Andrei Homescu Michael Stewart Stefan Brunthaler Per Larsen Michael Franz University of California Irvine Return-Oriented Programming

Return-oriented Programming

Slide diagram: simplified ROP jailbreak attack. The stack holds gadget addresses (0x080, 0x1C0, ...) interleaved with data words ("OPEN", "CONNECTION", "TO THE", "WHITEHOUSE"); each gadget (e.g. ADD EAX, EBX; RETURN or POP EBP; RETURN) ends in a return that hands control to the next gadget in the direction of stack growth.

Return-oriented Programming (background)

  • Original version: hand-picked set of gadgets from libc; downside: specific to one library (Debian 5 libc).
  • Later work uses automated scanners:
      • scan for 1-instruction gadgets
      • match using expression trees
      • use postconditions
      • formulate gadget outputs as boolean functions and hand them to an SMT solver

Complicated Gadgets

  • More than one instruction per gadget
  • Complex instruction operands (memory offsets, immediates)
  • Interference between instructions

Gadget Examples

  Instruction                   Encoding
  ADD EAX, [EBX+0x35CFE022]     03 83 22 E0 CF 35
  LEA EAX, [EBX+2*EAX+0x20]     8D 44 43 20
  INC [0x98560F0E]              FF 05 0E 0F 56 98
  ADD EAX, EBX                  01 D8
  INC EAX                       40
  ADD EAX, 0x20                 83 C0 20
  POP EBP                       5D

Goals for Our Gadget Set

  • Ubiquity: present in as many binaries as possible
  • Computational power: Turing-complete
  • Simplicity

Key Insight for Ubiquity

Smaller gadgets occur more frequently.

Microgadget Set

  • Focus on very small gadgets (2-3 bytes)
  • Grouped into classes, by operation
  • 1 instruction + RET in each gadget
  • Expectation: this set is found very frequently in large binaries (ubiquity)

Smallest Gadget

RET (C3)

2 Byte Microgadgets

  • XCHG EAX,reg for register-to-register moves
  • POP reg for loading constants
  • LAHF / PUSHF for loading flags
  • INC / DEC reg
  • CLC / SAHF / DAA / ... to clear the carry flag
  • PUSHA to copy ESP into another register
  • LEAVE to change ESP
  • LODSD / STOSD for memory accesses
  • PUSH reg for control flow (function calls)

Attack example (slide diagram, no ASLR)

Gadget 1 loads the address of mmap into a register; Gadget 2 loads ESP into EBP; Gadget 3 is PUSH reg; RET, with the return address and arg 1 to arg 6 laid out on the stack; Gadget 4 loads a word of the payload; Gadget 5 is LEAVE; RET; Gadget 6 is STOSD; RET; ...; Gadget N is PUSH EAX; RET.

3 Byte Microgadgets

  • ADD / ADC / SUB / SBB
  • XOR / NOT / NEG
  • AND / OR
  • One memory load, if the 2-byte version is not available
  • One memory store, if the 2-byte version is not available
  • One operation to copy ESP at the beginning
  • For an ASLR-proof mmap call: just add a given value to ESP

Conditional Branches

  • Needed for Turing-completeness; tricky
  • Supported operation: "branch if A < B"
  • Addition/subtraction => CF => branch
  • Branch target is loaded from a table

Slide diagram: a pointer to an address table indexed by CF (0 selects the false-case address, 1 the true-case address); the ROP program contains the conditional branch code, the true-case code, the false-case code, and more code after them.

Turing-completeness

  • Model implements the subneg variant of OISC (one-instruction set computer)
  • Only 3 operations needed:
      • subtraction
      • less-than comparison
      • conditional branching
  • subneg and subleq are known to be Turing-complete
  • Bonus operations: addition, boolean operations, extra memory loads/stores

Evaluation

Number of binaries per distribution that contain the microgadget set. The extracted column headers were: All, no XCHG, XCHG, mmap, c-mode, i-mode, no ASLR, ASLR; the grouping of the six counts under these headers did not survive extraction, so the counts are given in their original order.

  Distribution     Total binaries   Counts (in extracted order)
  Kubuntu 7.10     1337             404  262  27  8   17  9
  Ubuntu 9.04      1492             434  212  31  4   21  6
  Ubuntu 10.04     1587             497  164  35  10  24  12
  Kubuntu 11.10    1655             565  271  45  15  39  15

Attack Example (slide diagram, with ASLR)

Gadget 1 loads the address of mmap into a register; Gadget 2 copies ESP to EBP; Gadget 3 adds an offset to EBP; Gadget 4 is PUSH reg; RET, with arg 1 to arg 6 on the stack; Gadget 5 loads a word of the payload; Gadget 6 is LEAVE; RET; Gadget 7 is STOSD; RET; ...; Gadget N is PUSH EAX; RET.

Conclusion - Goals

  • Ubiquity: in as many binaries as possible
  • Simplicity
  • Computational power: Turing-complete

Future Work

  • Make classes larger
  • Port to 64 bits: not trivial!
  • Extend the model to other return/jump instructions
  • Measure the probability that a binary from a given distribution contains the microgadgets
  • Build a distribution of n-grams in binaries
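A census of the 2- and 3-byte microgadget classes over a raw code buffer, added here as an example (it is not the paper's scanner) and written from the evaluation's point of view: it reports which classes a buffer provides and which are absent, which is what a defender measures when checking whether a diversification or gadget-removal pass actually took a class away. The opcode table, the `arithmetic` class and the constructed sample bytes are my assumptions based on the encodings the slides list.

```python
from collections import Counter

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
RET = 0xC3
# 1-byte opcodes that form a 2-byte microgadget when directly followed by RET.
ONE_BYTE = {
    0x9F: ("load flags", "LAHF"), 0x9C: ("load flags", "PUSHF"),
    0xF8: ("clear carry", "CLC"), 0x9E: ("clear carry", "SAHF"),
    0x27: ("clear carry", "DAA"), 0x60: ("copy ESP", "PUSHA"),
    0xC9: ("change ESP", "LEAVE"), 0xAD: ("memory load", "LODSD"),
    0xAB: ("memory store", "STOSD"),
}
for r, name in enumerate(REG32):
    if r:  # 0x90 would be XCHG EAX,EAX (a NOP), so it is not a move
        ONE_BYTE[0x90 + r] = ("reg move", f"XCHG EAX,{name}")
    ONE_BYTE[0x58 + r] = ("load constant", f"POP {name}")
    ONE_BYTE[0x40 + r] = ("inc/dec", f"INC {name}")
    ONE_BYTE[0x48 + r] = ("inc/dec", f"DEC {name}")
    ONE_BYTE[0x50 + r] = ("control flow", f"PUSH {name}")
# Opcode + ModRM pairs that form a 3-byte microgadget with RET (assumed subset).
TWO_BYTE = {b"\x01\xd8": ("arithmetic", "ADD EAX,EBX"),
            b"\x29\xd8": ("arithmetic", "SUB EAX,EBX"),
            b"\x31\xd8": ("arithmetic", "XOR EAX,EBX")}
ALL_CLASSES = sorted({c for c, _ in (*ONE_BYTE.values(), *TWO_BYTE.values())})

def scan_microgadgets(code: bytes) -> dict:
    """Map (class, mnemonic) -> offsets where that microgadget occurs.  Every
    byte offset is tried, not only instruction boundaries: x86 decoding is not
    self-synchronising, so a gadget can hide inside a longer instruction."""
    found = {}
    for i, b in enumerate(code):
        if b != RET:
            continue
        if i >= 1 and code[i - 1] in ONE_BYTE:
            found.setdefault(ONE_BYTE[code[i - 1]], []).append(i - 1)
        if i >= 2 and code[i - 2:i] in TWO_BYTE:
            found.setdefault(TWO_BYTE[code[i - 2:i]], []).append(i - 2)
    return found

def class_coverage(found: dict) -> dict:
    """Hits per class; the ubiquity question is which classes stay at zero."""
    counts = Counter()
    for (cls, _), offsets in found.items():
        counts[cls] += len(offsets)
    return {cls: counts[cls] for cls in ALL_CLASSES}

# Constructed sample (not from a real binary): the slides' encodings of POP EBP,
# LEA, INC EAX and ADD EAX,EBX, then XCHG EAX,EBX, STOSD, CLC, and a
# MOV EAX,0xC35B whose immediate hides an unaligned "POP EBX; RET".
SAMPLE = bytes.fromhex("5DC3 8D444320 40C3 01D8C3 5DC3 93C3 ABC3 F8C3 B85BC30000")
```

Run `class_coverage(scan_microgadgets(SAMPLE))` to see that this buffer covers six classes and lacks the flag-load, ESP-copy, ESP-change, memory-load and control-flow classes, so it would not count as containing the full set in the evaluation's sense.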
