, ROPecker and kBouncer force the adversary to invoke a long instruction sequence after a pre-defined number of short gadgets thereby preventing an attacker to execute a sequence of ROP gadgets. Some of the proposed mechanisms have already been integrated in Microsoft's Windows EMET tool. In general, these mechanisms significantly reduce the gadget space and make it challenging for an attacker to mount ROP attacks.
While others have hypothesized or even exploited weaknesses in some of these emerging CFI techniques, we provide the first comprehensive analysis thereof. Specifically, we conducted a security analysis of various recently proposed CFI solutions (including kBouncer, ROPGuard, ROPecker, and CFI for COTS binaries). Our key contribution is in demonstrating that these techniques can be effectively undermined even when all their protection mechanisms are combined. In particular, we transformed existing (publicly available) exploits against Windows (which are detected by Microsoft EMET) into more stealthy attacks that bypass all recently proposed CFI techniques. We show that our performed transformations require no specific assumptions, and demonstrate that a 1MB Windows library (kernel32.dll) is already sufficient to derive a (turing-) complete gadget set using only call-preceded gadgets.