changes

paper.bbl

@@ -1,11 +1,24 @@
-\begin{thebibliography}{Pix16}
+\begin{thebibliography}{RBSS12}
 
 \bibitem[ES]{el-sherei}
 Saif El-Sherei.
 \newblock Return oriented programming (rop ftw) - exploit-db.com.
+\newblock
+  \url{https://www.exploit-db.com/docs/english/28479-return-oriented-programming-(rop-ftw).pdf}.
 
 \bibitem[Pix16]{pixis}
 Pixis.
-\newblock Rop - return oriented programming, Oct 2016.
+\newblock Rop - return oriented programming.
+\newblock \url{https://en.hackndo.com/return-oriented-programming/}, Oct 2016.
+
+\bibitem[pro]{proggen-rop}
+Return-oriented programming (rop).
+\newblock
+  \url{https://www.proggen.org/doku.php?id=security%3Amemory-corruption%3Aexploitation%3Arop}.
+
+\bibitem[RBSS12]{ropsla}
+Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage.
+\newblock Return-oriented programming: Systems, languages, and applications.
+\newblock {\em ACM Trans. Inf. Syst. Secur.}, 15(1), mar 2012.
 
 \end{thebibliography}

paper.blg

@@ -3,44 +3,46 @@ Capacity: max_strings=200000, hash_size=200000, hash_prime=170003
 The top-level auxiliary file: paper.aux
 The style file: alpha.bst
 Database file #1: refs.bib
-You've used 2 entries,
+Warning--to sort, need author or key in proggen-rop
+You've used 4 entries,
             2543 wiz_defined-function locations,
-            568 strings with 4605 characters,
-and the built_in function-call counts, 534 in all, are:
-= -- 45
-> -- 16
+            582 strings with 5167 characters,
+and the built_in function-call counts, 1177 in all, are:
+= -- 111
+> -- 48
 < -- 2
-+ -- 4
-- -- 4
-* -- 25
-:= -- 89
-add.period$ -- 4
-call.type$ -- 2
-change.case$ -- 10
-chr.to.int$ -- 2
-cite$ -- 2
-duplicate$ -- 22
-empty$ -- 51
-format.name$ -- 7
-if$ -- 109
++ -- 16
+- -- 16
+* -- 71
+:= -- 192
+add.period$ -- 11
+call.type$ -- 4
+change.case$ -- 22
+chr.to.int$ -- 4
+cite$ -- 6
+duplicate$ -- 45
+empty$ -- 99
+format.name$ -- 20
+if$ -- 242
 int.to.chr$ -- 1
 int.to.str$ -- 0
-missing$ -- 0
-newline$ -- 11
-num.names$ -- 6
-pop$ -- 20
+missing$ -- 1
+newline$ -- 22
+num.names$ -- 9
+pop$ -- 34
 preamble$ -- 1
-purify$ -- 12
+purify$ -- 26
 quote$ -- 0
-skip$ -- 26
+skip$ -- 46
 stack$ -- 0
-substring$ -- 14
-swap$ -- 2
+substring$ -- 29
+swap$ -- 4
 text.length$ -- 2
 text.prefix$ -- 1
 top$ -- 0
-type$ -- 16
-warning$ -- 0
-while$ -- 4
-width$ -- 3
-write$ -- 21
+type$ -- 32
+warning$ -- 1
+while$ -- 7
+width$ -- 5
+write$ -- 47
+(There was 1 warning)

