Category: ROP

ROP attacks bear much similarity to return-to-libc attacks in so much as they utilise code that already exists, however, ROP attacks do not need to rely upon complete functions, such as calling the libc function system(). Further, due to x86 processors using a variable length instruction set, a potential hacker needn’t rely on instructions originally intended by the compiler. To perform a ROP attack, a hacker must first identify enough gadgets(that is, sequences of assembly instructions within an application that accomplish a specific goal, usually very short and comprising a few instructions and ending with a control transfer instruction – typically a RET) to chain together to perform arbitrary tasks unintended by the original application. Usually this is accomplished with a buffer overflow to the call stack, overwriting it with addresses of the desired gadgets. Note that this is just a sequence of addresses not the hacker’s shellcode as with a normal buffer overflow!

Once the addresses are chained together, arbitrary sequences of instructions can be effectively executed (see the figure below).

The left side of the diagram shows a normal stack frame of a function. Labels indicate the bounds of the stack frame with the ESP and EBP registers as well as the layout of the passed-in functions and the local variables.

On the right-hand side, conversely, we can see the stack frame after a ROP attack has been performed. Utilising standard buffer overflow techniques, the hacker overwrites, with random data, all of the data on the stack leading up to the return address (old EBP value and local variables). Next, the hacker chains together all of the addresses of the gadgets.

This way, once a function has completed and the RET instruction is executed, program control is transferred to Gadget Address 1. As subsequent RET instructions are encountered at the end of each of the gadgets, the next gadget address will be used.

ROP does not need to execute any code from the stack, all it needs is to be able to write the chained gadgets to the stack and be able to read those addresses later on. The easiest targets for ROP attacks are apps that have not been designed with security in mind and apps that are just poorly written and can therefore have their security holes exploited. The most common protective mechanism used by CPU manufacturers and the like is DEP (Data Execution Prevention), DEP utilises the cooperation of an OS and CPU to enforce policies designed to prevent execution of arbitrary data contained in marked segments of memory. Another popular method is Address Space Layout Randomization (ASLR) which randomises the starting address of memory within which libraries are loaded as well as the location of the apps stack. ASLR is useful for preventing return-to-libc attacks able to bypass DEP restrictions. With return-to-libc, a hacker can modify the return address of a function so that the program continues execution within another function which is already loaded (typically within libc). ASLR causes the address of the desired function to be non-constant, thereby limiting the success rates of attacks.

These defences are not effective in preventing ROP, however. DEP is completely bypassed as ROP does not need to execute any code from the stack. ASLR has also been demonstrated to be insufficient in defeating ROP, the major Operating Systems including Linux, Windows, and OS X, each have their own shortcomings implementing ASLR which can be exploited.

Academics and security researchers are actively exploring new ROP protection methods that utilise on-the-fly encryption and decryption of return addresses at runtime. The focus should be on preventing A ROP attack by stopping a hacker from launching arbitrary commands, in the first place, to gain control of a system (rather than stopping buffer overflows). This can be achieved with the DynamoRIO Dynamic Instrumentation Tool Platform.

****************************Written by Alg3sic**********Feel free to reuse WITH CREDIT TO ME AND A LINK TO https://twitter.com/FidgetRoller**********