Jump-oriented Programming Research Articles

Control Flow Integrity: Embedded System Code Reuse Defence

Hardware-based program Control Flow Integrity (CFI) components, centering on the state-of- the-art usage innovations. Control Stream Keenness may be a significant security degree pointed at moderating control- flow capturing assaults, such as Return Oriented Programming (ROP) and Jump Oriented Programming (JOP). Whereas software-based CFI arrangements have been compelling to a few degree, their restrictions have impelled the improvement of hardware-based approaches for improved security. This survey analyzes unmistakable innovations in this space, counting Intel CET (Control-flow Requirement Innovation), ARM Pointer Verification, AMD SEV-SNP (Secure Settled Paging), and RISC-V CFI Expansions. Each technology's highlights, usage strategies, and contributions to fortifying cyber security are analyzed to supply bits of knowledge into the current scene of hardware-based computer program CFI. By leveraging hardware-level protections, these progressions offer strong security against advanced control-flow capturing assaults, subsequently reinforcing the security pose of computing frameworks. As cyber dangers proceed to advance, the require for vigorous security components to ensure against control-flow capturing assaults gets to be progressively basic. This audit digs into the state-of-the-art execution innovations for hardware-based computer program Control Stream Astuteness

FASLR: Function-Based ASLR via TrustZone-M and MPU for Resource-Constrained IoT Systems

The address space layout randomization (ASLR) has been widely deployed on modern operating systems against code reuse attacks (CRAs), such as return-oriented programming (ROP) and jump-oriented programming (JOP). However, porting ASLR to resource-constrained IoT devices is a great challenge due to the limited memory space for randomization. We propose a function-based ASLR scheme (fASLR) for IoT runtime security utilizing the ARM TrustZone-M technology and the memory protection unit (MPU) supported by ARM Cortex-M processors. fASLR loads a function from the flash and randomizes its base address in a randomization region in RAM when the function is being called. We design novel mechanisms on cleaning up finished functions from the RAM and memory addressing to tackle the complexity of function relocation and randomization. Optimizations are applied to effectively reduce overhead introduced by runtime memory management. We also formally prove that user applications will run correctly with fASLR enabled. Compared with the related work, a prominent advantage of fASLR is that fASLR can run an application even if the application code cannot be completely loaded into RAM for execution. We test fASLR with 21 applications. The experimental results show that fASLR achieves a high randomization entropy and incurs a runtime overhead of less than 10%.

FH-CFI: Fine-grained hardware-assisted control flow integrity for ARM-based IoT devices

Code reuse attacks (CRAs), such as return-oriented programming (ROP) and jump-oriented programming (JOP) attacks, have become a great threat to the runtime security of ARM-based Internet of Things (IoT) devices. Attackers can utilize CRAs to hijack the control flow of programs in ARM-based IoT devices to make them perform malicious actions without injecting any codes. Control flow integrity (CFI) is an important cornerstone for the security of ARM-based IoT devices, as it enforces the correct control flow of devices and defends against CRAs. However, coarse-grained CFI schemes suffer from security issues, like key leakage and coarse-grained protection, which allows attackers to bypass their defenses. Meanwhile, fine-grained CFI schemes bring high overhead and have the multi-to-one problem. In this paper, we propose FH-CFI, a fine-grained hardware-assisted CFI scheme to help ARM-based IoT devices resist refined CRAs without leaking their encryption/decryption keys. We utilize hash-based message authentication codes to protect the return addresses from being changed, thus resisting ROP attacks without key leakage. Moreover, we encrypt instructions at target sites with the call sites’ information to defeat JOP attacks in fine-grained. Additionally, we have designed a diverter to solve the multi-to-one problem that exists in fine-grained CFI schemes. Theoretical analyses demonstrate the security of our FH-CFI. Experimental evaluations on ARM-based IoT devices show that FH-CFI has greater effectiveness and stronger security than existing state-of-the-art CFI schemes, with few additional overheads.

Constraint-based Diversification of JOP Gadgets

Modern software deployment process produces software that is uniform, and hence vulnerable to large-scale code-reuse attacks, such as Jump-Oriented Programming (JOP) attacks. Compiler-based diversification improves the resilience and security of software systems by automatically generating different assembly code versions of a given program. Existing techniques are efficient but do not have a precise control over the quality, such as the code size or speed, of the generated code variants. 
 This paper introduces Diversity by Construction (DivCon), a constraint-based compiler approach to software diversification. Unlike previous approaches, DivCon allows users to control and adjust the conflicting goals of diversity and code quality. A key enabler is the use of Large Neighborhood Search (LNS) to generate highly diverse assembly code efficiently. For larger problems, we propose a combination of LNS with a structural decomposition of the problem. To further improve the diversification efficiency of DivCon against JOP attacks, we propose an application-specific distance measure tailored to the characteristics of JOP attacks. 
 We evaluate DivCon with 20 functions from a popular benchmark suite for embedded systems. These experiments show that DivCon's combination of LNS and our application-specific distance measure generates binary programs that are highly resilient against JOP attacks (they share between 0.15% to 8% of JOP gadgets) with an optimality gap of 10%. Our results confirm that there is a trade-off between the quality of each assembly code version and the diversity of the entire pool of versions. In particular, the experiments show that DivCon is able to generate binary programs that share a very small number of gadgets, while delivering near-optimal code. 
 For constraint programming researchers and practitioners, this paper demonstrates that LNS is a valuable technique for finding diverse solutions. For security researchers and software engineers, DivCon extends the scope of compiler-based diversification to performance-critical and resource-constrained applications.

Survey of Methods for Automated Code-Reuse Exploit Generation

This paper provides a survey of methods and tools for automated code-reuse exploit generation. Such exploits use code that is already contained in a vulnerable program. The code-reuse approach allows one to exploit vulnerabilities in the presence of operating system protection that prohibits data memory execution. This paper contains a description of various code-reuse methods: return-to-libc attack, return-oriented programming, jump-oriented programming, and others. We define fundamental terms: gadget, gadget frame, gadget catalog. Moreover, we show that, in fact, a gadget is an instruction, and a set of gadgets defines a virtual machine. We can reduce an exploit creation problem to code generation for this virtual machine. Each particular executable file defines a virtual machine instruction set. We provide a survey of methods for gadgets searching and determining their semantics (creating a gadget catalog). These methods allow one to get the virtual machine instruction set. If a set of gadgets is Turing-complete, then a compiler can use a gadget catalog as a target architecture. However, some instructions can be absent. Hence we discuss several approaches to replace missing instructions with multiple gadgets. An exploit generation tool can chain gadgets by pattern searching (regular expressions) or considering gadgets semantics. Furthermore, some chaining methods use genetic algorithms, while others use SMT-solvers. We compare existing open-source tools and propose a testing system rop-benchmark that can be used to verify whether a generated chain successfully opens a shell.

HoneyGadget: A Deception Based Approach for Detecting Code Reuse Attacks

Code reuse attacks such as Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) are the prevalent attack techniques which reuse code snippets named gadget in vulnerable applications and hijack control flow to achieve malicious behaviors. Existing defense techniques for code reuse attacks attempt to prevent illegal control flow transition or make locating gadgets a hard work. However, decades of the arms race proved the ability to detect and prevent advanced attacks is still outdated. In this paper, we propose HoneyGadget, a deception based approach for detecting code reuse attacks. HoneyGadget works by inserting honey gadgets into the application as decoys and keep track of their addresses once the application is loaded. During the execution phase, HoneyGadget traces the execution records using Last Branch Record (LBR), compares the LBR records with the maintained address list, and alarms code reuse attacks if some records match. HoneyGadget not only prevents code reuse attacks, but also provides LBR records for researchers to analyze patterns of these attacks. We have developed a fully functioning prototype of HoneyGadget. Our evaluation results show that HoneyGadget can capture code reuse attacks effectively and only incurs a modest performance overhead.

HCIC: Hardware-Assisted Control-Flow Integrity Checking

Recently, code reuse attacks (CRAs), such as return-oriented programming (ROP) and jump-oriented programming (JOP), have emerged as a new class of ingenious security threats. Attackers can utilize CRAs to hijack the control flow of programs to perform malicious actions without injecting any codes. Many defenses, classed into software-based and hardware-based, have been proposed. However, software-based methods are difficult to be deployed in practical systems due to high performance overhead. Hardware-based methods can reduce performance overhead but may require extending instruction set architectures (ISAs) and modifying the compiler or suffer the vulnerability of key leakage. To tackle these issues, this paper proposes a new hardware-assisted control flow checking method to resist CRAs with negligible performance overhead without extending ISAs, modifying the compiler or leaking the encryption/decryption key. The key technique involves two control flow checking mechanisms. The first one is the encrypted Hamming distances matching between the physical unclonable function (PUF) response and the return addresses, which prevents attackers from returning between gadgets so long as the PUF response is secret, thus resisting ROP attacks. The second one is the linear encryption/decryption operation (XOR) between the PUF response and the instructions at target addresses of call and jmp instructions to defeat JOP attacks. Advanced return-based full-function reuse attacks will be prevented with the dynamic key-updating method. Experimental evaluations on benchmarks demonstrate that the proposed method introduces negligible 0.95% runtime overhead and 0.78% binary size overhead on average.

