南京大学：《软件安全 Software Security》课程教学资源（PPT课件讲稿）Return-Orinted Programming（ROP Attack）

京大 NANJING UNIVERSITY Return-Orinted Programming 2023/2/7 1

2023/2/7 1 Return-Orinted Programming

校绵鼎 月 Introduction The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham.ACM CCS 2007 2023/2/7 2

2023/2/7 2 Introduction The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, ACM CCS 2007

效绵熟 Introduction "WX"ensures that no memory location in a process image is marked both writable ("W")and executable ("X").With "WX",there is no location in memory into which the attacker can inject code to execute. Now that the attackers cannot inject code,their response was to use,for their own purposes,code that already exists in the process image they are attacking 2023/2/7 3

2023/2/7 3 Introduction ⚫ "W⊕X" ensures that no memory location in a process image is marked both writable ("W") and executable ("X"). With "W⊕X", there is no location in memory into which the attacker can inject code to execute. ⚫ Now that the attackers cannot inject code, their response was to use, for their own purposes, code that already exists in the process image they are attacking

效绵县 Introduction Since the standard C library,libe,is loaded in nearly every Unix program,and since it contains routines of the sort that are useful for an attacker (e.g.,wrappers for system calls),it is libc that is the usual target,and such attacks are therefore known as return into-libc attacks.But in principle any available code,either from the program's text segment or from a library it links to, could be used 2023/2/7 4

2023/2/7 4 Introduction Since the standard C library, libc, is loaded in nearly every Unix program, and since it contains routines of the sort that are useful for an attacker (e.g., wrappers for system calls), it is libc that is the usual target, and such attacks are therefore known as return into-libc attacks. But in principle any available code, either from the program's text segment or from a library it links to, could be used

“绵县 Introduction The building blocks for the traditional return-into-libc attack are functions and these can be removed by the maintainers of libc. By contrast,the building blocks for ROP are short code sequences,each just two or three instructions long,end in a return instruction(gadgets).Some are present in libc as a result of the code-generation choices of the compiler.Others are found in libc despite not having been placed there at all by the compiler.In either case,these code sequences would be very difficulty to eliminate without extensive modifications to the compiler and assembler. 2023/2/7 5

2023/2/7 5 Introduction ◼ The building blocks for the traditional return-into-libc attack are functions and these can be removed by the maintainers of libc. ◼ By contrast, the building blocks for ROP are short code sequences, each just two or three instructions long, end in a return instruction(gadgets). Some are present in libc as a result of the code-generation choices of the compiler. Others are found in libc despite not having been placed there at all by the compiler. In either case, these code sequences would be very difficulty to eliminate without extensive modifications to the compiler and assembler

效绵 Ability enough gadgets for attack? English words vary in length,and there is no particular position on the page where a word must end and another start. Intel x86 code is like English written without punctuation or spaces,so that the words all run together. One can make out more words on the page than were intentionally placed there.Some words will be suffixes of other words,as "dress"is a suffix of "address";others will consist of the end of one word and the beginning of the next,as "head"can be found in "theaddress";and so on. 2023/2/7 6

2023/2/7 6 Ability ⚫ enough gadgets for attack? English words vary in length, and there is no particular position on the page where a word must end and another start. Intel x86 code is like English written without punctuation or spaces, so that the words all run together. One can make out more words on the page than were intentionally placed there. Some words will be suffixes of other words, as "dress" is a suffix of "address"; others will consist of the end of one word and the beginning of the next, as "head" can be found in "theaddress"; and so on

效绵鼎 Abilit女y Here is a concrete example for the x86,taken from the GNU C Library distributed with Fedora Core Release 4:libc-2.3.5.so. Two instructions in the entrypoint ecb_crypt are encoded as follows: f7c707000000 test$0x00000007,%ed 0f9545c3 setnzb-61(%ebp) Starting one byte later,the attacker instead obtains: c7070000000f movl $OxOf000000,(%edi) 9 xchg %ebp,%eax inc %ebp 3 ret 2023/2/7 7

2023/2/7 7 Ability Here is a concrete example for the x86, taken from the GNU C Library distributed with Fedora Core Release 4: libc-2.3.5.so. Two instructions in the entrypoint ecb_crypt are encoded as follows: Starting one byte later, the attacker instead obtains:

效绵 Abilit女y The set of gadgets described is Turing complete by inspection,so return-oriented programs can do anything possible with x86 code. 2023/2/7 8

2023/2/7 8 Ability The set of gadgets described is Turing complete by inspection, so return-oriented programs can do anything possible with x86 code

效绵县 Discovering Useful Instruction Sequences in Libc The Galileo Algorithm: Algorithm GALILEO: create a node,root,representing the ret instruction; place root in the trie; for pos from 1 to textseg len do: if the byte at pos is c3,i.e.,a ret instruction,then: call BUILDFROM(pos,root). Procedure BUILDFROM(index pos,instruction parent_insn): for step from 1 to max insn_len do: if bytes [(pos-step)...(pos-1)decode as a valid instruction insn then: ensure insn is in the trie as a child of parent insn; if insn isn't boring then: call BUILDFROM(pos-step,insn). 2023/2/7 9

2023/2/7 9 Discovering Useful Instruction Sequences in Libc The Galileo Algorithm:

校绵鼎 Discovering Useful Instruction Sequences in Libc The definition of "boring instructions" 1.the instruction is a leave instruction and is followed by a ret instruction;or 2. the instruction is a pop %ebp instruction and is immediately followed by a ret instruction;or 3. the instruction is a return or an unconditional jump. 2023/2/7 10

2023/2/7 10 Discovering Useful Instruction Sequences in Libc The definition of "boring instructions" : 1. the instruction is a leave instruction and is followed by a ret instruction; or 2. the instruction is a pop %ebp instruction and is immediately followed by a ret instruction; or 3. the instruction is a return or an unconditional jump