Survey of methods for automated code-reuse exploit generation.

Вишняков, А.В.; Нурмухаметов, А.Р.

doi:10.15514/ispras-2019-31(6)-6

Cited by 1 publication

(3 citation statements)

References 53 publications

(142 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Classification does not guarantee that semantics hold for arbitrary input data. For the exact classification, formal verification must be performed [22]. We partially mitigate it by adding specific input data for corner cases [42] A. Gadget Preprocessing Gadget catalog does not represent gadgets that load multiple values from the stack to registers at once, e.g., pop rax ; pop rbx ; pop rdi ; ret 1 .…”

Section: Gadget Catalogingmentioning

confidence: 99%

“…At first, code-reuse exploits were constructed manually, but this process gradually became automated with time. At the moment, the literature presents a set of approaches to automated code-reuse exploit construction [9][10][11][12][13][14][15][16][17][18][19][20][21][22]. The tools are even available for some of them [23][24][25][26][27][28][29].…”

Section: Introductionmentioning

confidence: 99%

“…In the first stage, found gadgets constitute a gadget catalog [22]. After that, one derives the gadget semantics and catalogs them.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

MAJORCA: Multi-Architecture JOP and ROP Chain Assembler

Nurmukhametov,

Vishnyakov,

Logunova

et al. 2021

Preprint

View full text Add to dashboard Cite

Nowadays, exploits often rely on a code-reuse approach. Short pieces of code called gadgets are chained together to execute some payload. Code-reuse attacks can exploit vulnerabilities in the presence of operating system protection that prohibits data memory execution. The ROP chain construction task is the code generation for the virtual machine defined by an exploited executable. It is crucial to understand how powerful ROP attacks can be. Such knowledge can be used to improve software security. We implement MAJORCA that generates ROP and JOP payloads in an architecture agnostic manner and thoroughly consider restricted symbols such as null bytes that terminate data copying via strcpy. The paper covers the whole code-reuse payloads construction pipeline: cataloging gadgets, chaining them in DAG, scheduling, linearizing to the ready-torun payload. MAJORCA automatically generates both ROP and JOP payloads for x86 and MIPS. MAJORCA constructs payloads respecting restricted symbols both in gadget addresses and data. We evaluate MAJORCA performance and accuracy with ropbenchmark and compare it with open-source compilers. We show that MAJORCA outperforms open-source tools. We propose a ROP chaining metric and use it to estimate the probabilities of successful ROP chaining for different operating systems with MAJORCA as well as other ROP compilers to show that ROP chaining is still feasible. This metric can estimate the efficiency of OS defences.

show abstract

Section: Gadget Catalogingmentioning

confidence: 99%