Loop-Oriented Programming: A New Code Reuse Attack to Bypass Modern Defenses

Lan, Bingchen; Li, Yan; Sun, Hong; Su, Chao; Liu, Yao; Zeng, Qingkai

doi:10.1109/trustcom.2015.374

Cited by 12 publications

(7 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Shacham further generalized this attack technique as return-oriented programming (ROP) [62]. Similar to control-flow-hijacking attacks that overwrite pointers [62], [11], [44], [30], [58], memory safety violations can also be abused in data-only attacks [57], [36].…”

Section: Runtime Attacksmentioning

confidence: 99%

SFIP: Coarse-Grained Syscall-Flow-Integrity Protection in Modern Systems

Canella¹,

Dörn²,

Gruss³

et al. 2022

Preprint

View full text Add to dashboard Cite

Growing code bases of modern applications have led to a steady increase in the number of vulnerabilities. Control-Flow Integrity (CFI) is one promising mitigation that is more and more widely deployed and prevents numerous exploits. CFI focuses purely on one security domain. That is, transitions between user space and kernel space are not protected by CFI. Furthermore, if user space CFI is bypassed, the system and kernel interfaces remain unprotected, and an attacker can run arbitrary transitions.In this paper, we introduce the concept of syscall-flowintegrity protection (SFIP) that complements the concept of CFI with integrity for user-kernel transitions. Our proof-of-concept implementation relies on static analysis during compilation to automatically extract possible syscall transitions. An application can opt-in to SFIP by providing the extracted information to the kernel for runtime enforcement. The concept is built on three fully-automated pillars: First, a syscall state machine, representing possible transitions according to a syscall digraph model. Second, a syscall-origin mapping, which maps syscalls to the locations at which they can occur. Third, an efficient enforcement of syscall-flow integrity in a modified Linux kernel. In our evaluation, we show that SFIP can be applied to large scale applications with minimal slowdowns. In a micro-and a macrobenchmark, it only introduces an overhead of 13.1 % and 1.8 %, respectively. In terms of security, we discuss and demonstrate its effectiveness in preventing control-flow-hijacking attacks in realworld applications. Finally, to highlight the reduction in attack surface, we perform an analysis of the state machines and syscallorigin mappings of several real-world applications. On average, SFIP decreases the number of possible transitions by 38.6 % compared to seccomp and 90.9 % when no protection is applied.

show abstract

Section: Runtime Attacksmentioning

confidence: 99%

SFIP: Coarse-Grained Syscall-Flow-Integrity Protection in Modern Systems

Canella¹,

Dörn²,

Gruss³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…By chaining multiple gadgets, it is generally possible to build arbitrary exploits. In addition to such control-flow-hijacking that overwrite pointers [83], [11], [54], [31], [77], data-only attacks [74], [42] can also violate memory safety.…”

Section: Runtime Attacksmentioning

confidence: 99%

Domain Page-Table Isolation

Canella¹,

Kogler²,

Giner³

et al. 2021

Preprint

View full text Add to dashboard Cite

Modern applications often consist of different security domains that require isolation from each other. While several solutions exist, most of them rely on specialized hardware, hardware extensions, or require less-efficient software instrumentation of the application.In this paper, we propose Domain Page-Table Isolation (DPTI), a novel mechanism for hardware-enforced security domains that can be readily used on commodity off-the-shelf CPUs. DPTI uses two novel techniques for dynamic, time-limited changes to the memory isolation at security-critical points, called memory freezing and stashing. We demonstrate the versatility and efficacy of DPTI in two scenarios: First, DPTI freezes or stashes memory to support faster and more fine-grained syscall filtering than state-of-the-art seccomp-bpf. With the provided memorysafety guarantees, DPTI can even securely support deep argument filtering, such as string comparisons. Second, DPTI freezes or stashes memory to efficiently confine potentially untrusted SGX enclaves, outperforming existing solutions by 14.6 %-22 % while providing the same security guarantees. Our results show that DPTI is a viable mechanism to isolate domains within applications using only existing mechanisms available on modern CPUs, without relying on special hardware instructions or extensions.

show abstract

“…Lan et al [78] propose a loop-oriented programming (LOP) method that uses whole functions as gadgets. This method was developed to bypass coarse-grained CFI and the shadow stack [79].…”

Section: Reuse Of Functionsmentioning

confidence: 99%

Survey of methods for automated code-reuse exploit generation.

Вишняков¹,

Нурмухаметов²

2019

Proceedings of ISP RAS

View full text Add to dashboard Cite

Аннотация. В работе приводится обзор существующих методов и инструментов автоматизированной генерации эксплойтов повторного использования кода. Такие эксплойты используют код, уже содержащийся в уязвимом приложении. Подход повторного использования кода (например, возвратно-ориентированное программирование) позволяет эксплуатировать уязвимости программного обеспечения при наличии защитного механизма операционной системы, который запрещает исполнение кода страниц памяти, помеченных в качестве данных. В статье дается определение базовых понятий таких, как гаджет, фрейм гаджета, каталог гаджетов. Кроме того, показывается, что гаджет по своей сути является инструкцией, а их набор задает некоторую виртуальную машину. Задача создания эксплойта сводится к задаче генерации кода для такой виртуальной машины. Набор команд виртуальной машины задается исполняемым кодом конкретной программы. В работе приводится обзор методов поиска гаджетов и определения их семантики (формирования каталога гаджетов). Они позволяют получить набор команд виртуальной машины. Если набор гаджетов в каталоге полон по Тьюрингу, то гаджеты из каталога можно использовать в качестве набора команд целевой архитектуры компилятора. Однако в каталоге гаджетов для конкретного приложения могут отсутствовать некоторые инструкции, поэтому в литературе было предложено несколько способов для замены отсутствующих инструкций несколькими гаджетами. Связывание гаджетов в цепочки может происходить как поиском гаджетов по шаблонам, задаваемым регулярными выражениями, так и с учетом семантики гаджета. Более того, существуют подходы конструирования ROP цепочек с использованием генетических алгоритмов, а также методы с использованием SMT-решателей. В статье проводится сравнение инструментов с открытым исходным кодом. Мы предлагаем тестовую систему rop-benchmark, с помощью которой была проведена экспериментальная проверка работоспособности генерируемых инструментами цепочек на специально сформированном наборе тестов.

show abstract

Loop-Oriented Programming: A New Code Reuse Attack to Bypass Modern Defenses

Cited by 12 publications

References 13 publications

SFIP: Coarse-Grained Syscall-Flow-Integrity Protection in Modern Systems

SFIP: Coarse-Grained Syscall-Flow-Integrity Protection in Modern Systems

Domain Page-Table Isolation

Survey of methods for automated code-reuse exploit generation.

Contact Info

Product

Resources

About