Ping Chen,Zhisheng Hu,Jun Xu,Minghui Zhu,Peng Liu

DOI: https://doi.org/10.1186/s42400-018-0003-x

2018-01-01

Abstract:In the wake of the research community gaining deep understanding about control-hijacking attacks, data-oriented attacks have emerged. Among data-oriented attacks, data structure manipulation attack (DSMA) is a major category. Pioneering research was conducted and shows that DSMA is able to circumvent the most effective defenses against control-hijacking attacks - DEP, ASLR and CFI. Up to this day, only two defense techniques have demonstrated their effectiveness: Data Flow Integrity (DFI) and Data Structure Layout Randomization (DSLR). However, DFI has high performance overhead, and dynamic DSLR has two main limitations. L-1: Randomizing a large set of data structures will significantly affect the performance. L-2: To be practical, only a fixed sub-set of data structures are randomized. In the case that the data structures targeted by an attack are not covered, dynamic DSLR is essentially noneffective.To address these two limitations, we propose a novel technique, feedback-control-based adaptive DSLR and build a system named SALADSPlus. SALADSPlus seeks to optimize the trade-off between security and cost through feedback control. Using a novel feedback-control-based adaptive algorithm extended from the Upper Confidence Bound (UCB) algorithm, the defender (controller) uses the feedbacks (cost-effectiveness) from previous randomization cycles to adaptively choose the set of data structures to randomize (the next action). Different from dynamic DSLR, the set of randomized data structures are adaptively changed based on the feedbacks. To obtain the feedbacks, SALADSPlus inserts canary in each data structure at the time of compilation. We have implemented SALADSPlus based on gcc-4.5.0. Experimental results show that the runtime overheads are 1.8%, 3.7%, and 5.3% when the randomization cycles are selected as 10s, 5s, and 1s respectively.

Ping Chen,Jun Xu,Zhiqiang Lin,Dongyan Xu,Bing Mao,Peng Liu

DOI: https://doi.org/10.1007/978-3-319-24174-6_4

2015-01-01

Abstract:Attackers often corrupt data structures to compromise software systems. As a countermeasure, data structure layout randomization has been proposed. Unfortunately, existing techniques require manual designation of randomize-able data structures without guaranteeing the correctness and keep the layout unchanged at runtime. We present a system, called SALADS, that automatically translates a program to a DSSR Data Structure Self-Randomizing program. At runtime, a DSSR program dynamically randomizes the layout of each security-sensitive data structure by itself autonomously. DSSR programs regularly re-randomize a data structure when it has been accessed several times after last randomization. More importantly, DSSR programs automatically determine the randomizability of instances and randomize each instance independently. We have implemented SALADS based on gcc-4.5.0 and generated DSSR user-level applications, OS kernels, and hypervisors. Our experiments show that the DSSR programs can defeat a wide range of attacks with reasonable performance overhead.

Xun Zhan,Tao Zheng,Shixiang Gao

DOI: https://doi.org/10.1109/sere-c.2014.28

2014-01-01

Abstract:Code reuse attacks such as return-oriented programming, one of the most powerful threats to software system, rely on the absolute address of instructions. Therefore, address space randomization should be an effective defending method. However, current randomization techniques either are lack of enough entropy or have significant time or space overhead. In this paper, we present a novel fine-grained randomization technique at basic block level. In contrast to previous work, our technique dealt with critical technical challenges including indirect branches, callbacks and position independent codes properly at least cost. We implement an efficient prototype randomization system which supports Linux ELF file format and x86 architecture. Our evaluation demonstrated that it can defend ROP attacks with tiny performance overhead (4% on average) successfully.

