Framework for Automated Construction of Object-Oriented Code Reuse Attacks
Framework for Automated Construction of Object-Oriented Code Reuse Attacks
Supervisor(s): | Paul Muntean |
Status: | finished |
Topic: | Others |
Author: | Richard Viehoever |
Submission: | 2018-12-17 |
Type of Thesis: | Bachelorthesis |
DescriptionControl-Flow Integrity (CFI) is an effective technique to protect programs,
and it significantly increases the difficulty to deploy control-flow hijacking attacks.
CFI based techniques protect control-flow graph’s (CFG) forward and
backward edges by imposing pre-computed sets of legal target addresses for
indirect transfers, considerably restricting usable targets during an attack. Still,
determining whether an attack remains possible when indirect control flow
transfers are protected by advanced control-flow checking defences remains
an open research question.
In this thesis, I present JTOP, a framework for automatically determining
whether a binary hardened with CFI-like defences is still vulnerable to controlflow
hijacking attacks. JTOP builds an exploit payload for a vulnerable target
program, respecting the control flow integrity constraints specified by the
analyst. Using the Turing complete payload specification language ESL, the
analyst can precisely specify payload layout and effects. ESL abstracts away
the underlying program and architecture details, allowing specification of exploits
without the need for any previous knowledge. Using the ESL payload
specification, JTOP generates a chain of viable gadgets and SMT-based memory
constraints to generate the payload. The resulting exploit does not necessarily
respect the original control flow graph, depending on the selected CFI protection
policy. JTOP combines virtual and non-virtual gadgets using COOP-
like dispatchers, constituting a new type of attack. When searching for gadget
chains, JTOP respects the provided CFI constraints, only following legal control
flow transfers. Depending on the policy selected, JTOP prevents violation of the
original program’s control flow graph, thus honoring any applied CFI policies.
Searching for gadget chains can quickly lead to a search space explosion when
control flow is not followed, as all available functions are candidate successors.
As such, JTOP first reduces the set of successors, and then uses heuristics to
guide the search for gadget chains. JTOP operates using an ESL payload, CFI
constraints and a target binary with a newly detected or well known arbitrary
write primitive allowing the application to be corrupted. JTOP is tested on a set
of 7 widely used programs, generating exploits for 13 ESL payloads on each of
them. JTOP successfully generates a payload in 66% of the cases, and manages
to build an exploit to spawn a shell for 100% of the tested programs, finding
complex gadget chains which are hard to find using manual analysis.
|