“Return oriented programming without returns” (http://dl.acm.org/citation.cfm?id=1866370) by Checkoway et. al. is a fantastic paper which talks about how current strategies to thwart ROP are in-sufficient, and that only a comprehensive CFI solution is the savior.
How does an exploit based on ROP work ? Return oriented programming utilizes small sets of instruction (2-3 instructions called gadgets) ,present in existing codebase such as loaded from libraries, to leave the system in a vulnerable state. Via buffer-overflow attack, ROP injects addresses to these gadgets into the stack stack. On execution of these gadgets (for eg: pop %eax; jmp *%eax), the attacker can build (mostly) any function call such as : opening a shell, which can then be used to perform other malicious activities.
What could be the defenses against ROP? address space randomization so that attacker cannot determine the addresses of the gadgets (but some pieces of work show that a brute force attack can overcome this strategy; especially a 32-bit address space). Other Current small scale defenses against ROP include : look for instruction streams that look for frequent returns (Davi et. al.) by dynamic instrumentation; last-in first-out stack invariant (a compiler based strategy ) used in stack shield; avoiding RET (this is part of our strategy in our project).
But this paper (ROP without returns) renders all the above defenses useless except the comprehensive CFI (control flow integrity check) based solution. The paper is able to do this by exploiting the fact that returns are not necessary for moving through code regions. A ret instruction can be “emulated” by utilizing a small gadget such as “pop %eax; jmp %*eax”. Agreed, that it is difficult to find this gadget. But, we have to find only 1 instance of this gadget in a huge code region (created by us by calling into different libraries). The authors say that after 1 instance of this is found, the update-load-branch functions as a trampoline; each instruction seq used in the gadget set is made to end in an indirect jump to this trampoline, which then pushes it to other gadgets.
Emulating Attack on google android based ARM device:
In this attack, the authors utilized the fgets function which allows to read 0 bytes (ensure that there is a 0x00; used for initializing the SP ); this is needed as their gadget structure always starts at 0x00. The attack they perform is to make a call to the system command; the steps followed are as follows:
* initialize the registers r6 and sp with setjmp (these statements are almost stated-in-context from the paper)
* load r3 with the update-load-branch gadget address
* load address of interpreter in r0
*involve lib system function *(last 2 are gadgets with instruction sequences that can be found out from the paper).
Conclusion:
In light of this paper, we in our project are going to follow other approaches such as randomizing the order of optimization, and evaluate its usefulness in thwarting ROP attacks.