ROP is Still Dangerous: Breaking Modern Defenses
Nicholas Carlini and David Wagner, University of California, Berkeley
Background

Code Injection
  → Data Execution Prevention
    → Return Oriented Programming
      → Address Space Layout Randomization, kBouncer/ROPecker, Control Flow Integrity
Return Oriented Programming

Disassembly shown on the slide; a gadget is a short instruction sequence ending in ret, and a ROP attack chains such sequences from the existing code:

    mov (%rcx),%rbx
    test %rbx,%rbx
    je 41c523 <main+0x803>
    mov %rbx,%rdi
    callq 42ab00
    mov %rax,0x2cda9d(%rip)
    cmpb $0x2d,(%rbx)
    je 41c4ac <main+0x78c>
    mov 0x2cda8d(%rip),%rax
    ret
    test %rbx,%rbx
    mov $0x4ab054,%eax
    cmove %rax,%rbx
    mov %rbx,0x2cda6a(%rip)
    test %rdi,%rdi
    je 41c0c2 <main+0x3a2>
    mov $0x63b,%edx
    mov $0x4ab01d,%esi
    callq 46cab0 <sh_xfree>
    ret

    mov %rax,0x2d2945(%rip)
    mov 0x2cda16(%rip),%rax
    test %rax,%rax
    je 41c112 <main+0x3f2>
    movzbl (%rax),%edx
    callq 41b640 <time@plt>
    mov 0xb8(%rsp),%r15d
    cmp 0xc(%rsp),%r15d
    mov %rax,0x2d2670(%rip)
    je 41c214 <main+0x4f4>
    xchg %ax,%ax
    mov (%rsp),%rdx
    movslq %r15d,%rax
    mov (%rdx,%rax,8),%r14
    ret
    je 41c214 <main+0x4f4>
    cmpb $0x2d,(%r14)
    jne 41c214 <main+0x4f4>
    movzbl 0x1(%r14),%r12d
    movl $0x0,0x18(%rsp)
    cmp $0x2d,%r12b

    je 41c440 <main+0x720>
    xor %ebp,%ebp
    mov $0x4c223a,%ebx
    add $0x1,%r14
    jmp 41c1a3 <main+0x483>
    cmp (%rbx),%r12b
    mov %ebp,%r13d
    jne 41c188 <main+0x468>
    mov %rbx,%rsi
    test %eax,%eax
    xchg %ax,%ax
    jne 41c188 <main+0x468>
    movslq %ebp,%rax
    ret
    cmpl $0x1,0x4ab3c8(%rax)
    je 41c461 <main+0x741>
    mov (%rsp),%rcx
    add $0x1,%r15d
    movslq %r15d,%rdx
    mov (%rcx,%rdx,8),%rdx
    test %rdx,%rdx
    je 41cefd <main+0x11dd>

Gadget
kBouncer
If we could inspect the past execution … maybe we could detect ROP attacks.
Transparent ROP exploit mitigation using indirect branch tracing. Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis.
USENIX Security, 2013.
kBouncer

Time →  Normal Execution … Syscall … ROP Attack … Syscall
Visible History (Last Branch Record): at each Syscall, only the most recent branches recorded by the LBR are visible to the check.
kBouncer Observation (1):
ROP attacks issue returns to non-Call-Preceded addresses.
Normal Execution

    and [rax],0xfd
    mov edx,0x768
    mov esi,0x4ab632
    mov rdi,rbx
    call 0x2b2130
    test rbp,rbp
    cmov [rbp],0x0
    add rsp,0x8
    pop rbx
    pop rbp
    ret

0x2b2130:

    push rbx
    mov ebx, eax
    add ebx, ebx
    add ebx, eax
    pop rbx
    ret

Call-Preceded Return: the ret at the end of 0x2b2130 lands on the instruction immediately after `call 0x2b2130`, an address that is preceded by a call.

Non-Call-Preceded Return: a ret that lands anywhere else in this sequence targets an address that no call precedes. This is the pattern kBouncer's first check looks for.
Defense (1): Restrict returns to only target Call-Preceded addresses.
kBouncer Observation (2):
ROP attacks are built of long sequences of short gadgets.
“gadget”: sequence of <20 instructions, ending in ret
“long sequence”: 8 gadgets occurring sequentially
Defense (2): Do not allow long sequences of short gadgets.
Detecting Attacks

ROP Attack } Issue Syscall
Visible History
- Call-Preceded? ✗
- No long chain? ✗
kBouncer is exciting
But does it work?
Breaking kBouncer with History Flushing
Goal: issue a single system call
Large NOP Gadget
● It must be Call-Preceded
● It must be long (>20 instructions)
● It must act as an effective no-op
    add [esp+17Ch],ebx
    mov ebx,[esp+17Ch]
    sub ebx,ebp
    jmp A
    ...
    A: add [esp+64h],ebx
    jmp B
    ...
    B: mov esi,[esp+1C0h]
    lea eax,[esi*8-4]
    sub eax,[esp+64]
    and eax,7h
    mov edi,[esp+64]
    lea eax,[edi+eax+4]
    shr eax,3
    cmp eax,esi
    jbe C
    ...
    C: mov eax,[esp+1C0h]
    add esp,19Ch
    pop ebx
    pop esi
    pop edi
    pop ebp
    ret
History Flushing

Traditional ROP Attack, followed by a run of Large NOP Gadgets } Issue Syscall
Visible History: filled entirely by the call-preceded no-op gadgets, so the chain that preceded them is no longer in the record.
- Call-Preceded? ✔
- No long chain? ✔
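As an added example (not the authors' or kBouncer's code), the following Python model implements the two slide rules over a recorded branch history and evaluates them on constructed histories: normal execution, a traditional ROP chain, a chain followed by history-flushing no-op gadgets, and the unbounded-history variant used for kBouncer++. The Branch record, the 16-entry window and every address are assumptions.

```python
"""kBouncer-style checks over a Last Branch Record (LBR) window.

Added example, not kBouncer's code. Rule (1): every ret must land on a
call-preceded address. Rule (2): no 8 sequential gadgets of <20 instructions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

LBR_SIZE = 16        # assumed hardware LBR depth; None models kBouncer++'s infinite LBR
GADGET_MAX_LEN = 20  # slide: "gadget" = sequence of <20 instructions ending in ret
CHAIN_LEN = 8        # slide: "long sequence" = 8 gadgets occurring sequentially


@dataclass(frozen=True)
class Branch:
    """One recorded indirect branch: its kind, where it landed, and how many
    instructions ran from the target until the next indirect branch."""
    kind: str      # "ret", "call" or "jmp"
    target: int
    length: int


def returns_call_preceded(window: List[Branch], call_preceded: Set[int]) -> bool:
    """Rule (1): every ret in the window lands right after a call instruction."""
    return all(b.kind != "ret" or b.target in call_preceded for b in window)


def no_long_gadget_chain(window: List[Branch]) -> bool:
    """Rule (2): no CHAIN_LEN consecutive returns into short gadgets."""
    run = 0
    for b in window:
        if b.kind == "ret" and b.length < GADGET_MAX_LEN:
            run += 1
            if run >= CHAIN_LEN:
                return False
        else:
            run = 0          # a long gadget or a non-return branch breaks the run
    return True


def kbouncer_check(history: Iterable[Branch], call_preceded: Set[int],
                   lbr_size: Optional[int] = LBR_SIZE) -> Dict[str, bool]:
    """Run both rules at a syscall. kBouncer sees only the last lbr_size branches;
    lbr_size=None models kBouncer++ (defense runs continuously over all branches)."""
    branches = list(history)
    window = branches if lbr_size is None else branches[-lbr_size:]
    return {
        "call_preceded": returns_call_preceded(window, call_preceded),
        "no_long_chain": no_long_gadget_chain(window),
    }


# --- constructed histories (all addresses are made up for the example) -------
CALL_PRECEDED = {0x401000 + 5 * i for i in range(40)}   # addresses directly after a call


def normal_execution() -> List[Branch]:
    """Ordinary code: calls into functions that return to the call site, long bodies."""
    hist: List[Branch] = []
    for i in range(12):
        hist.append(Branch("call", 0x500000 + 0x100 * i, 30 + i))
        hist.append(Branch("ret", 0x401000 + 5 * i, 25))
    return hist


def traditional_rop() -> List[Branch]:
    """Ten short gadgets at arbitrary, non-call-preceded addresses."""
    return [Branch("ret", 0x600000 + 7 * i, 3) for i in range(10)]


def call_preceded_rop_with_flush(nop_count: int) -> List[Branch]:
    """Short call-preceded gadgets, then nop_count long call-preceded no-op
    gadgets (the slide's Large NOP Gadget) executed before the syscall."""
    chain = [Branch("ret", 0x401000 + 5 * i, 4) for i in range(10)]
    nops = [Branch("ret", 0x401000 + 5 * 20, 45) for _ in range(nop_count)]
    return chain + nops


def call_preceded_rop_interleaved() -> List[Branch]:
    """Every seventh gadget is a long no-op, so no run of 8 short gadgets exists."""
    return [Branch("ret", 0x401000 + 5 * (i % 40), 45 if i % 7 == 6 else 4)
            for i in range(30)]


if __name__ == "__main__":
    print("normal            ", kbouncer_check(normal_execution(), CALL_PRECEDED))
    print("traditional ROP   ", kbouncer_check(traditional_rop(), CALL_PRECEDED))
    print("flushed, LBR=16   ", kbouncer_check(call_preceded_rop_with_flush(16), CALL_PRECEDED))
    print("flushed, infinite ", kbouncer_check(call_preceded_rop_with_flush(16), CALL_PRECEDED, None))
    print("interleaved, inf. ", kbouncer_check(call_preceded_rop_interleaved(), CALL_PRECEDED, None))
```

The flushed history passes both checks under a 16-entry window but fails the chain check once the window is unbounded, while a chain broken up by long gadgets passes even then; this is why the slides treat the chain-length rule as insufficient on its own.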
So kBouncer is broken, and so is any limited-history defense.
Can we fix it?

Introducing kBouncer++
● LBR with infinite entries
● Defense runs continuously

Traditional ROP Attack } Visible History
- Call-Preceded?
- No long chain?
Page 68
Does this work?
Page 69
Breaking kBouncer++
Page 70
Call-Preceded Detector Insufficient
● kBouncer assumes that call-preceded ROP is not possible
● Our work: call-preceded ROP is possible
● 10 of 10 binaries of size 70k have sufficient text to mount a call-preceded ROP attack
Page 71
Defeating kBouncer++
Call-Preceded ROP Attack } Visible History
- Call-Preceded?
- No long chain?
Page 72
Defeating kBouncer++
Call-Preceded ROP Attack } Visible History
- Call-Preceded? ✔
- No long chain?
Page 73
Defeating kBouncer++
Call-Preceded ROP Attack } Visible History
- Call-Preceded? ✔
- No long chain? ✘
Page 74
Large No-Op Gadgets
Page 75
Defeating kBouncer++
Call-Preceded ROP Attack } Visible History
- Call-Preceded? ✔
- No long chain?
Page 76
Defeating kBouncer++
Call-Preceded ROP Attack } Visible History
- Call-Preceded? ✔
- No long chain?
Page 77
Defeating kBouncer++
Call-Preceded ROP Attack (large no-op gadgets inserted into the chain: NOP, NOP, NOP) } Visible History
- Call-Preceded? ✔
- No long chain? ✔
Page 78
Even with unlimited history, ROP attacks are possible
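To make the two kBouncer++ checks and their blind spot concrete, here is an added simulation (not kBouncer's code and not the authors' code) of a call-preceded check and a short-gadget chain-length check run over the whole branch history. The record layout, the thresholds and the four traces are constructed assumptions; the last trace is the chain with large no-op gadgets interleaved, which the slides show passing both checks.

```python
from dataclasses import dataclass

# Constructed, simplified model of the two kBouncer++ heuristics on the slides.
# Not kBouncer's code; the record format and both thresholds are assumptions.
GADGET_MAX_INSNS = 20  # a target that runs <= this many instructions before
                       # the next indirect branch is treated as gadget-like
CHAIN_LIMIT = 8        # this many consecutive gadget-like entries = "long chain"


@dataclass(frozen=True)
class Branch:
    """One entry of the (unlimited) indirect-branch history."""
    kind: str            # "call" or "ret"
    call_preceded: bool  # for a ret: is the return address preceded by a call?
    insns_to_next: int   # instructions run at the target before the next entry


def check_history(history):
    """Apply both heuristics to the whole history (kBouncer++ has no window).
    Returns (reason, index) for the first violation, or None if it looks benign."""
    chain = 0
    for i, b in enumerate(history):
        if b.kind == "ret" and not b.call_preceded:
            return ("not-call-preceded", i)
        if b.insns_to_next <= GADGET_MAX_INSNS:
            chain += 1
            if chain >= CHAIN_LIMIT:
                return ("long-gadget-chain", i)
        else:
            chain = 0  # a long stretch of straight-line code resets the counter
    return None


def ret(call_preceded, insns):
    return Branch("ret", call_preceded, insns)


# Constructed histories, not measured traces.
NORMAL = [Branch("call", True, 120), ret(True, 300), Branch("call", True, 45), ret(True, 80)]
# Traditional ROP: returns land on instruction sequences that do not follow a call.
TRADITIONAL_ROP = [ret(False, 3)] * 10
# Call-preceded ROP: every return target follows a call, but the gadgets are short.
CALL_PRECEDED_ROP = [ret(True, 4)] * 10
# Same chain with a large call-preceded no-op gadget inserted before the limit is hit:
# this is the case the slides mark with two check marks.
NOP_INTERLEAVED = []
for _ in range(3):
    NOP_INTERLEAVED += [ret(True, 4)] * (CHAIN_LIMIT - 1) + [ret(True, 60)]

if __name__ == "__main__":
    for name, h in [("normal", NORMAL), ("traditional", TRADITIONAL_ROP),
                    ("call-preceded", CALL_PRECEDED_ROP), ("nop-interleaved", NOP_INTERLEAVED)]:
        print(f"{name:16s} -> {check_history(h)}")
```

The detector flags the first two attack traces but reports the no-op-interleaved chain as benign, which is the reason the deck concludes that history-based heuristics alone cannot separate gadgets from normal code.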
Page 79
ROPecker is also broken
ROPecker: A generic and practical approach for defending against ROP attacks. Yueqiang Cheng, Zongwei Zhou, Miao Yu, Xuhua Ding, and Robert H. Deng. NDSS, 2014.
Pages 81-82
Results
Modified four real-world exploits so they won't be detected by kBouncer:
● Adobe Reader 9
● Adobe Flash 11
● Mplayer Lite
● Internet Explorer 8
Page 83
Related Work
● [Goktas, S&P14] discussed the existence of call-preceded ROP and used it to break many existing CFI defenses
● [Davi, Usenix14] and [Goktas, Usenix14] both independently and concurrently discovered very similar attacks on kBouncer and ROPecker
Pages 84-88
Implication for Defenses
● Do not rely on limited history
● Call-Preceded ROP is possible
● CFI needs to return to its roots
● Classifying code as “gadget” vs. “non-gadget” is not easy
Page 89
Defenses should focus on fundamental differences between normal execution and ROP attacks.