Alex Yao Chu Zhu,Wei Qi Yan,Roopak Sinha

DOI: https://doi.org/10.4018/ijdcf.20211101.oa7

2021-01-01

International Journal of Digital Crime and Forensics

Abstract:Most Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS) cannot defend the attacks from a Return Oriented Program (ROP) which applies code reusing and exploiting techniques without the need for code injection. Malicious attackers chain a short sequence as a gadget and execute this gadget as an arbitrary (Turing-complete) behavior in the target program. Lots of ROP defense tools have been developed with satisfactory performance and low costs overhead, but malicious attackers can evade ROP tools. Therefore, it needs security researchers to continually improve existing ROP defense tools, because the defense ability of target devices, such as smartphones is weak, and such devices are being increasingly targeted. Our contribution in this paper is to propose an ROP defense method that has provided a better performance of defense against ROP attacks than existing ROP defense tools.

Jannik Pewny,Philipp Koppe,Thorsten Holz

DOI: https://doi.org/10.48550/arXiv.2007.02308

2020-07-05

Cryptography and Security

Abstract:The wide-spread adoption of system defenses such as the randomization of code, stack, and heap raises the bar for code-reuse attacks. Thus, attackers utilize a scripting engine in target programs like a web browser to prepare the code-reuse chain, e.g., relocate gadget addresses or perform a just-in-time gadget search. However, many types of programs do not provide such an execution context that an attacker can use. Recent advances in data-oriented programming (DOP) explored an orthogonal way to abuse memory corruption vulnerabilities and demonstrated that an attacker can achieve Turing-complete computations without modifying code pointers in applications. As of now, constructing DOP exploits requires a lot of manual work. In this paper, we present novel techniques to automate the process of generating DOP exploits. We implemented a compiler called Steroids that compiles our high-level language SLANG into low-level DOP data structures driving malicious computations at run time. This enables an attacker to specify her intent in an application- and vulnerability-independent manner to maximize reusability. We demonstrate the effectiveness of our techniques and prototype implementation by specifying four programs of varying complexity in SLANG that calculate the Levenshtein distance, traverse a pointer chain to steal a private key, relocate a ROP chain, and perform a JIT-ROP attack. Steroids compiles each of those programs to low-level DOP data structures targeted at five different applications including GStreamer, Wireshark, and ProFTPd, which have vastly different vulnerabilities and DOP instances. Ultimately, this shows that our compiler is versatile, can be used for both 32- and 64-bit applications, works across bug classes, and enables highly expressive attacks without conventional code-injection or code-reuse techniques in applications lacking a scripting engine.

HUANG Zhi-jun,ZHENG Tao

2012-01-01

Computer Science

Abstract:With the adoption of W♁X technology,the traditional code injection attacks have been almost eliminated,so the return-to-lib attack has been greatly restrained.Under this circumstance,Doc.Hovav Shacham promoted the ROP idea,which is short for Return-Oriented Programming.Based on the theory of stack overflow,making using of the valid short instruction sequences that end with ret instructions to construct gadget collections with Turning-Complete features,the ROP idea can accomplish the task of compute and attack.In this paper,we presented achievements in ROP field and ROP's ability of attack since its promotion,and then illustrated the direction for development of the automation of ROP attack and its current achievements,after that,analyzed and predicted the future development of ROP automation.Simultaneously,we discussed strategies and methods aiming at eliminating this attack based on its characteristics,introduced exisiting achievements of defending this attack by comparing their merits and demerits,gave our own perspectives of these defending strategies and methods about how to change and improve them.

Bingchen Lan,Yan Li,Hao Sun,Chao Su,Yao Liu,Qingkai Zeng

DOI: https://doi.org/10.1109/trustcom.2015.374

2015-01-01

Abstract:Code reuse attacks have become one of the most popular exploitation techniques, and coarse-grained control flow integrity (CFI) is a practical approach used to prevent such attacks. Recently, some new approaches have been proposed to construct call-preceded-ROP attacks to bypass coarse-grained CFI, however, we find that they still fail to bypass shadow stack, which enforces caller-callee semantics to strengthen CFI that constrains the control flow in a much stricter way. Therefore, in this paper, we propose a new code reuse attack, named loop-oriented programming (LOP), aiming to bypass both coarse-grained CFI and shadow stack. Quite different from previous code reuse attacks, LOP collects entire functions as basic building blocks (i.e., gadgets), and chains these gadgets in a way that the control flows strictly follow the process of call-ret-pairing. Specifically, LOP selects a particular function with a loop statement, called loop gadget, to chain all the available gadgets. To demonstrate the effectiveness of LOP, we construct a proof-of-concept exploit against Internet Explorer 8 on 32-bit x86 platform.

