COMMSEC: EasyROP: Automatic Generation of ROP Chains Using a Turing-Complete Instruction Set

Return-Oriented Programming (ROP) attacks allow to hijack the control-flow execution of a vulnerable process using instructions already present in its memory map. Thus, the attacker concatenates sequences of instructions (named ROP gadgets) redirecting the control-flow execution to perform whatever computation he/she wants. Those instruction sequences, when executed, perform a well-defined operation, such as a XOR or an addition between two registers.

A Turing machine is an abstract concept to define a theoretical model able to solve any computational problem using a set of minimal operations. A system is said to be Turing-complete whether simulates a Turing machine, that is, if it is able to perform the same set of minimal operations. In particular, these operations are: to load a constant, to move values, to load and to store a value from/to memory, and to perform arithmetic and logic operations.

In this talk, we introduce a tool named EasyROP, which seeks the gadgets in a given binary file that are semantically equivalent to each of those operations. Hence, EasyROP helps to automate the development of ROP attacks. We analyzed the main dynamic-link libraries of most flavours of Windows OS, in 32 and 64-bit modes, to study the feasibility of an attack on these systems. We found that shell32.dll is the best candidate in 32-bit systems. In the case of 64-bit systems, none DLL allows to build a Turing machine. We also show the applicability with a real case study, building a ROP chain for CVE-2010-3333 to defeat a Windows 7 OS with DEP enabled.

COMMSEC TRACK
Location: Track 4 / CommSec Date: April 13, 2018 Time: 12:00 pm - 12:30 pm Ricardo J. Rodríguez Daniel Uroz