Steroids for DOPed Applications: A Compiler for Automated Data-Oriented Programming

07/05/2020
by   Jannik Pewny, et al.
0

The wide-spread adoption of system defenses such as the randomization of code, stack, and heap raises the bar for code-reuse attacks. Thus, attackers utilize a scripting engine in target programs like a web browser to prepare the code-reuse chain, e.g., relocate gadget addresses or perform a just-in-time gadget search. However, many types of programs do not provide such an execution context that an attacker can use. Recent advances in data-oriented programming (DOP) explored an orthogonal way to abuse memory corruption vulnerabilities and demonstrated that an attacker can achieve Turing-complete computations without modifying code pointers in applications. As of now, constructing DOP exploits requires a lot of manual work. In this paper, we present novel techniques to automate the process of generating DOP exploits. We implemented a compiler called Steroids that compiles our high-level language SLANG into low-level DOP data structures driving malicious computations at run time. This enables an attacker to specify her intent in an application- and vulnerability-independent manner to maximize reusability. We demonstrate the effectiveness of our techniques and prototype implementation by specifying four programs of varying complexity in SLANG that calculate the Levenshtein distance, traverse a pointer chain to steal a private key, relocate a ROP chain, and perform a JIT-ROP attack. Steroids compiles each of those programs to low-level DOP data structures targeted at five different applications including GStreamer, Wireshark, and ProFTPd, which have vastly different vulnerabilities and DOP instances. Ultimately, this shows that our compiler is versatile, can be used for both 32- and 64-bit applications, works across bug classes, and enables highly expressive attacks without conventional code-injection or code-reuse techniques in applications lacking a scripting engine.

READ FULL TEXT
research
11/05/2021

A practical analysis of ROP attacks

Control Flow Hijacking attacks have posed a serious threat to the securi...
research
07/24/2023

Execution at RISC: Stealth JOP Attacks on RISC-V Applications

RISC-V is a recently developed open instruction set architecture gaining...
research
05/10/2023

SafeLLVM: LLVM Without The ROP Gadgets!

Memory safety is a cornerstone of secure and robust software systems, as...
research
07/03/2019

Towards Automated Application-Specific Software Stacks

Software complexity has increased over the years. One common way to tack...
research
05/25/2020

The never ending war in the stack and the reincarnation of ROP attacks

Return Oriented Programming (ROP) is a technique by which an attacker ca...
research
11/10/2021

MAJORCA: Multi-Architecture JOP and ROP Chain Assembler

Nowadays, exploits often rely on a code-reuse approach. Short pieces of ...
research
06/02/2020

Vyasa: A High-Performance Vectorizing Compiler for Tensor Convolutions on the Xilinx AI Engine

Xilinx's AI Engine is a recent industry example of energy-efficient vect...

Please sign up or login with your details

Forgot password? Click here to reset