Ping Chen,Jin Wei,Jiwei Chen,Zhuyang Yu

DOI: https://doi.org/10.1051/sands/2024015

2024-01-01

Security and Safety

Abstract:As modern systems widely deploy protective measures for control data in memory, such as Control-Flow Integrity (CFI), attackers’ ability to manipulate control data is greatly restricted. Consequently, attackers are turning to opportunities to manipulate non-control data in memory (known as Data-Oriented Attacks, or DOAs), which have been proven to pose significant security threats to memory. However, existing techniques to mitigate DOAs often introduce significant overhead due to the indiscriminate protection of a large range of data objects. To address this challenge, this paper adopts a Cyberspace Mimic Defense (CMD) strategy, a generic framework for addressing endogenous security vulnerabilities, to prevent attackers from executing DOAs using known or unknown security flaws. Specifically, we introduce a formalized expression algorithm that assesses whether DOA-attackers can construct inputs to exploit vulnerability points. Building on this, we devise a key-area CMD strategy that modifies the code pathway from input to the vulnerability point, thereby effectively thwarting the activation of the vulnerability. Finally, our simulation experiments demonstrate that the key-area CMD strategy can effectively prevent DOAs by selectively diversifying parts of the program code.

Ping Chen,Jun Xu,Zhisheng Hu,Xinyu Xing,Minghui Zhu,Bing Mao,Peng Liu

DOI: https://doi.org/10.1109/DSN.2017.47

2017-01-01

Abstract:Address space randomization has long been used for counteracting code reuse attacks, ranging from conventional ROP to sophisticated Just-in-Time ROP. At the high level, it shuffles program code in memory and thus prevents malicious ROP payload from performing arbitrary operations. While effective in mitigating attacks, existing randomization mechanisms are impractical for real-world applications and systems, especially considering the significant performance overhead and potential program corruption incurred by their implementation. In this paper, we introduce CHAMELEON, a practical defense mechanism that hinders code reuse attacks, particularly Just-in-Time ROP attacks. Technically speaking, CHAMELEON instruments program code, randomly shuffles code page addresses and minimizes the attack surface exposed to adversaries. While this defense mechanism follows in the footprints of address space randomization, our design principle focuses on using randomization to obstruct code page disclosure, making the ensuing attacks infeasible. We implemented a prototype of CHAMELEON on Linux operating system and extensively experimented it in different settings. Our theoretical and empirical evaluation indicates the effectiveness and efficiency of CHAMELEON in thwarting Just-in-Time ROP attacks.

Xiaoqi Song,Wenjie Lv,Haipeng Qu,Lingyun Ying

2023-03-22

Abstract:Code-reuse attacks have become a kind of common attack method, in which attackers use the existing code in the program to hijack the control flow. Most existing defenses focus on control flow integrity (CFI), code randomization, and software debloating. However, most fine-grained schemes of those that ensure such high security suffer from significant performance overhead, and only reduce attack surfaces such as software debloating can not defend against code-reuse attacks completely. In this paper, from the perspective of shrinking the available code space at runtime, we propose LoadLord, which dynamically loads, and timely unloads functions during program running to defend against code-reuse attacks. LoadLord can reduce the number of gadgets in memory, especially high-risk gadgets. Moreover, LoadLord ensures the control flow integrity of the loading process and breaks the necessary conditions to build a gadget chain. We implemented LoadLord on Linux operating system and experimented that when limiting only 1/16 of the original function. As a result, LoadLord can defend against code-reuse attacks and has an average runtime overhead of 1.7% on the SPEC CPU 2006, reducing gadgets by 94.02%.

