Frontiers of Computer Science

ISSN 2095-2228

ISSN 2095-2236(Online)

Front. Comput. Sci.    2022, Vol. 16 Issue (4) : 164818    https://doi.org/10.1007/s11704-021-0342-8
RESEARCH ARTICLE
SeBROP: blind ROP attacks without returns
Tianning ZHANG1, Miao CAI2, Diming ZHANG3, Hao HUANG1
1. Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China
2. School of Computer and Information, Hohai University, Nanjing 211106, China
3. College of Computer Engineering, Jiangsu University of Science and Technology, Zhenjiang 212008, China
Abstract

Currently, security-critical server programs are well protected by various defense techniques, such as Address Space Layout Randomization (ASLR), eXecute Only Memory (XOM), and Data Execution Prevention (DEP), against modern code-reuse attacks like Return-oriented Programming (ROP). Moreover, in these victim programs most syscall instructions are not followed by a ret instruction, which prevents an attacker from stitching multiple system calls together to implement advanced behaviors such as launching a remote shell. The lack of this kind of gadget greatly constrains the capability of code-reuse attacks. This paper proposes a novel code-reuse attack method called Signal Enhanced Blind Return Oriented Programming (SeBROP) to address these challenges. SeBROP can launch a successful exploit against server-side programs using only a stack overflow vulnerability. By leveraging a side channel that exists in the victim program, we show how to find a variety of gadgets blindly, without any prior knowledge and without reading or disassembling the code segment. We then propose a technique that exploits the current, vulnerable signal checking mechanism to control the execution flow even when ret instructions are absent. Our technique can stitch a number of system calls without returns, which goes beyond what conventional ROP attacks can do. Finally, the SeBROP attack precisely identifies many useful gadgets that constitute a Turing-complete set. The SeBROP attack can defeat almost all state-of-the-art defense techniques and is compatible with both modern 64-bit and 32-bit systems. To validate its effectiveness, we craft three SeBROP exploits for three real-world applications, i.e., 32-bit Apache 1.3.49, 32-bit ProFTPD 1.3.0, and 64-bit Nginx 1.4.0. Experimental results demonstrate that the SeBROP attack can successfully spawn a remote shell on Nginx, ProFTPD, and Apache with fewer than 8500, 4300, and 2100 requests, respectively.
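The abstract reports that the blind attack needs thousands of requests before it succeeds, and Tab.5 shows most of them spent on blind gadget probing, where every wrong guess kills a worker process. From the defender's side, that leaves a very visible trace: a burst of worker processes exiting on fatal signals in the server's error log. The following script, an added example that is not part of the paper or of any of the evaluated servers, implements that detection over constructed, Nginx-style error-log lines. The log format matched by the regular expression, the set of signals treated as fatal, and the threshold and window are all assumptions; a practitioner would tune them to the server in question.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed Nginx-style error-log line for a worker killed by a signal, e.g.
# "2021/01/26 12:00:00 [alert] 1000#0: worker process 5000 exited on signal 11".
# The format is an assumption; all sample lines below are constructed.
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)
# Signals a memory-corruption probe typically triggers: SIGSEGV, SIGBUS, SIGILL, SIGABRT.
FATAL_SIGNALS = {11, 7, 4, 6}


def parse_crash(line):
    """Return (timestamp, pid) for a fatal worker exit, or None for any other line."""
    m = CRASH_RE.match(line)
    if not m or int(m.group("sig")) not in FATAL_SIGNALS:
        return None
    return datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"), int(m.group("pid"))


def detect_crash_storms(lines, threshold=20, window=timedelta(minutes=5)):
    """Sliding-window detector: emit (timestamp, count) for every fatal worker
    exit that brings the number of such exits in the trailing window to at
    least `threshold`. Isolated crashes never reach the threshold; a blind
    probing campaign does within a couple of minutes."""
    recent = deque()          # timestamps of fatal exits inside the window
    alerts = []
    for line in lines:
        parsed = parse_crash(line)
        if parsed is None:
            continue
        ts, _pid = parsed
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop crashes that fell out of the window
        if len(recent) >= threshold:
            alerts.append((ts, len(recent)))
    return alerts


def _crash_line(ts, pid, sig=11):
    # Constructed log line in the assumed format.
    return f"{ts:%Y/%m/%d %H:%M:%S} [alert] 1000#0: worker process {pid} exited on signal {sig}"


def build_sample_log():
    """Constructed sample: background noise of three isolated crashes over an
    hour, one unrelated notice line, then a burst of 25 crashes in two minutes."""
    base = datetime(2021, 1, 26, 10, 0, 0)
    lines = [_crash_line(base + timedelta(minutes=15 * i), 4000 + i) for i in range(3)]
    lines.append(f"{base:%Y/%m/%d %H:%M:%S} [notice] 1000#0: signal 17 (SIGCHLD) received")
    burst = base + timedelta(hours=2)
    lines.extend(_crash_line(burst + timedelta(seconds=5 * i), 5000 + i) for i in range(25))
    return lines


if __name__ == "__main__":
    for ts, count in detect_crash_storms(build_sample_log()):
        print(f"{ts:%Y/%m/%d %H:%M:%S}  {count} fatal worker exits in the last 5 minutes")
```

With the sample log the three background crashes are evicted from the window before the burst starts, so the first alert fires on the 20th crash of the burst (12:01:35) and one more on each of the five crashes after it. A real deployment would raise the alert once and suppress repeats, and would correlate the crashing worker PIDs with the client addresses in the access log to identify the source of the probing.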

Keywords: code-reuse attack; ROP; signal
Corresponding Author(s): Tianning ZHANG   
Just Accepted Date: 26 January 2021   Issue Date: 30 December 2021
 Cite this article:   
Tianning ZHANG,Miao CAI,Diming ZHANG, et al. SeBROP: blind ROP attacks without returns[J]. Front. Comput. Sci., 2022, 16(4): 164818.
 URL:  
https://academic.hep.com.cn/fcs/EN/10.1007/s11704-021-0342-8
https://academic.hep.com.cn/fcs/EN/Y2022/V16/I4/164818
Attack Precondition Environment Protections
Dump code Syscall gadget 32-bit 64-bit JIT compiler DEP Fine-grained ASLR XOM Readactor
BROP [4] Yes No No Yes No × ×
SROP [6] Yes Yes No Yes No ×
JIT-ROP [11] Yes Yes No No Yes × ×
SeBROP No No Yes Yes No × × × ×
Tab.1  Comparison of four ROP attacks. Syscall gadget means the gadget in the form of <syscall; ret> or <int 0x80; ret>. × means the attack can bypass the protection. means that the protection can defend the attack
Fig.1  The number of syscall gadgets in x86_64 libraries and binaries
Category        Gadgets
Set register    <sigreturn>
Load/Store      <mov reg1, [reg2+off]; ret>
                <mov [reg1+off], reg2; ret>
Arithmetic      <add [reg1+off], reg2; ret>
                <adc [reg1+off], reg2; ret>
                <neg rax; ret>
Logical         <xor [reg1+off], reg2; ret>
                <or [reg1+off], reg2; ret>
                <and [reg1+off], reg2; ret>
                <rol [reg1+off], reg2; ret>
                <not rax; ret>
Branching       <sigreturn> (unconditional jump)
                <instr1...instrn, sigreturn> (conditional jump)
System Call     <syscall; ret>
Tab.2  Turing-complete gadget set. The sigreturn gadget consists of a pop rax; ret gadget, a syscall instruction, and a counterfeit signal frame. The sigreturn can set the value of every register, including rsp and eflags. reg1 and reg2 represent any general-purpose registers; off represents the immediate offset in the gadget.
Fig.2  Identifying the immediate offset of the load gadget. For instance, the gadget is mov rax, [rax+40]; ret. If we set the rax register value bigger than end_addr minus 0x40, the gadget will crash the program; otherwise the program won't crash. end_addr minus 0x40 is therefore the critical point, and finding this value reveals the immediate offset. start_addr and end_addr represent the upper and lower boundaries of the memory mapping
Fig.3  
Fig.4  Implementing a conditional jump. We describe the steps to realize the conditional jump with the gadgets we found. When we perform the neg rax operation, one of two situations occurs depending on the rax value; we show both in the dotted box. Ultimately, we use a sigreturn system call to divert the control flow
Fig.5  Stitching a sequence of system calls
Fig.6  Stack layout change. Here we demonstrate how our malicious signal handler works. We describe the stack layout change of the signal receiving process in eight stages
Fig.7  
Fig.8  
Fig.9  
Fig.10  The whole attack procedure in a Ruby script
Attack phase                              ROP chain length
Searching for stop gadget                 1 (8 bytes)
Looking for the <pop;ret> gadget          3 (24 bytes)
Fingerprinting the syscall instruction    51
Testing for a normal memory gadget        57
Differentiating a memory gadget           around 57 and 118
Launching the final attack                376
Tab.3  ROP chain length per attack phase in Nginx
Category        Gadgets
Set register    <sigreturn>
                <pop rax; add rsp, 8; ret>
                <pop rsi; pop rdi; ret>
                <pop rdx; ret>
                <pop rcx; ret>
Load/Store      <mov dword ptr [rax], edi; ret>
                <mov qword ptr [rsi + 8], rax; ret>
                <mov rax, qword ptr [rax + 8]; ret>
Arithmetic      <add dword ptr [rcx], eax; ret>
                <adc byte ptr [r8 - 0x77], r9b; ret>
                <add dword ptr [rdx + 8], eax; ret>
                <neg rax; ret>
Logical         <and byte ptr [rcx], al; ret>
                <xor byte ptr [rax - 0x77], cl; ret>
                <not rax; add rsp, 8; ret>
Branching       <sigreturn>
System Call     <syscall> instr
Tab.4  An excerpt of the gadgets we collect. We only list the most frequently used gadgets
Attack phase                Nginx    ProFTPD    Apache
Stack reading                710          0         0
Find basic gadgets          2280       1320       990
Find shared memory          2449       1490      1027
Find all ret instructions   5859       3087      1844
Fingerprint all gadgets     8390       4250      2066
Launch a shell              8395       4256      2068
Tab.5  Cumulative number of requests per attack phase
Fig.11  Gadgets found in Apache, ProFTPD and Nginx. (a) Apache; (b) ProFTPD; (c) Nginx
1 R Roemer, E Buchanan, H Shacham, S Savage. Return-oriented programming: systems, languages, and applications. ACM Transactions on Information and System Security, 2012, 15(1): 2:1–2:34
2 O Whitehouse. An analysis of address space layout randomization on Windows Vista. Symantec Advanced Threat Research, 2007, 1–14
3 D Lie, C A Thekkath, M Mitchell, P Lincoln, D Boneh, J C Mitchell, M Horowitz. Architectural support for copy and tamper resistant software. In: Proceedings of International Conference on Architectural Support for Programming Languages and Operating Systems. 2000, 168–177
4 A Bittau, A Belay, A J Mashtizadeh, D Mazières, D Boneh. Hacking blind. In: Proceedings of IEEE Symposium on Security and Privacy. 2014, 227–242
5 K Lu, C Song, B Lee, S P Chung, T Kim, W Lee. ASLR-Guard: stopping address space leakage for code reuse attacks. In: Proceedings of ACM Conference on Computer and Communications Security. 2015, 280–291
6 E Bosman, H Bos. Framing signals - a return to portable shellcode. In: Proceedings of IEEE Symposium on Security and Privacy. 2014, 243–258
7 C Cowan, C Pu, D Maier. StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of USENIX Security Symposium. 1998, 98: 63–78
8 C Kil, J Jun, C Bookholt, J Xu, P Ning. Address space layout permutation (ASLP): towards fine-grained randomization of commodity software. In: Proceedings of Annual Computer Security Applications Conference. 2006, 339–348
9 S Crane, C Liebchen, A Homescu, L Davi, P Larsen, A Sadeghi, S Brunthaler, M Franz. Readactor: practical code randomization resilient to memory disclosure. In: Proceedings of IEEE Symposium on Security and Privacy. 2015, 763–780
10 S J Crane, S Volckaert, F Schuster, C Liebchen, P Larsen, L Davi, A Sadeghi, T Holz, B D Sutter, M Franz. It's a trap: table randomization and protection against function-reuse attacks. In: Proceedings of ACM Conference on Computer and Communications Security. 2015, 243–255
11 K Z Snow, F Monrose, L Davi, A Dmitrienko, C Liebchen, A Sadeghi. Just-in-time code reuse: on the effectiveness of fine-grained address space layout randomization. In: Proceedings of IEEE Symposium on Security and Privacy. 2013, 574–588
12 G Maisuradze, M Backes, C Rossow. What cannot be read, cannot be leveraged? Revisiting assumptions of JIT-ROP defenses. In: Proceedings of USENIX Security Symposium. 2016, 139–156
13 S Bhatkar, D C DuVarney, R Sekar. Efficient techniques for comprehensive protection from memory error exploits. In: Proceedings of USENIX Security Symposium. 2005, 255–270
14 L V Davi, A Dmitrienko, S Nürnberger, A Sadeghi. Gadge me if you can: secure and efficient ad-hoc instruction-level randomization for x86 and ARM. In: Proceedings of ACM Symposium on Information, Computer and Communications Security. 2013, 299–310
15 R Wartell, V Mohan, K W Hamlen, Z Lin. Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In: Proceedings of the ACM Conference on Computer and Communications Security. 2012, 157–168
16 J Hiser, A Nguyen-Tuong, M Co, M Hall, J W Davidson. ILR: where'd my gadgets go? In: Proceedings of IEEE Symposium on Security and Privacy. 2012, 571–585
17 V Pappas, M Polychronakis, A D Keromytis. Smashing the gadgets: hindering return-oriented programming using in-place code randomization. In: Proceedings of IEEE Symposium on Security and Privacy. 2012, 601–615
18 M Backes, T Holz, B Kollenda, P Koppe, S Nürnberger, J Pewny. You can run but you can't read: preventing disclosure exploits in executable code. In: Proceedings of ACM Conference on Computer and Communications Security. 2014, 1342–1353
19 M Backes, S Nürnberger. Oxymoron: making fine-grained memory randomization practical by allowing code sharing. In: Proceedings of USENIX Security Symposium. 2014, 433–447
20 M Zhang, R Sahita, D Liu. Executable-only-memory switch (XOM-switch): hiding your code from advanced code reuse attacks in one shot. Black Hat Asia, 2018
21 M Pomonis, T Petsios, A D Keromytis, M Polychronakis, V P Kemerlis. kR^X: comprehensive kernel protection against just-in-time code reuse. In: Proceedings of European Conference on Computer Systems. 2017, 420–436
22 A Tang, S Sethumadhavan, S J Stolfo. Heisenbyte: thwarting memory disclosure attacks using destructive code reads. In: Proceedings of ACM Conference on Computer and Communications Security. 2015, 256–267
23 H Shacham, M Page, B Pfaff, E Goh, N Modadugu, D Boneh. On the effectiveness of address-space randomization. In: Proceedings of ACM Conference on Computer and Communications Security. 2004, 298–307
24 T Petsios, V P Kemerlis, M Polychronakis, A D Keromytis. DynaGuard: armoring canary-based protections against brute-force attacks. In: Proceedings of Annual Computer Security Applications Conference. 2015, 351–360
25 D Williams-King, G Gobieski, K Williams-King, J P Blake, X Yuan, P Colp, M Zheng, V P Kemerlis, J Yang, W Aiello. Shuffler: fast and deployable continuous code re-randomization. In: Proceedings of USENIX Symposium on Operating Systems Design and Implementation. 2016, 367–382
26 Z Wang, C Wu, J Li, Y Lai, X Zhang, W Hsu, Y Cheng. ReRanz: a light-weight virtual machine to mitigate memory disclosure attacks. In: Proceedings of ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments. 2017, 143–156
27 C Giuffrida, A Kuijsten, A S Tanenbaum. Enhanced operating system security through efficient and fine-grained address space randomization. In: Proceedings of USENIX Security Symposium. 2012, 475–490
28 K Lu, W Lee, S Nürnberger, M Backes. How to make ASLR win the clone wars: runtime re-randomization. In: Proceedings of Annual Network and Distributed System Security Symposium. 2016
29 M Abadi, M Budiu, Ú Erlingsson, J Ligatti. Control-flow integrity. In: Proceedings of ACM Conference on Computer and Communications Security. 2005, 340–353
30 N Christoulakis, G Christou, E Athanasopoulos, S Ioannidis. HCFI: hardware-enforced control-flow integrity. In: Proceedings of ACM Conference on Data and Application Security and Privacy. 2016, 38–49
31 V Pappas, M Polychronakis, A D Keromytis. Transparent ROP exploit mitigation using indirect branch tracing. In: Proceedings of USENIX Security Symposium. 2013, 447–462
32 Y Cheng, Z Zhou, M Yu, X Ding, R H Deng. ROPecker: a generic and practical approach for defending against ROP attacks. In: Proceedings of Annual Network and Distributed System Security Symposium. 2014, 1–14
33 L Davi, A Sadeghi, D Lehmann, F Monrose. Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection. In: Proceedings of USENIX Security Symposium. 2014, 401–416
34 V Kuznetsov, L Szekeres, M Payer, G Candea, R Sekar, D Song. Code-pointer integrity. In: The Continuing Arms Race: Code-Reuse Attacks and Defenses. Association for Computing Machinery and Morgan & Claypool, 2018