Block Oriented Programming: Automating Data-Only Attacks

05/12/2018
by Kyriakos Ispoglou, et al.

With the wide deployment of Control-Flow Integrity (CFI), control-flow hijacking attacks, and consequently code reuse attacks, are significantly harder. CFI limits control flow to well-known locations, severely restricting arbitrary code execution. Assessing the remaining attack surface of an application under advanced control-flow hijack defenses such as CFI and shadow stacks remains an open problem. We introduce BOPC, a mechanism to assess automatically whether an attacker can execute arbitrary code on a CFI/shadow stack hardened binary. BOPC leverages SPL, a Turing-complete high-level language that abstracts away architecture- and program-specific details, such as register mappings, to express exploit payloads. SPL payloads are compiled into a program trace that executes the desired behavior on top of the target binary. The input for BOPC is an SPL payload, a starting point (e.g., from a fuzzer crash), and an arbitrary read/write primitive that allows application state corruption. To map SPL payloads to a program trace, BOPC introduces Block Oriented Programming (BOP), a new code reuse technique that utilizes entire basic blocks as gadgets along valid execution paths in the program, i.e., without violating CFI policies. We find that the problem of mapping payloads to program traces is NP-hard, so BOPC first reduces the search space by pruning infeasible paths and then uses heuristics to guide the search to probable paths. BOPC encodes the BOP payload as a set of memory writes. We execute 13 SPL payloads applied to 10 popular applications. BOPC successfully finds payloads and complex execution traces -- which would likely not have been found through manual analysis -- while following the target's Control-Flow Graph under a strict CFI policy in 81
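The abstract's central point is that a payload delivered purely as memory writes to non-control data can drive a program along edges that are all legitimate in its control-flow graph, so a CFI check never fires. The toy program below is an added illustration written for this page; it is not BOPC's code, not one of the paper's 10 target applications, and not an SPL payload. It assumes a constructed target with one CFI-guarded indirect call, a hypothetical forward-edge CFI policy modelled as an allowlist check, and an arbitrary write primitive (which BOPC takes as given, from some separate bug) modelled as a plain in-process copy. The first attempt corrupts a code pointer and is rejected by the policy; the second flips only data, walks the existing basic blocks, and reaches the same sink.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy target for this example; not BOPC's code or test corpus. */
struct session {
    int   mode;                          /* 0 normal, 1 maintenance: non-control data */
    char  cmd[32];                       /* maintenance command: non-control data */
    void (*on_done)(struct session *);   /* control data, guarded by forward-edge CFI */
};

static char last_exec[32];               /* records what the sink would have run */

static void exec_cmd(const char *cmd)    /* the sink an attacker wants to reach */
{
    strncpy(last_exec, cmd, sizeof last_exec - 1);
    last_exec[sizeof last_exec - 1] = '\0';
}

static void audit_log(struct session *s)     { (void)s; }
static void close_session(struct session *s) { (void)s; }
static void maint_shell(struct session *s)   { exec_cmd(s->cmd); } /* never a legitimate on_done target */

/* Hypothetical forward-edge CFI policy: the indirect call may only reach
 * the two callbacks the program ever stores in on_done. */
static int cfi_allowed(void (*fp)(struct session *))
{
    return fp == audit_log || fp == close_session;
}

/* Legitimate handler. Every edge below is in the program's CFG:
 * B1 (mode test) -> B2 (exec) -> B3 (CFI-checked indirect call). */
static int handle(struct session *s)
{
    if (s->mode == 1)                    /* B1 */
        exec_cmd(s->cmd);                /* B2: legitimate maintenance path */
    if (!cfi_allowed(s->on_done))        /* CFI instrumentation before B3 */
        return -1;                       /* abort: on_done points outside the policy */
    s->on_done(s);                       /* B3 */
    return 0;
}

/* A BOP payload is a set of memory writes. The arbitrary write primitive
 * (assumed, from an unrelated bug) is modelled here as a plain memcpy. */
struct mem_write { size_t off; const void *src; size_t len; };

static void apply_writes(struct session *s, const struct mem_write *w, size_t n)
{
    for (size_t i = 0; i < n; i++)
        memcpy((char *)s + w[i].off, w[i].src, w[i].len);
}

static void fresh(struct session *s)
{
    memset(s, 0, sizeof *s);
    s->on_done = audit_log;
    last_exec[0] = '\0';
}

/* Attempt 1: control-flow hijack. Redirect on_done to maint_shell with a chosen cmd. */
int attempt_hijack(void)
{
    struct session s;
    void (*fp)(struct session *) = maint_shell;
    const struct mem_write w[] = {
        { offsetof(struct session, on_done), &fp, sizeof fp },
        { offsetof(struct session, cmd),     "id", 3 },
    };
    fresh(&s);
    apply_writes(&s, w, 2);
    return handle(&s);                   /* -1: CFI rejects the corrupted pointer */
}

/* Attempt 2: data-only. Touch no code pointer; flip mode and plant cmd so the
 * existing B1 -> B2 path does the work. Every block executed is a valid CFG node. */
int attempt_data_only(void)
{
    struct session s;
    int maint = 1;
    const struct mem_write w[] = {
        { offsetof(struct session, mode), &maint, sizeof maint },
        { offsetof(struct session, cmd),  "id", 3 },
    };
    fresh(&s);
    apply_writes(&s, w, 2);
    return handle(&s);                   /* 0: the CFI check sees nothing wrong */
}

const char *executed(void) { return last_exec; }

int main(void)
{
    int r = attempt_hijack();
    printf("hijack:    handle=%d executed='%s'\n", r, executed());
    r = attempt_data_only();
    printf("data-only: handle=%d executed='%s'\n", r, executed());
    return 0;
}
```

The real search BOPC performs, finding which blocks along feasible paths implement each SPL statement and which writes steer the branches between them, is what the toy collapses into two hand-picked writes; the defensive lesson survives the simplification: a shadow stack and forward-edge CFI constrain where control goes, not what the data those blocks consume says.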


Related research

11/05/2021  A practical analysis of ROP attacks
02/22/2019  Exploitation Techniques and Defenses for Data-Oriented Attacks
07/10/2018  Speculative Buffer Overflows: Attacks and Defenses
12/20/2018  Automated CFI Policy Assessment with Reckon
10/02/2019  Analyzing Control Flow Integrity with LLVM-CFI
03/25/2023  GPT is becoming a Turing machine: Here are some ways to program it
10/04/2021  SecurePtrs: Proving Secure Compilation with Data-Flow Back-Translation and Turn-Taking Simulation