Cryptography and Security

ZhiJun Huang,Tao Zheng,Yunxiu Shi,Ang Li

DOI: https://doi.org/10.1109/icsai.2012.6223219

2012-01-01

Abstract:As the proposition of the idea of Return-Oriented Programming (ROP), programs will face new challenges from viruses, and many of current defense measures will be ineffective. With fine granularity, covert virus features, deliberate and sophisticated construction and rare static characteristics, ROP attack can circumvent many traditional defense measures and its variant Jump-Oriented Programming (JOP) attack makes lots of current special ROP defense tools lose their effects. Under this circumstance, it's imperative to discover the dynamic features of ROP exploits. At this time, bringing in the technology of Dynamic Binary Instrumentation (DBI) provides powerful support for dynamic analysis of ROP attack. In this paper, we will introduce a defense measure to ROP attack. By identifying malicious program execution flow and restricting the function call specification of general program libraries, we will prevent the turning-complete features of ROP attack. Our detection method can restrain malicious use of shared libraries by ROP and defend a large part of ROP attacks.

Ping Chen,Jun Xu,Jun Wang,Peng Liu

DOI: https://doi.org/10.48550/arXiv.1507.02786

2015-07-10

Abstract:Fine-grained Address Space Randomization has been considered as an effective protection against code reuse attacks such as ROP/JOP. However, it only employs a one-time randomization, and such a limitation has been exploited by recent just-in-time ROP and side channel ROP, which collect gadgets on-the-fly and dynamically compile them for malicious purposes. To defeat these advanced code reuse attacks, we propose a new defense principle: instantly obsoleting the address-code associations. We have initialized this principle with a novel technique called virtual space page table remapping and implemented the technique in a system CHAMELEON. CHAMELEON periodically re-randomizes the locations of code pages on-the-fly. A set of techniques are proposed to achieve our goal, including iterative instrumentation that instruments a to-be-protected binary program to generate a re-randomization compatible binary, runtime virtual page shuffling, and function reordering and instruction rearranging optimizations. We have tested CHAMELEON with over a hundred binary programs. Our experiments show that CHAMELEON can defeat all of our tested exploits by both preventing the exploit from gathering sufficient gadgets, and blocking the gadgets execution. Regarding the interval of our re-randomization, it is a parameter and can be set as short as 100ms, 10ms or 1ms. The experiment results show that CHAMELEON introduces on average 11.1%, 12.1% and 12.9% performance overhead for these parameters, respectively.

Cryptography and Security

Yi Zhuang,Tao Zheng,Zhitian Lin

2014-01-01

Abstract:Fine-grained address space layout randomization has recently been proposed as a method of efficiently mitigating ROP attacks. In this paper, we introduce a design and implementation of a framework based on a runtime strategy that undermines the benefits of fine-grained ASLR. Specifically, we abuse a memory disclosure to map an application’s memory layout on-the-fly, dynamically discover gadgets and construct the desired exploit payload, and finish our goals by using virtual function call mechanism—all with a script environment at the time an exploit is launched. We demonstrate the effectiveness of our framework by using it in conjunction with a real-world exploit against Internet Explorer and other applications protected by fine-grained ASLR. Moreover, we provide evaluations that demonstrate the practicality of run-time code reuse attacks. Our work shows that such a framework is effective and fine-grained ASLR may not be as promising as first thought. Keywords-code reuse; security; dynamic; fine-grained ASLR

Jannik Pewny,Philipp Koppe,Lucas Davi,Thorsten Holz

DOI: https://doi.org/10.48550/arXiv.2007.03548

2020-07-05

Abstract:Just-in-time return-oriented programming (JIT-ROP) is a powerful memory corruption attack that bypasses various forms of code randomization. Execute-only memory (XOM) can potentially prevent these attacks, but requires source code. In contrast, destructive code reads (DCR) provide a trade-off between security and legacy compatibility. The common belief is that DCR provides strong protection if combined with a high-entropy code randomization. The contribution of this paper is twofold: first, we demonstrate that DCR can be bypassed regardless of the underlying code randomization scheme. To this end, we show novel, generic attacks that infer the code layout for highly randomized program code. Second, we present the design and implementation of BGDX (Byte-Granular DCR and XOM), a novel mitigation technique that protects legacy binaries against code inference attacks. BGDX enforces memory permissions on a byte-granular level allowing us to combine DCR and XOM for legacy, off-the-shelf binaries. Our evaluation shows that BGDX is not only effective, but highly efficient, imposing only a geometric mean performance overhead of 3.95% on SPEC.

