Brace Yourselves - Exploit Automation is Coming!

Presented at DeepSec 2016 „Ten“

After W^X/DEP was widely adopted, taking away the fun of simple code injection attacks, return-oriented programming (ROP) became the cornerstone of modern low-level memory-corruption exploits. ROP relies on short, existing code fragments called "gadgets", which are arranged so that they execute consecutively. This is a cumbersome process: gadgets have to be found, categorized, their usefulness assessed, interleaved with data, and chained together. Many tools that support this process exist, but they are often outdated, do not support modern 64-bit platforms, and are usually limited to gadget discovery, leaving exploit developers to sift through tens of thousands of gadgets. Some tools claim to automate the full process of building ROP chains, but their search algorithms are simple and pattern-based: if a specific gadget is not present, the whole process fails. Academic tools only work on synthetic examples, not on real binaries. Overall, ROP exploit development is a predominantly manual task.

In this talk, I will review the basic concept of ROP, give an overview of tools that assist ROP exploit development, and show what they can do, and especially what they cannot do. Afterwards, I will discuss what kinds of features would be useful in such tools and present a tool our research group has developed. It greatly assists ROP exploit development and provides two distinct features: semantic gadget summaries, which show the effects of a gadget on registers and memory in a condensed way; and an auto-ropping engine that actually works, automatically building a ROP chain to invoke an arbitrary API with arbitrary parameters. Lastly, I will give an outlook on future mitigations and attacks, discussing state-of-the-art research.
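To make the idea of a "semantic gadget summary" concrete, here is an added toy summariser written for this page (it is not the research group's tool and handles only a small, assumed x86-64 subset given as text). It shows why a purely pattern-based search for `pop rdi; ret` misses a gadget such as `mov rdi, [rsp]; add rsp, 8; ret` that has exactly the same effect on registers and on the stack.

```python
import re

# Assumed scope: 64-bit GPRs only, gadgets written as text with ';' separators.
REGS = ("rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp",
        "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15")
MEM_RE = re.compile(r"^\[(\w+)(?:\+(0x[0-9a-f]+|\d+))?\]$")


def summarize(gadget: str) -> dict:
    """Condensed effect of a gadget: which registers change, the symbolic
    value each ends up with, and how far 'ret' moves rsp. Stack slots are
    named relative to rsp at gadget entry, e.g. '[rsp+8]'."""
    regs = {r: r for r in REGS}   # symbolic state: every register starts as itself
    off = 0                       # displacement of rsp from its entry value (bytes)

    def operand(op: str) -> str:
        m = MEM_RE.match(op)
        if m:                     # memory operand: resolve through the base register
            base, disp = m.group(1), int(m.group(2) or "0", 0)
            if base == "rsp":
                return f"[rsp+{off + disp}]"
            return f"[{regs[base]}+{disp}]"
        return regs[op] if op in regs else str(int(op, 0))   # register or immediate

    for ins in (i.strip() for i in gadget.split(";") if i.strip()):
        mnem, _, rest = ins.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        if mnem == "ret":         # return address is the slot rsp currently points to
            return {"regs": {r: v for r, v in regs.items() if v != r and r != "rsp"},
                    "ret_addr": f"[rsp+{off}]", "stack_delta": off + 8}
        if not ops or ops[0] not in regs:
            raise ValueError(f"unsupported instruction: {ins}")
        if mnem == "pop":
            regs[ops[0]] = f"[rsp+{off}]"
            off += 8
        elif mnem == "mov":
            regs[ops[0]] = operand(ops[1])
        elif mnem == "add" and ops[0] == "rsp":
            off += int(ops[1], 0)
        elif mnem == "add":
            regs[ops[0]] = f"({regs[ops[0]]} + {operand(ops[1])})"
        elif mnem == "xor" and ops[0] == ops[1]:
            regs[ops[0]] = "0"
        else:
            raise ValueError(f"unsupported instruction: {ins}")
    raise ValueError("gadget does not end in ret")


def equivalent(g1: str, g2: str) -> bool:
    """Two gadgets are interchangeable in a chain if their summaries match."""
    return summarize(g1) == summarize(g2)
```

A real summariser works on lifted machine code and tracks flags, memory writes and side effects; this toy shows only the register/stack-delta view that lets a tool recognise equivalent gadgets instead of matching byte patterns.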

Presenters:

  • Andreas Follner - TU Darmstadt / CRISP
    Andreas Follner received his Master's degree in IT security from the University of Applied Sciences Technikum Wien in 2012. He is currently working towards his PhD at TU Darmstadt (Germany), where his key research interests are exploitation, exploit mitigation and binary analysis. As the main author of three peer-reviewed publications, he likes research that is not purely academic and has a practical impact.
