Title | ROP is still Dangerous: Breaking Modern Defenses [link] | ||
Author | Nicholas Carlini and David Wagner from University of California, Berkeley | Contact | N/A |
Publishing | 23rd USENIX Security Symposium | Year | 2014 |
Abstract | Return Oriented Programming (ROP) has become the exploitation technique of choice for modern memory-safety vulnerability attacks. Recently, there have been multiple attempts at defenses to prevent ROP attacks. In this paper, we introduce three new attack methods that break many existing ROP defenses. Then we show how to break kBouncer and ROPecker, two recent low-overhead defenses that can be applied to legacy software on existing hardware. We examine several recent ROP attacks seen in the wild and demonstrate that our techniques successfully cloak them so they are not detected by these defenses. Our attacks apply to many CFI-based defenses which we argue are weaker than previously thought. Future defenses will need to take our attacks into account. | ||
Summary |
1. Careful observation of previous state-of-the-art defense mechanisms
(1) kBouncer
(2) ROPecker
(3) Evaluation of the two previous defense mechanisms ()
2. Key attack primitives
(1) Call-preceded ROP gadgets: Both defenses check whether a gadget is non-call-preceded
(2) Evasion attack: Both defenses use a length-based classifier
(3) History flushing: Both defenses inspect only a limited amount of history
3. Implications for defenses (Lessons Learned)
(1) Do not rely on a limited amount of history
(2) Choosing call-preceded ROP gadgets (6%) is feasible (in >70K text)
(3) Classifying code as “gadget” vs “non-gadget” is challenging
(4) What are the fundamental properties that determine a ROP attack? (Open question in research)
|
||
Note |
This paper illustrates how even cutting-edge defense mechanisms against ROP attacks can be broken with carefully chosen gadgets, viewed from an attacker’s perspective. The authors show that even the intuitively less useful call-preceded gadgets are sufficient to mount a valid attack. Also, a heuristic-based approach to classifying gadgets vs. non-gadgets can be evaded. History flushing and the evasion technique make it possible to defeat all of these meticulous inspections as well. They leave open a question: it is time to consider the fundamental attributes of ROP attacks when designing defenses against further exploits. I made a presentation on this paper in a security reading group at Stony Brook University. The material is available here. |
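To make the three primitives in the summary concrete from the defender's side, here is an added model (not code from the paper or from kBouncer/ROPecker) of an LBR-style indirect-branch checker: it inspects only the most recent window of branch records, flags returns whose target is not preceded by a call, and flags runs of short "gadget-like" sequences. The window size, gadget length and chain threshold, the two x86 call encodings, and the code map and traces are all constructed assumptions; the three traces show which of the summary's lessons each check misses.

```python
from dataclasses import dataclass

HISTORY = 16            # records inspected per check (LBR-style limit); assumed value
GADGET_MAX_INSNS = 20   # sequences this short before an indirect branch count as gadgets; assumed
CHAIN_THRESHOLD = 8     # this many consecutive gadgets raise an alert; assumed

@dataclass
class Branch:
    kind: str     # "ret", "call" or "jmp"
    target: int   # address the branch landed on
    insns: int    # instructions executed from target until the next indirect branch

def is_call_preceded(target: int, code: bytes, base: int) -> bool:
    """True when the bytes just before target decode as a call. Only two x86
    encodings are modelled: E8 rel32 (5 bytes) and FF 15 disp32 (6 bytes)."""
    off = target - base
    if off >= 5 and code[off - 5] == 0xE8:
        return True
    return off >= 6 and code[off - 6:off - 4] == b"\xff\x15"

def inspect(history: list, code: bytes, base: int) -> list:
    """Reasons the checker would flag the most recent window; empty means pass."""
    window = history[-HISTORY:]   # older records are already gone: the history limit
    reasons = []
    for b in window:              # check 1: every return must land after a call
        if b.kind == "ret" and not is_call_preceded(b.target, code, base):
            reasons.append(f"non-call-preceded return to {b.target:#x}")
    run = 0
    for b in window:              # check 2: length-based gadget-chain heuristic
        run = run + 1 if b.insns <= GADGET_MAX_INSNS else 0
        if run >= CHAIN_THRESHOLD:
            reasons.append("gadget chain reached length threshold")
            break
    return reasons

# Constructed code map: a 64-byte region containing two call encodings.
BASE = 0x4000
CODE = bytearray(64)
CODE[10] = 0xE8               # call rel32 at 0x400a, so 0x400f is call-preceded
CODE[20:22] = b"\xff\x15"     # call [rip+disp32] at 0x4014, so 0x401a is call-preceded

# Trace 1: short gadgets at a non-call-preceded address; both checks fire.
NAIVE = [Branch("ret", BASE + 40, 3) for _ in range(8)]
# Trace 2: call-preceded targets and long gadgets; neither check fires.
CLOAKED = [Branch("ret", BASE + 15 if i % 2 else BASE + 26, 25) for i in range(8)]
# Trace 3: trace 1 followed by enough benign calls to push it out of the window.
FLUSHED = NAIVE + [Branch("call", BASE + 15, 30) for _ in range(HISTORY)]
```

The lesson the summary draws ("do not rely on a limited amount of history") is exactly why `inspect(FLUSHED, ...)` passes: the check only ever sees the benign tail.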