ActiMon: Unified JOP and ROP Detection With Active Function Lists on an SoC FPGA

Field programmable gate arrays (FPGAs) have been increasingly mounted on commodity systems. As a matter of fact, such an emerging adoption of FPGAs in the commodity systems is attributed to their versatility came from the programmable property. Accordingly many industrial and academic attempts have been performed to exploit FPGAs in a variety of applications. In this paper, we note that FPGAs also can be used to protect the host CPU from a nasty security threat, called code reuse attacks (CRAs). Code reuse attack (CRA) is a powerful technique that allows attackers to execute arbitrary code. Control-flow integrity (CFI) has been popularly employed to mitigate CRAs. CFI entails CRA monitoring that checks if a program runs as directed by its control-flow graph. However, as monitoring naturally incurs non-negligible runtime overhead to the host CPU, many studies proposed hardware techniques to lessen the monitoring overhead. To facilitate the immediate deployment of a hardware-based solution, we propose a CRA monitor, called ActiMon , that can be implemented on an SoC FPGA where the host CPU and FPGA are manufactured together in a single platform. However, implementing the CRA monitor operating on FPGA arouses a new challenge that has never been addressed in the previous solutions: the operating clock of FPGA is many times slower than the CPU. By overcoming this speed difference, we ultimately purpose to evince the feasibility of FPGA as a computing device in the field of CRA defense. For this purpose, we have developed a highly efficient algorithm designed to run on FPGA whose goal is to monitor the existence of CRAs on the host CPU residing in the same SoC FPGA platform. Empirical results show that ActiMon runs on our target SoC FPGA platform efficiently enough to catch up to the speed of host code execution and promptly detects two important types of CRAs, JOP (Jump-Oriented Programming) and ROP (Return-Oriented Programming), as soon as they occurred in the host system. We assert that such results are encouraging thanks to our unified, lightweight ROP/JOP detection mechanism based on a list of active functions , and also to additional optimizations to leverage the inherent capabilities of FPGA for parallel computation.

Control Flow Integrity Based on Lightweight Encryption Architecture

Control-flow integrity (CFI) plays a very important role in defending against code reuse attacks by protecting the control flows of programs from being hijacked. However, previous CFI methods suffer from performance overheads, cost, or security issues. In this paper, we propose a new CFI based on a lightweight encryption architecture with advanced encryption standard (LEA-AES) to address the challenges above. The LEA exploits AES to encrypt and decrypt return addresses and instructions at indirect jump destinations, which protects function calls and indirect jumps from being reused by return-oriented programming (ROP) and jump-oriented programming (JOP) attacks. For ROP, the encryption and decryption of return addresses are performed when the call and ret instructions are executing; for JOP, the encryption of instructions are performed when programs are loading into memory and the decryption of instructions are performed right before they are executing. The LEA-AES does not need to revise instruction sets of CPU and its security is also guaranteed by the encryption mechanism in addition to its high performance. Experimental results showed that the run-time and loading time overheads of LEA-AES are both less than 4% and the memory overhead is 0.62%.

Pure-Call Oriented Programming (PCOP): chaining the gadgets using call instructions

Return-oriented programming (ROP) and jump-oriented programming (JOP) are two well-known code-reuse attacks in which short code sequences ending in ret or jmp instructions are located and chained in a specific order to execute the attacker’s desired payload. JOP, comparing to ROP, is even more effective because it can be invoked without any reliance on the ret instruction and therefore it can bypass new defense mechanisms against ROP. In this paper, we continue this line of work by proposing Pure-Call Oriented Programming (PCOP). In PCOP, we drive the control flow by proposing special gadgets that all end in a call instruction rather than ret or jmp. We then propose techniques for chaining gadgets that removes the side-effects arise from the call-ending gadgets. The idea of having call-ending gadgets with the term Call Oriented Programming has been noted in some previous work but using call gadgets in these works, due to side-effects of the call instruction, was limited to one or two call-ending gadgets between other ret/jmp gadgets. Our work is the first that shows real code-reuse attacks solely based on call gadgets. We also show that our proposed approach is Turing-complete, meaning that any functionality can be driven by PCOP. We have successfully identified some call-oriented gadgets inside GNU libc library. Our experiments with the example shellcode show the practicality of the proposed approach. Finally, we propose a variant of PCOP named TinyCOP which resists detection by recent code-reuse defense mechanisms.