Cryptography and Security

Chenyu Wang,Bihuan Chen,Yang Liu,Hongjun Wu

DOI: https://doi.org/10.1109/tifs.2018.2855648

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Vtable reuse attack, as a novel type of code reuse attacks, is introduced to bypass most binary-level control flow integrity enforcement and vtable integrity enforcement. So far, two binary-level defenses (TypeArmor and vfGuard) are proposed to defend against vtable reuse attacks. Both techniques use semantic information as the control flow integrity enforcement policy, i.e., TypeArmor and vfGuard utilize argument register count and dispatch offset at virtual callsite as the signature to check the validity of target functions, respectively. In this paper, we propose layered object-oriented programming (LOOP), an advanced vtable reuse attack, to show that the coarse-grained control flow integrity strategies are still vulnerable to vtable reuse attacks. In LOOP, we introduce argument expansion gadgets and transfer gadgets to, respectively, bypass TypeArmor and vfGuard. We generalize the characteristics of both gadgets and develop a tool to discover them at the binary level. We demonstrated that under the protection of TypeArmor and vfGuard, Firefox, Adobe Flash Player, and Internet Explorer are all vulnerable to LOOP attacks. Furthermore, we show the availability of argument expansion gadgets and transfer gadgets in common software or libraries.

Liu Ke,Wang Jing-Yi,Wei Qiang,Guizhou University,Sun Jun,Ma Rong-Kuan,Deng Rui-Long

DOI: https://doi.org/10.1007/s11390-021-1647-7

2021-01-01

Abstract:Programmable logic controllers (PLCs) play a critical role in many industrial control systems, yet face increasingly serious cyber threats. In this paper, we propose a novel PLC-compatible software-based defense mechanism, called Heterogeneous Redundant Proactive Defense Framework (HRPDF). We propose a heterogeneous PLC architecture in HRPDF, including multiple heterogeneous, equivalent, and synchronous runtimes, which can thwart multiple types of attacks against PLC without the need of external devices. To ensure the availability of PLC, we also design an inter-process communication algorithm that minimizes the overhead of HRPDF. We implement a prototype system of HRPDF and test it in a real-world PLC and an OpenPLC-based device, respectively. The results show that HRPDF can defend against multiple types of attacks with 10.22% additional CPU and 5.56% additional memory overhead, and about 0.6 ms additional time overhead.

LIU Zhi,ZHANG Xiao-song,WU Yue

DOI: https://doi.org/10.3969/j.issn.1000-1220.2013.07.035

2013-01-01

Abstract:Return-Oriented-Programming(ROP) attacks can bypass traditional defenses such as DEP and W ⊕ X.Current detection techniques have high false positives w hich are unable to accurately distinguish attacks from normal instruction execution.ROP attacks need to invoke system calls to achieve attacking goal,before w hich registers must be set to correct values;also each x86 instruction corresponds to one or more gadgets.Bases on such characteristics,a new ROP attack defense technique on binary level w as proposed: it intercepts return instructions,from w hich counts the number of gadgets,then check w hether registers have been changed to correct values just before invoking system call.It does not rely on heuristics and provides accurate detection of ROP attacks by stack smashing.Prototype system is implemented w ith dynamic binary instrumentation tool,and w e evaluated the system w ith normal programs and ROP attacks.Experiment results show it causes low false positives and negatives w hile makes little overhead.

Sanjeeu Das,Bihuan Chen,Mahintham Chandramohan,Yang Liu,Wei Zhang

DOI: https://doi.org/10.1016/j.cose.2017.11.011

IF: 5.105

2017-01-01

Computers & Security

Abstract:Return-Oriented Programming (ROP) is one of the most common techniques to exploit software vulnerabilities. However, existing defense techniques can be defeated by attackers, or suffer from high performance overhead. In this paper, we propose a defense framework, named ROPSentry, to detect ROP attacks at runtime. It is built on the observation that ROP exploits usually trigger different hardware events than normal programs generated by compilers. Hence, we leverage hardware performance counters to track such hardware events and analyze behavioral patterns of ROP attacks. ROPSentry has two approaches. The ROP-only defense approach detects ROP attacks via capturing the patterns of ROP exploits, where we propose to sample the hardware performance counters at mispredicted return events instead of at every microinstruction for a low performance overhead. To further reduce performance overhead, we propose a self-adaptive defense approach to dynamically switch between low and high sampling rates. It detects the patterns of spraying attacks (i.e., one common ROP payload delivery technique) at a low sampling rate, and then switches to a high sampling rate for detecting the patterns of ROP exploits. Our evaluation on 11 real-world ROP exploits, 50 synthetically generated ROP exploits and 1000 benign websites has shown that, the ROP-only and self-adaptive approaches are effective in detecting ROP attacks with low performance overhead (11% and 1% respectively) as well as low false positive; and they significantly outperform the state-of-the-art techniques in terms of performance overhead without losing the detection accuracy.

Tianning Zhang,Miao Cai,Diming Zhang,Hao Huang

DOI: https://doi.org/10.1109/TrustCom50675.2020.00045

2020-01-01

Abstract:Recently, many effective defensive methods (e.g., ASLR, execute-only-memory) have been proposed to defeat the code reuse attack in the software system. These approaches provide strong system protection through address randomization or memory access restriction. However, this paper identifies a new weak point in these approaches, i.e., missing time protection. We propose a new attack method called timing function attack, which can initiate a code reuse attack even against the state-of-the-art defense techniques. Previous solutions utilize various techniques to hide the spatial information. However, we still can obtain critical security information through the time channel. Specifically, we leverage the function execution time to conduct a side-channel attack. Further, we de-randomize the code segment layout with the timing-channel attack result. Finally, we perform a code-reuse attack with gadgets gathered in previous steps, compromising the whole system. To validate our timing function attack in the real world, we conduct two attacks on two JavaScript engines, i.e., ChakraCore and Chrome v8. Evaluation results show that our attack can successfully bypass the existing defense techniques, such as function-granularity ASLR and XOM, and escalate the privilege. Besides, we also discuss some solutions to prevent and defend our proposed timing function attack.

Jie Li,Weina Niu,Ran Yan,Zhiqin Duan,Beibei Li,Xiaosong Zhang

DOI: https://doi.org/10.1109/trustcom56396.2022.00033

2022-01-01

Abstract:Return-Oriented Programming (ROP) has become one of the most widely used attack techniques for software vulnerability exploitation. Existing ROP detection methods fall into two types: hardware-based methods and software-based methods. The former is strongly dependent on specific hardware architectures and difficult to deploy. Although the latter can alleviate these problems, limited by the selection of features and thresholds, it cannot effectively discover neither variant ROP nor delayed ROP. In this work, we propose an intelligent detection method at runtime and implement the corresponding prototype system, IDROP, which uses real-time execution flow and LSTM to discovery ROP and its variants. Specifically, IDROP analyzes the differences between program execution flows that are independent of the ROP feature thresholds. Firstly, the Aspect Oriented Programming (AOP) is utilized to instrument the tested program, and the sliding window mechanism is applied to screen out suspicious program execution flow snapshots. Then, these suspicious execution flow snapshots are vectorized through data representation techniques. Finally, we build and train an LSTM model to discover ROP. Furthermore, we evaluate the performance of IDROP on a dataset consisting of 6000+ samples. The experimental results show that IDROP is effective in detecting ROP attacks, variant ROP and delayed ROP with an accuracy of 98%, 93% and 80%, respectively. In addition, IDROP has negligible space overhead and low performance overhead, which is similar to that of only using Pin for detection (about additional 2.5 times the program execution time before instrumentation).