DeepAI AI Chat
Log In Sign Up

Block Oriented Programming: Automating Data-Only Attacks

by   Kyriakos Ispoglou, et al.

With the wide deployment of Control-Flow Integrity (CFI), control-flow hijacking attacks, and consequently code reuse attacks, are significantly harder. CFI limits control flow to well-known locations, severely restricting arbitrary code execution. Assessing the remaining attack surface of an application under advanced control-flow hijack defenses such as CFI and shadow stacks remains an open problem. We introduce BOPC, a mechanism to assess whether an attacker can execute arbitrary code on a CFI/shadow stack hardened binary automatically. BOPC leverages SPL, a Turing-complete high-level language that abstracts away architecture and program-specific details, such as register mappings, to express exploit payloads. SPL payloads are compiled into a program trace that executes the desired behavior on top of the target binary. The input for BOPC is an SPL payload, a starting point (e.g., from a fuzzer crash), and an arbitrary read/write primitive that allows application state corruption. To map SPL payloads to a program trace, BOPC introduces Block Oriented Programming (BOP), a new code reuse technique that utilizes entire basic blocks as gadgets along valid execution paths in the program, i.e., without violating CFI policies. We find that the problem of mapping payloads to program traces is NP-hard, so BOPC first reduces the search space by pruning infeasible paths and then uses heuristics to guide the search to probable paths. BOPC encodes the BOP payload as a set of memory writes. We execute 13 SPL payloads applied to 10 popular applications. BOPC successfully finds payloads and complex execution traces -- which would likely not have been found through manual analysis -- while following the target's Control-Flow Graph under an strict CFI policy in 81


page 1

page 2

page 3

page 4


A practical analysis of ROP attacks

Control Flow Hijacking attacks have posed a serious threat to the securi...

Exploitation Techniques and Defenses for Data-Oriented Attacks

Data-oriented attacks manipulate non-control data to alter a program's b...

Speculative Buffer Overflows: Attacks and Defenses

Practical attacks that exploit speculative execution can leak confidenti...

Automated CFI Policy Assessment with Reckon

Protecting programs against control-flow hijacking attacks recently has ...

Analyzing Control Flow Integrity with LLVM-CFI

Control-flow hijacking attacks are used to perform malicious com-putatio...

GPT is becoming a Turing machine: Here are some ways to program it

We demonstrate that, through appropriate prompting, GPT-3 family of mode...

SecurePtrs: Proving Secure Compilation with Data-Flow Back-Translation and Turn-Taking Simulation

Proving secure compilation of partial programs typically requires back-t...