In simpler times, if an attacker wanted to do something malicious on your system, he would have to find a way to put code in a privileged location on your system and then execute it. Fortunately, the good guys have largely countered this threat with protective measures, for instance, by preventing data from being able to be executed. As a result, the attackers have evolved, and now they can use your own well-intentioned code against you.
How? Return Oriented Programming.
Well, the first round involves leveraging short sequences of instructions in your code that occur before return instructions. This is the so-called Return Oriented Programming (ROP) approach, which is achieved by placing a sequence of return addresses and data on the stack. These small code fragments, called gadgets, are chained together by the processor’s return mechanism to create the functionality needed for the exploit. The addresses on the stack take the place of a sequence of instructions, and each represents the entry point to one of the gadgets.
For this approach, the attacker needs to do four things:
- Study the system’s code to identify a useful set of gadgets.
- Decide on the sequence of gadgets needed for the exploit.
- Prepare a stack full of return addresses that implement this sequence.
- Use any one of a number of approaches to get the process to switch to this stack.
Upon doing this, the exploit will run and the attacker will win – so now we have to watch our return statements, right? Perhaps we will create protections such as shadow stacks which monitor these returns. Or maybe not – Turing complete gadget collections have been found which do not use returns at all.[1] So we have to be smarter still.
Anything Systematic can be Automated
The hard part of creating these attacks might be the process of finding the gadgets and creating higher-level functionality from these fragments. Well, “hard” might not be the best word to describe it, because it’s actually very straightforward. All the attacker needs to do is to look through all of the assembly code on the target system and recognize when something might be useful. Then, any determined programmer can figure out how to string the pieces together into an attack.
But that is still a lot of work, although not necessarily difficult, and it would be nicer for a hacker if a computer could automate such mundane things. At the recent BlackHat conference in Las Vegas, a presentation was given in one of the smaller conference rooms, announcing software relief for attackers that want to work smarter not harder.[2]
The tool is called OptiROP, and it arms the attacker with more than just manual or semi-automated syntactic searches for gadgets. Instead, it uses an off-the-shelf tool chain (LLVM) and an SMT solver (Z3) to semantically search for gadgets. The tool provides automatic chaining of gadgets to produce requested functionality. And of course, all of this code is readily available, in this age of open-source, to anyone interested.
No Hacker Required
So now the attacker is armed with:
- An entry point.
- Software to find a Turing complete set of primitives based on the desired semantics.
Just Another Step
A good deal of work had already been done in automatic exploit generation. Years ago, Carnegie Mellon University produced “Q,” an end-to-end ROP system, which used a custom language for automatically developing exploits.[3] They also demonstrated the weaknesses of existing Address Space Layout Randomization (ASLR) protections.
The Battle Continues
Attacks which leverage existing good code for exploits are very real. These approaches are simple enough to be automated, which greatly reduces the effort required to launch an attack. There are tools in existence and undoubtedly more on the way to make these attacks even easier to develop. Unfortunately, early efforts to thwart these attacks, such as gadget elimination, shadow stacks, ASLR, and even Instruction Location Randomization (ILR), are not 100% effective in stopping such attacks.
That’s why security-conscious companies like GrammaTech are deeply engaged in developing solutions to render these types of attacks – and others – powerless against your system. GrammaTech is currently leveraging technologies developed for KATE and PEASOUP to address these and many other software security issues.
References:
[1] “Return-Oriented Programming without Returns”, Checkoway, 2010, et. al.
[2] “OPTIROP: Hunting For ROP Gadgets In Style”, Quynh, Nguyen, BlackHat 2013
[3] “Q: Exploit Hardening Made Easy”, Schwartz, et. al., Carnegie Mellon Univ., 2011 Usenix Security Symposium