Applying Return Oriented and Jump Oriented Programming Exploitation Techniques with Heap Spraying

Applying Return Oriented and Jump Oriented Programming Exploitation Techniques with Heap Spraying

스택 영역에서의 코드 재사용 공격 탐지 메커니즘

메모리 관련 취약점은 컴퓨터 시스템 상에서의 가장 위협적인 공격이며 메모리 취약점을 이용한 실제 공격의 또한 증가하고 있다. 따라서 다양한 메모리 보호 메커니즘이 연구되고 운영체제 상에서 구현되었지만, 보호 시스템들을 우회하기 위한 새로운 공격 기법들이 함께 발전하고 있다. 특히, 메모리 관련 공격 기법 중 버퍼 오버플로우 공격은 코드 재사용 공격이라 불리는 Return-Oriented Programming(ROP), Jump-Oriented Programming(JOP)등으로 발전하여 운영체제가 포함하는 메모리 보호 메커니즘을 우회하고 있다. 본 논문에서는 코드 재사용 공격 기법의 특징을 분석하고, 분석된 결과를 이용하여 바이너리 수준에서의 코드 재사용 공격을 탐지할 수 있는 메커니즘을 제안하며, 실험을 통해 제안하는 메커니즘이 코드 재사용 공격을 효율적으로 탐지할 수 있음을 증명한다. Vulnerabilities related to memory have been known as major threats to the security of a computer system. Actually, the number of attacks using memory vulnerability has been increased. Accordingly, various memory protection mechanisms have been studied and implemented on operating system while new attack techniques bypassing the protection systems have been developed. Especially, buffer overflow attacks have been developed as Return-Oriented Programing(ROP) and Jump-Oriented Programming(JOP) called Code Re-used attack to bypass the memory protection mechanism. Thus, in this paper, I analyzed code re-use attack techniques emerged recently among attacks related to memory, as well as analyzed various detection mechanisms proposed previously. Based on the results of the analyses, a mechanism that could detect various code re-use attacks on a binary level was proposed. In addition, it was verified through experiments that the proposed mechanism could detect code re-use attacks effectively.

Efficiently Securing Systems from Code Reuse Attacks

Code reuse attacks (CRAs) are recent security exploits that allow attackers to execute arbitrary code on a compromised machine. CRAs, exemplified by return-oriented and jump-oriented programming approaches, reuse fragments of the library code, thus avoiding the need for explicit injection of attack code on the stack. Since the executed code is reused existing code, CRAs bypass current hardware and software security measures that prevent execution from data or stack regions of memory. While software-based full control flow integrity (CFI) checking can protect against CRAs, it includes significant overhead, involves non-trivial effort of constructing a control flow graph, relies on proprietary tools and has potential vulnerabilities due to the presence of unintended branch instructions in architectures such as x86—those branches are not checked by the software CFI. We propose branch regulation (BR), a lightweight hardware-supported protection mechanism against the CRAs that addresses all limitations of software CFI. BR enforces simple control flow rules in hardware at the function granularity to disallow arbitrary control flow transfers from one function into the middle of another function. This prevents common classes of CRAs without the complexity and run-time overhead of full CFI enforcement. BR incurs a slowdown of about 2% and increases the code footprint by less than 1% on the average for the SPEC 2006 benchmarks.

Branch regulation

Code reuse attacks (CRAs) are recent security exploits that allow attackers to execute arbitrary code on a compromised machine. CRAs, exemplified by return-oriented and jump-oriented programming approaches, reuse fragments of the library code, thus avoiding the need for explicit injection of attack code on the stack. Since the executed code is reused existing code, CRAs bypass current hardware and software security measures that prevent execution from data or stack regions of memory. While software-based full control flow integrity (CFI) checking can protect against CRAs, it includes significant overhead, involves non-trivial effort of constructing a control flow graph, relies on proprietary tools and has potential vulnerabilities due to the presence of unintended branch instructions in architectures such as x86---those branches are not checked by the software CFI. We propose branch regulation (BR), a lightweight hardware-supported protection mechanism against the CRAs that addresses all limitations of software CFI. BR enforces simple control flow rules in hardware at the function granularity to disallow arbitrary control flow transfers from one function into the middle of another function. This prevents common classes of CRAs without the complexity and run-time overhead of full CFI enforcement. BR incurs a slowdown of about 2% and increases the code footprint by less than 1% on the average for the SPEC 2006 benchmarks.