ROP-chain generation using Genetic Programming : GENROP

Branting, Jonatan

January 2022

Return Oriented Programming (ROP) is the de-facto technique used to exploit most of today’s native-code vulnerabilities hiding in old and newly developed software alike. By reusing bits and pieces of already existing code (gadgets), ROP can be used to bypass the ever-present Write ⊕ eXecute (W⊕X) security feature, which enforces memory to only be marked as either executable or writable; never both at the same time. Even with its widespread use, crafting more advanced ROP-chains is mostly left as a manual task. This paper attempts to explore the viability of automating ROP-chain generation by leveraging genetic programming (GP), and describes the implementation and design of the ROP-compiler GENROP in this endeavour. We introduce a novel approach to adapt GP to work within the environment of ROP, which attempts to guide the algorithm and preemptively remove pathways which are known ahead of time to be unable to generate a solution. GENROP is tested by attempting to generate a working payload against a number of binaries, and is then evaluated based on success rate and payload size when compared to angrop (another ROP-compiler). The results show that the algorithm is able to generate functioning payloads in most of the tested cases, although it does perform worse than angrop. This can partly be explained by the fact that GENROP uses gadget definitions generated by angrop, which reduces the potential viability of the ROP-compiler, as more unwieldy but potentially usable gadgets are not available. Additionally, it was found that extensively guiding the algorithm has negative consequences in terms of solution diversity. Relying on faster execution times and more iterations might produce better results. Further work is required to assess whether or not generating ROP-chains using genetic programming is a viable approach.

return oriented programming

genetic programming

binary exploitation

ROP

GP

Computer Sciences

Datavetenskap (datalogi)

INFERENCE OF RESIDUAL ATTACK SURFACE UNDER MITIGATIONS

Kyriakos K Ispoglou (6632954)

14 May 2019

<div>Despite the broad diversity of attacks and the many different ways an adversary can exploit a system, each attack can be divided into different phases. These phases include the discovery of a vulnerability in the system, its exploitation and the achieving persistence on the compromised system for (potential) further compromise and future access. Determining the exploitability of a system –and hence the success of an attack– remains a challenging, manual task. Not only because the problem cannot be formally defined but also because advanced protections and mitigations further complicate the analysis and hence, raise the bar for any successful attack. Nevertheless, it is still possible for an attacker to circumvent all of the existing defenses –under certain circumstances.</div><div><br></div><div>In this dissertation, we define and infer the Residual Attack Surface on a system. That is, we expose the limitations of the state-of-the-art mitigations, by showing practical ways to circumvent them. This work is divided into four parts. It assumes an attack with three phases and proposes new techniques to infer the Residual Attack Surface on each stage.</div><div><br></div><div>For the first part, we focus on the vulnerability discovery. We propose FuzzGen, a tool for automatically generating fuzzer stubs for libraries. The synthesized fuzzers are target specific, thus resulting in high code coverage. This enables developers to expose and fix vulnerabilities (that reside deep in the code and require initializing a complex state to trigger them), before they can be exploited. We then move to the vulnerability exploitation part and we present a novel technique called Block Oriented Programming (BOP), that automates data-only attacks. Data-only attacks defeat advanced control-flow hijacking defenses such as Control Flow Integrity. Our framework, called BOPC, maps arbitrary exploit payloads into execution traces and encodes them as a set of memory writes. Therefore an attacker’s intended execution “sticks” to the execution flow of the underlying binary and never departs from it. In the third part of the dissertation, we present an extension of BOPC that presents some measurements that give strong indications of what types of exploit payloads are not possible to execute. Therefore, BOPC enables developers to test what data an attacker would compromise and enables evaluation of the Residual Attack Surface to assess an application’s risk. Finally, for the last part, which is to achieve persistence on the compromised system, we present a new technique to construct arbitrary malware that evades current dynamic and behavioral analysis. The desired malware is split into hundreds (or thousands) of little pieces and each piece is injected into a different process. A special emulator coordinates and synchronizes the execution of all individual pieces, thus achieving a “distributed execution” under multiple address spaces. malWASH highlights weaknesses of current dynamic and behavioral analysis schemes and argues for full-system provenance.</div><div><br></div><div>Our envision is to expose all the weaknesses of the deployed mitigations, protections and defenses through the Residual Attack Surface. That way, we can help the research community to reinforce the existing defenses, or come up with new, more effective ones.</div>

Applied Computer Science

systems security

attack surface

binary analysis

binary exploitation

stealthy malware

fuzzing

whole system analysis