Classification of ROP gadgets
https://doi.org/10.15514/ISPRAS-2016-28(6)-2
Abstract
Return-oriented programming (ROP) is a dangerous exploitation technique that can be used to bypass modern defense mechanisms. ROP reuses code chunks from a program binary that end with a control transfer instruction, chaining them together to carry out some payload. These code chunks are called gadgets. However, a certain set of gadgets must be available in order to exploit a vulnerability. Determining which gadgets can be used to form a ROP chain is done by gadget search and classification. This paper introduces a method for ROP gadget classification that allows one to evaluate whether or not the ROP technique can be used to exploit a program vulnerability. Classification is based on analysis of the side effects of executing a gadget with concrete inputs. Gadget instructions are translated into an IR, which is interpreted to track register and memory usage. Initial register and memory values are randomly generated. From the initial and final values of registers and memory, gadget semantics can be explored. Classification performs several executions to determine gadget semantics. The proposed method is applied to program binaries, and its capabilities were demonstrated on 32-bit and 64-bit binaries from Ubuntu 14.04. Using the classification results, program exploitability was confirmed for several examples. Furthermore, a possible exploitation of a stack buffer overflow vulnerability in the presence of a write-what-where condition was shown on a model example, demonstrating a bypass of canary, DEP and ASLR.
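As an added illustration of the classification approach the abstract describes (not the paper's own code), the following Python toy interprets a gadget written in a small hypothetical IR with randomly generated initial registers and a constructed stack, collects the input/output relations that hold on each run, and keeps only those that survive all runs. Memory is modelled only as a small stack, `ret` is treated as the end of the gadget, and the register set and relation names are assumptions of this example.

```python
import random

MASK = (1 << 64) - 1
REGS = ("rax", "rbx", "rcx", "rdx", "rsi", "rdi")  # assumed register set

def run(gadget, regs, stack):
    """Interpret the toy IR (mov/pop/add/xchg/ret) over concrete state.
    Returns (final_regs, popped): popped lists values consumed from the stack."""
    regs, stack, popped = dict(regs), list(stack), []
    for ins in gadget:
        op = ins[0]
        if op == "mov":            # mov dst, src
            regs[ins[1]] = regs[ins[2]]
        elif op == "pop":          # pop dst  (consumes the top stack slot)
            regs[ins[1]] = stack.pop(0)
            popped.append(regs[ins[1]])
        elif op == "add":          # add dst, src  (64-bit wraparound)
            regs[ins[1]] = (regs[ins[1]] + regs[ins[2]]) & MASK
        elif op == "xchg":         # xchg a, b
            regs[ins[1]], regs[ins[2]] = regs[ins[2]], regs[ins[1]]
        elif op == "ret":          # end of gadget; return address not modelled
            break
    return regs, popped

def candidates(init, final, popped):
    """Semantic relations consistent with a single concrete execution."""
    found = set()
    for d in REGS:
        for s in REGS:
            if d != s and final[d] == init[s]:
                found.add(("MoveReg", d, s))       # d <- s
            if final[d] == (init[d] + init[s]) & MASK:
                found.add(("AddReg", d, s))        # d <- d + s
        for i, v in enumerate(popped):
            if final[d] == v:
                found.add(("PopReg", d, i))        # d <- i-th popped slot
    return found

def classify(gadget, runs=5, seed=0):
    """Intersect relations over several random executions so that chance
    coincidences on one run do not survive as gadget semantics."""
    rng = random.Random(seed)
    sem = None
    for _ in range(runs):
        init = {r: rng.getrandbits(64) for r in REGS}     # random registers
        stack = [rng.getrandbits(64) for _ in range(4)]   # constructed stack
        final, popped = run(gadget, init, stack)
        c = candidates(init, final, popped)
        sem = c if sem is None else sem & c
    return sem
```

Registers the gadget leaves untouched yield no relation, since `MoveReg` requires distinct registers and the arithmetic relation would need a zero operand; this is why multiple runs are needed to reject such coincidences.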
About the Author
A. V. Vishnyakov
Institute for System Programming of the Russian Academy of Sciences
Russian Federation
For citations:
Vishnyakov A.V.
Classification of ROP gadgets. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2016;28(6):27-36.
(In Russ.)
https://doi.org/10.15514/ISPRAS-2016-28(6)-2