Two researchers from the University of California, Berkeley, released a paper introducing new attack techniques they contend break existing defenses against return-oriented programming (ROP).
The researchers, Nicholas Carlini and David Wagner, are slated to present their research this week at the 23rd USENIX Security Symposium in San Diego. According to Carlini and Wagner, the widespread adoption of Data Execution Prevention (DEP) as a security feature killed classic code injection attacks, and made ROP the attacker tactic of choice for modern exploits of memory-safety vulnerabilities.
“In a ROP attack, the attacker does not inject new code; instead, the malicious computation is performed by chaining together existing sequences of instructions (called gadgets),” the paper explained.
In response to this reality, defenses have been designed that fall into two broad categories, they argued. The first relies on recompilation to remove potential gadgets from the program binary or to enforce the control flow integrity (CFI) of the binary. The second category of defenses attempts to protect legacy binaries using run-time protections.
To defeat these defenses, they have developed three attack strategies.
“Our first method breaks the conventional wisdom that it is difficult to mount attacks in a fully call-preceded manner… where the instruction before each gadget is a call,” according to the paper. “Many CFI-based policies rely upon policies similar to this. Next, we show that while most existing ROP attacks consist entirely of short gadgets, it is possible to mount attacks which consist of lone gadgets as well. Therefore, defenses that distinguish a ROP attack from normal execution by looking for a series of short gadgets are not secure.”
“Finally, we examine defenses that record a limited history of the execution state of a process,” the paper continues. “We show it is possible to effectively clear out any history kept by these defenses, rendering them ineffective.”
The research in particular targets kBouncer and ROPecker, and seeks to demonstrate ways of modifying ROP attacks to slip by those defenses.
“Future defenses must take care to guard against attacks similar to ours,” according to the paper. “Specifically, we suggest two particular requirements for future defenses. First, defenses should argue either that they can inspect all relevant past history or, if they have a limited history, that their limited view of history cannot be effectively cleared out by an attacker. Second, defenses that defend against one specific aspect of ROP must argue that is a necessary component of one.”
The paper can be read here.