Commit

changes
m-heim committed Feb 16, 2023
1 parent 045852b commit 79d6b18
Showing 4 changed files with 14 additions and 10 deletions.
3 changes: 2 additions & 1 deletion blt.sty
@@ -105,4 +105,5 @@
\newcommand{\bltRegex}[1]{\mbox{\colorbox{red!30}{\lowercase{#1}}}}
\newcommand{\bltResult}[3]{
\lstinputlisting[style=result, caption=#2, captionpos=t, label=#3]{#1}
}
}
\newcommand{\bltInlineVerb}[1]{\lstinline[breaklines=true,basicstyle=\ttfamily,breakindent=0pt]{#1}}
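Review bot: \bltInlineVerb wraps \lstinline with brace delimiters, so its argument may not contain an unbalanced brace and the macro is fragile inside moving arguments such as \caption or \section; since paper.tex now passes it long URLs, also confirm that the installed listings version honours breaklines for \lstinline, otherwise those lines run into the margin. The closing } of \bltResult shows up as removed and re-added with no visible difference, which usually means a trailing-whitespace or line-ending change; worth fixing the editor settings so the diff stays minimal.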
Binary file modified paper.pdf
19 changes: 10 additions & 9 deletions paper.tex
@@ -5,7 +5,7 @@


%%%% 1. DOCUMENTCLASS %%%%
\documentclass[journal=tosc,submission]{iacrtrans}
\documentclass[journal=tosc,submission, notanonymous]{iacrtrans}
%%%% NOTES:
% - Change "journal=tosc" to "journal=tches" if needed
% - Change "submission" to "final" for final version
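Review bot: notanonymous is added while submission is kept. In the iacrtrans class, submission mode anonymizes the author block for review and notanonymous switches that off, so confirm the target venue actually accepts non-anonymous submissions before uploading; if this is not going to ToSC at all, the NOTES block directly below ("Change submission to final") no longer describes the intended workflow and should say so. Minor: the option list is written as `submission, notanonymous` with a space, harmless for keyval parsing but inconsistent with `journal=tosc,submission` on the same line.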
@@ -22,7 +22,7 @@


%%%% 3. AUTHOR, INSTITUTE %%%%
\author{Maximilian Heim}
\author{Maximilian Heim\inst{1}}
\institute{
University Albstadt-Sigmaringen, Albstadt, Germany, \email{[email protected]}
}
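Review bot: \inst{1} is added to \author, but \institute lists a single institute with no \and; iacrtrans only numbers institutes when several are given, so the marker is redundant here and may print a stray superscript 1 that refers to nothing. Either drop \inst{1} or introduce it together with a second institute.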
@@ -34,7 +34,7 @@


%%%% 4. TITLE %%%%
\title{Return Oriented Programming}
\title{An Introduction to Return Oriented Programming}
%%%% NOTES:
% - If the title is too long, or includes special macro, please
% provide a "running title" as optional argument: \title[Short]{Long}
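Review bot: the new title spells "Return Oriented Programming" without the hyphen; the established form is "Return-Oriented Programming" (compound modifier), and the .bib entries added in this commit mix both spellings, so pick one and apply it to the title and the bibliography titles. The NOTES comment below suggests a running title via \title[Short]{Long}; with the longer title, a short form such as "ROP" would keep the page header tidy.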
@@ -75,11 +75,11 @@ \section{Gadgets}
These are only 10 Lines out of the 8244 lines found by the tool though and i purposefully filtered out some good and bad ones for demonstration. It is clearly visible that many candidates for ROP can be found, even in a file with a relatively small size of 72 kB. Though most of these gadgets are not all that useful because they often modify a lot of registers, possibly messing up the desired state or they use a fixed return address. In most cases we can find suitable candidates using regular expressions though, this will be demonstrated later in this section.
\paragraph{Overview of powerful gadgets}
\paragraph{pop}
\Verb+pop+ allows us to write arbitrary values into registers. For that we search for a \Verb+pop <reg>+ instruction inside our gadgets, in the payload we can then place the value that we want to insert after the address of the \Verb+pop+ instruction. If we can not find a suitable gadget we can try to get creative and achieve the desired state another way. For example if we want to modify \Verb+ecx+ but do not have a \Verb+pop ecx+ instruction available we could achieve it with something like this: \Verb+xor ecx, ecx ; pop eax ; xor ecx, eax+. Provided that we have these gadgets available.
\Verb+pop+ allows us to write arbitrary values into registers. For that we search for a \Verb+pop <reg>+ instruction inside our gadgets, in the payload we can then place the value that we want to insert after the address of the \Verb+pop+ instruction. If we can not find a suitable gadget we can try to get creative and achieve the desired state another way. For example if we want to modify \Verb+ecx+ but do not have a \Verb+pop ecx+ instruction available we could achieve it with something like this: \bltInlineVerb{xor ecx, ecx ; pop eax ; xor ecx, eax}. Provided that we have these gadgets available.
\paragraph{mov}
\Verb+mov+ allows us to write arbitrary values into memory. For that we search for a \Verb+mov dword ptr [<reg1>], <reg2>+ instruction inside our gadgets, we can then, in combination with two pops write arbitrary values at arbitary memory locations. The following example writes the value in \Verb+ecx+ to where \Verb+eax+ points to: \Verb+pop ecx ; pop eax ; mov dword ptr [eax], ecx+
\Verb+mov+ allows us to write arbitrary values into memory. For that we search for a \Verb+mov dword ptr [<reg1>], <reg2>+ instruction inside our gadgets, we can then, in combination with two pops write arbitrary values at arbitary memory locations. The following example writes the value in \Verb+ecx+ to where \Verb+eax+ points to: \bltInlineVerb{pop ecx ; pop eax ; mov dword ptr [eax], ecx}
\paragraph{arithmetics, boolean algebra}
Arithmetic operations like \Verb+add+, \Verb+sub+, \Verb+inc+, \Verb+xor+, \Verb+or+, and can be useful to bring registers into our desired state. For that we search for the corresponding gadget with the required operands. For example \Verb+xor+ can be used to clear a register or copy its contents. It often occurs in the following forms: \Verb+xor eax, eax+ or \Verb+xor eax, edx+. The first case clears the register since \Verb+xor+ computes a non-equivalence, formally $a \oplus a = 0$ and the second one copies the value of the 2nd operand into the 1st operand when the target register is \Verb+0x00+ since \Verb+0x00+ is the neutral element of the \Verb+xor+ operation, formally $a \oplus 0 = a$.
Arithmetic operations like \Verb+add+, \Verb+sub+, \Verb+inc+, \Verb+xor+, \Verb+or+, and can be useful to bring registers into our desired state. For that we search for the corresponding gadget with the required operands. For example \Verb+xor+ can be used to clear a register or copy its contents. It often occurs in the following forms: \bltInlineVerb{xor eax, eax} or \bltInlineVerb{xor eax, edx}. The first case clears the register since \Verb+xor+ computes a non-equivalence, formally $a \oplus a = 0$ and the second one copies the value of the 2nd operand into the 1st operand when the target register is \Verb+0x00+ since \Verb+0x00+ is the neutral element of the \Verb+xor+ operation, formally $a \oplus 0 = a$.
\paragraph{int 0x80}
\Verb+int+ stand for an interrupt, the interrupt \Verb+0x80+ causes a system call to be executed. System calls are kernelspace programs/operations that require higher privileges than what is available in a userspace program. Examples for system calls include io and \Verb+execve+ which allows to execute arbitary programs. In combination with \Verb+pop+, \Verb+mov+ and other instructions we can specify the concrete system call. One of the most powerful system calls for blackhats is bash since it allows permanently implementing malware or gain insight into files, it can be called with the argument \Verb+/bin/sh+. This will be demonstrated in~\cref{sec:attack}
\subsection{Filtering the gadgets}
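Review bot: the conversion from \Verb+...+ to \bltInlineVerb{...} is partial: in the same paragraphs \Verb+pop <reg>+, \Verb+mov dword ptr [<reg1>], <reg2>+ and \Verb+ecx+ stay in fancyvrb while the multi-instruction snippets become listings, so the two will render in different fonts and with different line-breaking. Either convert all inline code in the section or state the rule (for example, \bltInlineVerb only for sequences that may need to break) in a comment in blt.sty. Also visible in the context lines of this hunk: "i purposefully", "arbitary" (twice), "\Verb+int+ stand for", and the sentence calling bash a system call; what is invoked is the execve system call with /bin/sh as its argument, as the surrounding text itself says.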
@@ -111,7 +111,7 @@ \subsection{Target Program}
The following program is the target of our attack, it uses a command line argument to provide the payload and \Verb+strcpy+ for the buffer overflow, overwriting the return address after the 8 Byte buffer. Using vulnerable input functions also works though.
\bltCode{vuln.c}{c}{The Target Program}{thetargetprogram}
\paragraph{Compilation}
We compile the target program with the following command. There are several important options given in this command. Most importantly the \Verb+-fno-stack-protector+ option disables stack canaries which would otherwise directly terminate the program when the canary is overwritten. The \Verb+-m32+ option compiles the binary as a 32 Bit executable, this makes the attack easier. The \Verb+-static+ option makes the binary statically linked. Without this option there are only 50 gadgets available, considering most of them are not useful for our attack it is practically impossible to perform the attack with just these gadgets. The \Verb+-static+ option includes the \Verb+libc+ library in the executable, increasing the gadget count to over 8000. However, it is possible to determine the address of the dynamically linked library at runtime and adding an offset for each gadget to this address. This has been described by Saif El-Sherei but will not be further discussed in this paper.
We compile the target program with the following command. There are several important options given in this command. Most importantly the \bltInlineVerb{-fno-stack-protector} option disables stack canaries which would otherwise directly terminate the program when the canary is overwritten. The \Verb+-m32+ option compiles the binary as a 32 Bit executable, this makes the attack easier. The \Verb+-static+ option makes the binary statically linked. Without this option there are only 50 gadgets available, considering most of them are not useful for our attack it is practically impossible to perform the attack with just these gadgets. The \Verb+-static+ option includes the \Verb+libc+ library in the executable, increasing the gadget count to over 8000. However, it is possible to determine the address of the dynamically linked library at runtime and adding an offset for each gadget to this address. This has been described by Saif El-Sherei~\cite{el-sherei} but will not be further discussed in this paper
\bltCommand{compilation.sh}{The compliation command}{thecompilationcommand}
\subsection{Phases of developing the attack}
\paragraph{Phases}
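Review bot: \cite{el-sherei} only resolves if refs.bib is read, but the \bibliography line later in this file still lists abbrev3,crypto,biblio, so bibtex will report an undefined citation and the paper prints [?]; add refs to that list. The rewritten sentence also lost its final period after "in this paper". Same partial-conversion issue as in the Gadgets hunk: -fno-stack-protector becomes \bltInlineVerb while -m32 and -static stay \Verb. The caption in the context line below, "The compliation command", has a typo.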
@@ -143,8 +143,9 @@ \section{Protection}

\section{Discussion}
Sources:
\url{https://www.exploit-db.com/docs/english/28479-return-oriented-programming-(rop-ftw).pdf}
\url{https://guyinatuxedo.github.io/5.1-mitigation_aslr_pie/index.html}

\bltInlineVerb{https://www.exploit-db.com/docs/english/28479-return-oriented-programming-(rop-ftw).pdf}
\bltInlineVerb{https://guyinatuxedo.github.io/5.1-mitigation_aslr_pie/index.html}
%%%% 8. BILBIOGRAPHY %%%%
\bibliographystyle{alpha}
\bibliography{abbrev3,crypto,biblio}
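Review bot: replacing \url{...} with \bltInlineVerb{...} drops the hyperlink and the URL-aware line breaking that \url provides, and the two "Sources:" lines now duplicate the el-sherei entry just added to refs.bib. Cite both sources with \cite (adding a matching entry for the guyinatuxedo page) and remove the ad-hoc list from the Discussion section; if a literal URL has to stay in the text, \url is the right macro. The comment "BILBIOGRAPHY" in the context lines is misspelled, and refs is still missing from \bibliography{abbrev3,crypto,biblio}.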
2 changes: 2 additions & 0 deletions refs.bib
@@ -0,0 +1,2 @@
@misc{pixis, title={Rop - Return Oriented Programming}, url={https://en.hackndo.com/return-oriented-programming/}, journal={hackndo}, publisher={Pixis}, author={Pixis}, year={2016}, month={Oct}}
@misc{el-sherei, title={Return oriented programming (ROP FTW) - exploit-db.com}, url={https://www.exploit-db.com/docs/english/28479-return-oriented-programming-(rop-ftw).pdf}, journal={Return-Oriented-Programming (ROP FTW)}, author={El-Sherei, Saif}}
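Review bot: the el-sherei entry has no year and no access date, and both entries use journal and publisher, which are not @misc fields and are ignored by the alpha style; put the site name in howpublished and the access date in note. With alpha the title is set in sentence case, so "Rop" and "ROP FTW" need brace protection ({ROP}) to keep their capitalization. Finally, this file is not referenced by \bibliography in paper.tex (see the hunk above), so nothing from it will appear until it is added there.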
