Return-oriented Programming Gadgets Research Articles

Ret-gadgets in RISC-V-based Binaries Resulting in Traps for Hijackers

The presence of instructions within executable programs is what makes the binaries executable. However, attackers leverage on the same to achieve some form of Control Flow Hijacking (CFH). Such code re-use attacks have also been found to lead to Denial of Service (DoS). An example of code re-use attack is Return Oriented Programming (ROP) which is caused by passing input crafted as chained sequences of instructions that are already existing as subroutines in the target program. The instructions are called gadgets and they would normally end with ret. The ret instructions enable the flow of hijacked execution from one set of instruction to another within the attacker’s control. There could however be exceptions depending on the structure of the chained gadgets where the chained gadget fails to run its course due to inability of specific gadgets to replace the value in the return address (ra) register. The dangers of chained gadgets are not a new idea but the possibility for an attacker’s gadget chain to fall into a trap during a ROP attack is not commonly addressed. In addition to this, recent studies have revealed that understanding the behaviours of gadgets would be useful for building information base in training machine learning (ML) models to combat ROP. This study explains the behaviour of certain ROP gadgets showing the possibility of occurrence of a loop in execution during exploitation. A sample program which accesses gadgets from the GNU C library (glibc) is used to demonstrate the findings. Gadgets identified with this possibility are poor for chaining as they do not contain instructions to load or move new values to the ra register and would produce unreliable exploits. This would result in a trap for the chained gadgets instead of arbitrary code execution, and DoS on the path of the user. This implies that the impact that a ROP chain could have on a targeted process does not only rely on the underlying system architecture but also on relies on the structure of the chained gadget. In this paper, the RISC-V architecture is the focus, new gadget finders (scripts are available) are presented, and sample of chained gadgets are analysed on a RISC-V -based binary.

ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets

Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of recent operating systems. Although existing ROP detection approaches mainly focus on host-based intrusion detection systems (HIDSes), network-based intrusion detection systems (NIDSes) are also desired to protect various hosts including IoT devices on the network. However, existing approaches are not enough for network-level protection due to two problems: (1) Dynamic approaches take the time with second- or minute-order on average for inspection. For applying to NIDSes, millisecond-order is required to achieve near real time detection. (2) Static approaches generate false positives because they use heuristic patterns. For applying to NIDSes, false positives should be minimized to suppress false alarms. In this paper, we propose a method for statically detecting ROP chains in malicious data by learning the target libraries (i.e., the libraries that are used for ROP gadgets). Our method accelerates its inspection by exhaustively collecting feasible ROP gadgets in the target libraries and learning them separated from the inspection step. In addition, we reduce false positives inevitable for existing static inspection by statically verifying whether a suspicious byte sequence can link properly when they are executed as a ROP chain. Experimental results showed that our method has achieved millisecond-order ROP chain detection with high precision.

Transforming malicious code to ROP gadgets for antivirus evasion

This study advances research in offensive technology by proposing return oriented programming (ROP) as a means to achieve code obfuscation. The key inspiration is that ROP's unique structure poses various challenges to malware analysis compared to traditional shellcode inspection and detection. The proposed ROP-based attack vector provides two unique features: (i) the ability to automatically analyse and generate equivalent ROP chains for a given code, and (ii) the ability to reuse legitimate code found in an executable in the form of ROP gadgets. To this end, a software tool named ROPInjector was developed which, given any piece of shellcode and any legitimate executable file, it transforms the shellcode to its ROP equivalent re-using the available code in the executable and finally patches the ROP chain infecting the executable. After trying various combinations of evasion techniques, the results show that ROPInjector can evade nearly and completely all antivirus software employed in the online VirusTotal service, making ROP an effective ingredient for code obfuscation. This attack vector poses a serious threat which malicious actors can take advantage to perform cyber-attack campaigns.

Классификация ROP гаджетов

Return-oriented programming (ROP) is a dangerous exploitation technique which can be used to bypass modern defense mechanisms. ROP reuses code chunks ending with control transfer instruction from a program binary to form a chain corresponding some payload. These code chunks are called gadgets. Though, a certain set of gadgets should be available to exploit a vulnerability. Determining gadgets that can be used to form a ROP chain can be done by gadgets search and classification. This paper introduces a method for ROP gadgets classification that allows one to evaluate whether or not ROP technique can be used to exploit a program vulnerability. Classification is based on side-effects analysis of gadget execution with concrete inputs. Gadget instructions are translated into IR which is interpreted to track registers and memory usage. Initial registers and memory values are randomly generated. According to initial and final values of registers and memory gadget semantics can be explored. Classification performs several executions to determine gadget semantics. Proposed method is applied to program binaries and its capabilities were demonstrated on 32-bit and 64-bit binaries from Ubuntu 14.04. Using classification results program exploitability was confirmed for several examples. Furthermore, a possible exploitation of stack buffer overflow vulnerability in presence of write-what-where condition was shown on a model example demonstrating a bypass of canary, DEP and ASLR.