Return-oriented Programming (ROP) is a powerful exploitation technique used in nearly every exploit today. It maliciously combines short code snippets (gadgets) residing in shared libraries and the executable to bypass data execution prevention (DEP). As a consequence, several new control-flow integrity (CFI) mechanisms and tools have been recently proposed to thwart ROP attacks. For instance, kBouncer and ROPGuard both restrict return instructions to target a call-preceded instruction. In addition, ROPecker and kBouncer force the adversary to invoke a long instruction sequence after a pre-defined number of short gadgets thereby preventing an attacker to execute a sequence of ROP gadgets. Some of the proposed mechanisms have already been integrated in Microsoft's Windows EMET tool. In general, these mechanisms significantly reduce the gadget space and make it challenging for an attacker to mount ROP attacks.
While others have hypothesized or even exploited weaknesses in some of these emerging CFI techniques, we provide the first comprehensive analysis thereof. Specifically, we conducted a security analysis of various recently proposed CFI solutions (including kBouncer, ROPGuard, ROPecker, and CFI for COTS binaries). Our key contribution is in demonstrating that these techniques can be effectively undermined even when all their protection mechanisms are combined. In particular, we transformed existing (publicly available) exploits against Windows (which are detected by Microsoft EMET) into more stealthy attacks that bypass all recently proposed CFI techniques. We show that our performed transformations require no specific assumptions, and demonstrate that a 1MB Windows library (kernel32.dll) is already sufficient to derive a (turing-) complete gadget set using only call-preceded gadgets.
Daniel Lehmann is studying computer science with focus on IT-Security at Technische Universitt Darmstadt, Germany. His research focuses on return-oriented programming attacks and defenses.
Ahmad-Reza Sadeghi is a full professor of Computer Science at Technische Universitt Darmstadt, Germany. He is the head of the System Security Lab at the Center for Advanced Security Research Darmstadt (CASED) and the Director of the Intel Collaborative Research Institute for Secure Computing (ICRI-SC) at TU-Darmstadt. He holds a PhD in Computer Science from the University of Saarland in Saarbrcken Germany. Prior to academia, he worked in Research and Development of Telecommunications enterprises, amongst others Ericsson Telecommunications. He has been continuously contributing to the research community and serving as general or program chair as well as program committee member of many established conferences and workshops in information security and privacy. He is on the editorial board of ACM Books for Security and Privacy, and has served on the Editorial Board of the ACM Transactions on Information and System Security.