Article Preview
TopIntroduction
Mining and exploitation of software vulnerabilities have become popular issues with the development of information technology. Many protection mechanisms for different types of exploit technologies are also emerging. However, many methods can be used to bypass the mechanisms given the limitations of these mechanisms.
Control-flow hijacking attack occurs due to the vulnerability of an overflow because computers cannot distinguish whether a binary number in the memory page is a code or data, thus resulting in the injected data being executed as a code (Shao & Gao, n.d.). Linux system first introduced the W⊕X mechanism in 2000 to address the abovementioned problem (Executable Space Protection, 2018); then, Windows system introduced Data Execution Prevention in XP SP2 and its subsequent products. The basic principle of this mechanism is to distinguish a code segment from a data segment by marking the memory pages as executable/non-executable. The shellcode located in the data segment cannot be executed with the W⊕X (Wei et al., n.d.).
In 2000, a solar designer proposed the ret2libc. The ret2libc hijacks the program control flow and controls the program that jumps to an existing system function because W⊕X does not intercept the code that is located on an executable page. Schacham (Shacham, 2007)[6](Roemer et al., 2012) proposed the ROP based on ret2libc. Compared with ret2libc, ROP uses a smaller assembly instruction fragment called gadget, which improves the generality of the method. Checkoway (Checkoway et al., 2010) proposed an ROP construction method without return instruction and extended the use of the ROP. Lu (Lu et al., 2011) proposed a squeezable, printable, and implementable method on the basis of RIX method and improved the flexibility of an ROP payload.
Various automatic analysis and test case generation techniques for binary program vulnerabilities have emerged in recent years with the development of program analysis techniques (Chipounov et al., 2012). Avgerinos proposed an automatic exploit generation (AEG) (Avgerinos et al., 2012) to determine whether the input can trigger the unsafe state of the program through program verification techniques. Cha proposed the Mayhem for an automatic generation of an exploit (Sang et al., 2011). The Mayhem uses a symbolic execution technology to automatically mine vulnerabilities and generate an exploit. However, these methods do not consider the impact of the W⊕X.
Huang proposed an automatic exploit generation method based on symbolic execution called CRAX (Huang et al., 2012). This method uses a selective symbolic execution, utilizes binary files that can be directed to the vulnerability point as an input, boots the program to run and triggers control-flow hijacking, and generates an exploit. The CRAX method uses the ret2libc with the influence of the W⊕X. CRAX checks the controllable space in the memory and injects the address of a system function while analyzing the state of the control-flow hijacking. The hijacked program reads the address, and its control flow is directed to the system function. However, this method cannot achieve the automatic construction and layout of the ROP, and the exploit can only perform limited functions under the W⊕X.
Schwartz proposed an ROP automatic construction method Q (Schwartz et al., 2011) (Brumley, D., Jager, I., & Avgerinos, T. 2011). This method implements an automatic search of gadgets and automatically constructs ROP chains through gadget-oriented programming languages. Its workflow is as follows: First, an executable program or library file is provided to Q, and a gadget set with a specific function is searched; second, the program used to build intermediate statement sequences is analyzed; finally, the sequence of intermediate statements is evaluated, and a suitable set of gadgets is assigned for each intermediate statement to form an ROP chain. Q (He & Su, 2016) has the following limitations: (1) The payload generated through this method only continue on the basis of the perspective of a functional implementation and disregard the requirements of the ROP layout on the controllability conditions of the memory. (2) In the process of allocating gadgets for the intermediate statement sequence, this method has a record of the program stack location modification, which resulting in a low space efficiency of the ROP.
This paper proposes an ROP automatic generation method on the basis of the fragmented layout to address the problems of ROP automatic generation technologies. The contributions of this papers are shown as following: