Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researchers Reveal Return-Oriented Programming Tactics for Breaking Security Defenses

Two researchers from the University of California, Berkeley, released a paper introducing new attack techniques they contend break existing defenses against return-oriented programming (ROP).

Two researchers from the University of California, Berkeley, released a paper introducing new attack techniques they contend break existing defenses against return-oriented programming (ROP).

The researchers, Nicholas Carlini and David Wagner, are slated to present their research this week at the 23rd USENIX Security Symposium in San Diego. According to Carlini and Wagner, the widespread adoption of Data Execution Prevention (DEP) as a security feature killed classic code injection attacks, and made ROP the attacker tactic of choice for modern exploits of memory-safety vulnerabilities.

“In a ROP attack, the attacker does not inject new code; instead, the malicious computation is performed by chaining together existing sequences of instructions (called gadgets),” the paper explained.

In response to this reality, defenses have been designed that fall into two broad categories, they argued. The first relies on recompilation to remove potential gadgets from the program binary or to enforce the control flow integrity (CFI) of the binary. The second category of defenses attempts to protect legacy binaries using run-time protections.

To defeat these defenses, they have developed three attack strategies.

“Our first method breaks the conventional wisdom that it is difficult to mount attacks in a fully call-preceded manner… where the instruction before each gadget is a call,” according to the paper. “Many CFI-based policies rely upon policies similar to this. Next, we show that while most existing ROP attacks consist entirely of short gadgets, it is possible to mount attacks which consist of lone gadgets as well. Therefore, defenses that distinguish a ROP attack from normal execution by looking for a series of short gadgets are not secure.”

“Finally, we examine defenses that record a limited history of the execution state of a process,” the paper continues. “We show it is possible to effectively clear out any history kept by these defenses, rendering them ineffective.”

The research in particular targets kBouncer and ROPecker, and seeks to demonstrate ways of modifying ROP attacks to slip by those defenses.

Advertisement. Scroll to continue reading.

“Future defenses must take care to guard against attacks similar to ours,” according to the paper. “Specifically, we suggest two particular requirements for future defenses. First, defenses should argue either that they can inspect all relevant past history or, if they have a limited history, that their limited view of history cannot be effectively cleared out by an attacker. Second, defenses that defend against one specific aspect of ROP must argue that is a necessary component of one.”

The paper can be read here

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.