Vol: 58(72) No: 2 / June 2013        

Comparison of Different Control Gadgets for Jump Oriented Programming
László Erdődi
Institute of Software Technology, Óbuda University, John von Neumann Faculty of Informatics, Bécsi út 96/b, 1036 Budapest, Hungary, phone: (+361) 666-5574, e-mail: erdodi.laszlo@nik.uni-obuda.hu, web: http://nik.uni-obuda.hu


Keywords: Jump, Oriented, Gadget, Control, Attack

Abstract
The use of code reuse in memory corruption attacks has been increasing steadily. In order to bypass Data Execution Prevention, the available attack methods, such as Return Oriented Programming and Jump Oriented Programming, may place only data into the process memory; with these techniques the attack code is composed entirely from the shared library code linked into the process. Jump Oriented Programming uses a control gadget which supervises the malicious code running in the process by continuously reading the address of the next piece of the attack code and directing the execution there. Since the control gadget is the most critical part of a jump oriented program, this study analyses the control gadgets available in the libraries of different operating systems. An analysis is also provided so that the different behaviours of control gadgets can be compared from a practical point of view.
