ROP Exploits

1 Background

2 Lecture

2.1 ROP Exploit Idea

  1. A gadget is a sequence of CPU instructions ending in the RETurn- to- caller instruction. Apllicable to all CPUs.
  2. A chain of gadgets can be constructed so that it is malicious code.
  3. Gadgets are harvested from the user written code of the process, and the libraries.
  4. Theorem: Given a large enough process code segments, any arbitrary computation can be performed by a chain of gadgets.
  5. We do not need to inject shell code; instead, build a chain to invoke a shell.
  6. None of the ASLR, NX, DEP mitigation techniques can prevent this exploit.

2.2 ROP is Still Dangerous

  1. Nicholas Carlini and David Wagner, "ROP is Still Dangerous: Breaking Modern Defenses", University of California, Berkeley, 2014. https://www.usenix.org/node/184508 Paper Required Reading.
  2. Abstract: Includes an intro to ROP. "… we introduce three new attack methods that break many existing ROP defenses. Then we show how to break kBouncer and ROPecker … We … demonstrate that our techniques successfully cloak them so they are not detected by these defenses."
  3. Play the video: https://www.usenix.org/node/184508, Video 17:12, PDF 80+ slides, mainly because of PPT-animated to PDF conversion.

2.3 ROP Exploits in Android

  1. Hanan Be'er, "Metaphor: A (real) realĀ­life Stagefright exploit", https://www.exploit-db.com/docs/39527.pdf, 38pp. Mar 2016. Uses ROP. Recommended Reading
  2. Project Zero team at Google, Return to libstagefright: exploiting libutils on Android, 9pp, Sep 2016. Recommended Reading
  3. Drake, Joshua. "Stagefright: Scary Code in the Heart of Android." BlackHat USA (2015). [To my taste: A little too sensational. Not scary, but a coding bug, caused by C language misunderstanding, that went unnoticed because of a lack of code auditing. Discussed later in this course.] Recommended Reading

3 References

  1. Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham, University of California, San Diego, "Return-oriented Programming: Exploitation without Code Injection". (Related full paper is shown next.) Slides PDF from BlackHat US 2008. Roemer, Ryan, Erik Buchanan, Hovav Shacham, and Stefan Savage. "Return-oriented programming: Systems, languages, and applications." ACM Transactions on Information and System Security (TISSEC), Vol 15, no. 1 (2012): 2. https://cseweb.ucsd.edu/~hovav/dist/rop.pdf Rigorous. Reference
  2. Nicholas Carlini and David Wagner, "ROP is Still Dangerous: Breaking Modern Defenses", University of California, Berkeley, 2014. PDF 90- slides. Required Reading. Related full paper is In USENIX Security Symposium. 2014.
  3. Jonathan Salwan, "An introduction to the Return Oriented Programming and ROP Chain Generation", PDF, slides Nov 2014. https://github.com/JonathanSalwan/ROPgadget is a tool written in Py that searches for gadgets in a program binary. Recommended Reading.
  4. https://www.corelan.be/index.php/security/rop-gadgets/ A collection of rop gadgets that can be found in Windows OS DLLs and applications. 2011. Recommended Reading.
  5. Andrei Homescu Michael Stewart Per Larsen Stefan Brunthaler Michael Franz, Microgadgets: Size Does Matter In Turing-complete Return-oriented Programming, University of California, Irvine, 201x. Recommended Reading.
  6. A DEP/ASLR-bypassing exploit for ropasaurusrex. A detailed tutorial. 2013 Recommended Reading.
  7. Barrebas, http://barrebas.github.io/blog/2015/06/28/rop-primer-level0/. The ROP VM made for this exercise can be downloaded from vulnhub.com. https://www.vulnhub.com/entry/rop-primer-02,114/. 2015. Encouraged to try this out.

4 End

Copyright © 2016 www.wright.edu/~pmateti • 2016-10-20