Presentation is loading. Please wait.

Presentation is loading. Please wait.

Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]

Published byYuliana Agusalim Modified over 5 years ago

Similar presentations

Presentation on theme: "Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]"— Presentation transcript:

1 Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]
Return-Oriented Programming: Systems, Languages, and Applications -- Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage, UCSD Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]

2 Contents 1. Introduction 2. Background: Attacks and Defenses
3. The X86 And SPARC Architectures 4. Return-Oriented Programming 5. X86 Gadget Catalog 6. Conclusion

3 1.Introduction The problem of malicious code is one that has long troubled the security community. Since we cannot accurately predict whether a particular execution will be benign or not, most work over the past two decades has focused on preventing the introduction and execution of new malicious code. Most of this activity falls into two categories: Efforts attempting to guarantee the integrity of control flow in existing programs. Efforts attempting to isolate “bad” code that has been introduced into the system.

4 1.Introduction In this article, we present a new form of attack, return-oriented programming. Each snippet ends in a ret instruction, which allows an attacker who controls the stack to chain them together. The organizational unit of a return-oriented attack is the gadget. Each gadget is an arrangement of words on the stack

5 2.Background: Attacks and Defenses
Traditional way of attacker : injecting code in the memory Example of Defense: W⊕X protections W⊕X, ensures that no memory location in a process image is marked both writable (W) and executable (X). With W⊕X, there is no location in memory into which the attacker can inject code to execute.

6 2.Background: Attacks and Defenses
With return-oriented programming An attacker who has diverted a program’s control flow can induce it to undertake arbitrary behavior without introducing any new code.

7 2.Background: Attacks and Defenses
The most familiar vulnerability class is the stack buffer overflow Other classes have been considered: buffer overflows on the heap integer overflows format string vulnerabilities

8 2.Background: Attacks and Defenses
Consider an attacker who has discovered a vulnerability in some program and wishes to exploit it. To achieve his goal, the attacker must (1) subvert the program’s control flow from its normal course stack-smashing(stack buffer overflow ) (2) redirect the program’s execution. injecting code into the stack using shellcode;

9 3. The X86 And SPARC Architectures
The two architectures (1) variable-length instructions vs. fixed-length instructions (2) complex instructions (CISC) vs. a concise set of simple instructions(RISC) (3) very few general-purpose registers vs. so many general-purpose registers

10 3.1 The x86 Architecture Eight general-purpose integer registers:
%eax, %ebx, %ecx, %edx, %esi, %edi,%ebp, %esp Six segment registers: %ES、%CS、%SS、%DS、%FS and %GS An instruction pointer register : %eip An flag register : %eflags

11 3.1 The x86 Architecture

12 3.2 The x86 and Return-Oriented Programming
x86 is suitble for return-oriented programming 1. Few general-purpose registers coordinate dataflow 2. Use of stack attacker can often overwrite instruction sequences ending in %ret can generally be chained together

13 4.Return Oriented Programming
Program Layout : ordinary program program’s text segment return-oriented program stack segment

14 4.1 Ordinary Execution inst inst inst inst inst inst %eip %eip %eip %eip %eip EIP points after the current instruction to the next one to be executed.

15 4.2 Return-Oriented Programming
pop %edx; ret mov %eax, (%edx); ret more code; ret data %esp

16 4.2 Return-Oriented Programming
pop %edx; ret mov %eax, (%edx); ret more code; ret data %esp

17 4.2 Return-Oriented Programming
pop %edx; ret mov %eax, (%edx); ret more code; ret data %esp

18 4.2 Return-Oriented Programming
pop %edx; ret mov %eax, (%edx); ret more code; ret data %esp

19 4.2 Return-Oriented Programming
pop %edx; ret mov %eax, (%edx); ret more code; ret data %esp

20 4.2 Return-Oriented Programming
pop %edx; ret mov %eax, (%edx); ret more code; ret data %esp

21 4.3 Ordinary and return-oriented immediates

22 4.4 Ordinary and return-oriented direct jumps

23 4.5 A memory-load gadget

24 4.6 Return-Oriented Exploitation
A return-oriented program is one or more gadgets arranged. When they are executed, they will effect the behavior the attacker intends.

25 5. X86 Gadget Catalog Catalog of gadgets on the --------x86 platform.
Load Store

26 5.1 Loading a Constant

27 5.2 Loading from Memory

28 5.3 Storing to Memory

29 5.4 Control Flow----Unconditional Jump

30 5.5 Control Flow----Conditional Jumps

31 5.5 Control Flow----Conditional Jumps
(1) Undertake some operation that sets (or clears) flags of interest. (2) Transfer the flag of interest from %eflags to a general-purpose register. (3) Use the flag of interest to perturb %esp conditionally by the desired jump amount.

32 6. Conclusion We have introduced return-oriented programming, a technique by which an attacker who subverts a program’s control flow can induce it to take arbitrary computation, without injecting any new code.

33 References 1. Difference between AT&T and Intel instructions:
2. Return-Oriented Programming: 3. Assembly Language: 4. Return-Oriented Programming: Exploitation Without Code Injection

34 Questions & Feedback? Thanks!

Download ppt "Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]"

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.

A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CEG 320/520: Computer Organization and Assembly Language ProgrammingIntel Assembly 1 Intel IA-32 vs Motorola 68000.

CEG 320/520: Computer Organization and Assembly Language ProgrammingIntel Assembly 1 Intel IA-32 vs Motorola
Assembly Language for Intel-Based Computers, 4 th Edition Chapter 2: IA-32 Processor Architecture (c) Pearson Education, 2002. All rights reserved. You.

Assembly Language for Intel-Based Computers, 4 th Edition Chapter 2: IA-32 Processor Architecture (c) Pearson Education, All rights reserved. You.
6.828: PC hardware and x86 Frans Kaashoek

6.828: PC hardware and x86 Frans Kaashoek
Carnegie Mellon Introduction to Computer Systems 15-213/18-243, spring 2009 Recitation, Jan. 14 th.

Carnegie Mellon Introduction to Computer Systems /18-243, spring 2009 Recitation, Jan. 14 th.
Hello ASM World: A Painless and Contextual Introduction to x86 Assembly rogueclown DerbyCon 3.0 September 28, 2013.

Hello ASM World: A Painless and Contextual Introduction to x86 Assembly rogueclown DerbyCon 3.0 September 28, 2013.
Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.

Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,

Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Mitigation of Buffer Overflow Attacks

Mitigation of Buffer Overflow Attacks

Similar presentations

Ads by Google