paper.tex

@@ -76,13 +76,13 @@ \section{Gadgets}
 These are only 10 Lines out of the 8244 lines found by the tool though and i purposefully filtered out some good and bad ones for demonstration. It is clearly visible that many candidates for ROP can be found, even in a file with a relatively small size of 72 kB. Though most of these gadgets are not all that useful because they often modify a lot of registers, possibly messing up the desired state or they use a fixed return address. In most cases we can find suitable candidates using regular expressions though, this will be demonstrated later in this section.
 \paragraph{Overview of powerful gadgets}
 \paragraph{pop}
-\Verb+pop+ allows us to write arbitrary values into registers. For that we search for a \Verb+pop <reg>+ instruction inside our gadgets, in the payload we can then place the value that we want to insert after the address of the \Verb+pop+ instruction. If we can not find a suitable gadget we can try to get creative and achieve the desired state another way. For example if we want to modify \Verb+ecx+ but do not have a \Verb+pop ecx+ instruction available we could achieve it with something like this: \bltInlineVerb{xor ecx, ecx ; pop eax ; xor ecx, eax}. Provided that we have these gadgets available.
+\Verb+pop+ allows us to write arbitrary values into registers. For that we search for a \Verb+pop <reg>+ instruction inside our gadgets, in the payload we can then place the value that we want to insert after the address of the \Verb+pop+ instruction.~\cite{ropsla} If we can not find a suitable gadget we can try to get creative and achieve the desired state another way. For example if we want to modify \Verb+ecx+ but do not have a \Verb+pop ecx+ instruction available we could achieve it with something like this: \bltInlineVerb{xor ecx, ecx ; pop eax ; xor ecx, eax}. Provided that we have these gadgets available.
 \paragraph{mov}
-\Verb+mov+ allows us to write arbitrary values into memory. For that we search for a \Verb+mov dword ptr [<reg1>], <reg2>+ instruction inside our gadgets, we can then, in combination with two pops write arbitrary values at arbitary memory locations. The following example writes the value in \Verb+ecx+ to where \Verb+eax+ points to: \bltInlineVerb{pop ecx ; pop eax ; mov dword ptr [eax], ecx}
+\Verb+mov+ allows us to write arbitrary values into memory. For that we search for a \Verb+mov dword ptr [<reg1>], <reg2>+ instruction inside our gadgets, we can then, in combination with two pops write arbitrary values at arbitary memory locations.~\cite{ropsla} The following example writes the value in \Verb+ecx+ to where \Verb+eax+ points to: \bltInlineVerb{pop ecx ; pop eax ; mov dword ptr [eax], ecx}
 \paragraph{arithmetics, boolean algebra}
-Arithmetic operations like \Verb+add+, \Verb+sub+, \Verb+inc+, \Verb+xor+, \Verb+or+, and can be useful to bring registers into our desired state. For that we search for the corresponding gadget with the required operands. For example \Verb+xor+ can be used to clear a register or copy its contents. It often occurs in the following forms: \bltInlineVerb{xor eax, eax} or \bltInlineVerb{xor eax, edx}. The first case clears the register since \Verb+xor+ computes a non-equivalence, formally $a \oplus a = 0$ and the second one copies the value of the 2nd operand into the 1st operand when the target register is \Verb+0x00+ since \Verb+0x00+ is the neutral element of the \Verb+xor+ operation, formally $a \oplus 0 = a$.
+Arithmetic operations like \Verb+add+, \Verb+sub+, \Verb+inc+, \Verb+xor+, \Verb+or+, and can be useful to bring registers into our desired state.~\cite{ropsla} For that we search for the corresponding gadget with the required operands. For example \Verb+xor+ can be used to clear a register or copy its contents. It often occurs in the following forms: \bltInlineVerb{xor eax, eax} or \bltInlineVerb{xor eax, edx}. The first case clears the register since \Verb+xor+ computes a non-equivalence, formally $a \oplus a = 0$ and the second one copies the value of the 2nd operand into the 1st operand when the target register is \Verb+0x00+ since \Verb+0x00+ is the neutral element of the \Verb+xor+ operation, formally $a \oplus 0 = a$.
 \paragraph{int 0x80}
-\Verb+int+ stand for an interrupt, the interrupt \Verb+0x80+ causes a system call to be executed. System calls are kernelspace programs/operations that require higher privileges than what is available in a userspace program. Examples for system calls include io and \Verb+execve+ which allows to execute arbitary programs. In combination with \Verb+pop+, \Verb+mov+ and other instructions we can specify the concrete system call. One of the most powerful system calls for blackhats is bash since it allows permanently implementing malware or gain insight into files, it can be called with the argument \Verb+/bin/sh+. This will be demonstrated in~\cref{sec:attack}
+\Verb+int+ stands for interrupt, the interrupt \bltInlineVerb{int 0x80} causes a system call to be executed. System calls are kernelspace programs/operations that require higher privileges than what is available in a userspace program. Examples for system calls include io and \Verb+execve+ which allows to execute arbitary programs. In combination with \Verb+pop+, \Verb+mov+ and other instructions we can specify the concrete system call.~\cite{ropsla} One of the most powerful system calls for blackhats is bash since it allows permanently implementing malware or gain insight into files, it can be called with the argument \Verb+/bin/sh+. This will be demonstrated in~\cref{sec:attack}
 \subsection{Filtering the gadgets}
 \paragraph{Introduction}
 In order to find the gadgets we want we can use the tools directly or we can use regular expressions. In order to make this paper more general and easy to replicate i will be using regular expressions to find the desired gadgets.
@@ -93,16 +93,16 @@ \subsection{Filtering the gadgets}
 \item int 0x80  $\rightarrow$ \bltRegex{\^{}.\{0,20\}int 0x80\textbackslash{}n} 
 \item xor eax, eax  $\rightarrow$ \bltRegex{\^{}.\{0,20\}xor eax, eax.\{0,20\}ret\textbackslash{}n} 
 \end{itemize}
-for all of these regular expressions i was able to find at least a few suitable candidates. If there are no results the amount of possible characters before or after the gadget can be increased until results show up. It is however desirable to have gadgets with as few and noninterfering instructions as possible, if this is accomplished we can almost use the instructions we found like in assembly. Gadgets which do multiple things at once however can mess up the desired state and break the payload so it is important to thoroughly analyze the gadgets before using them.
+for all of these regular expressions there were gadgets for the given program in~\cref{sec:attack}. If there are no results the amount of possible characters before or after the gadget can be increased until results show up. It is however desirable to have gadgets with as few and noninterfering instructions as possible, if this is accomplished we can almost use the instructions we found like in assembly. Gadgets which do multiple things at once however can mess up the desired state and break the payload so it is important to thoroughly analyze the gadgets before generating the payload.
 
 \section{Theory}
 \subsection{Stack}
-The following graphic is an illustration of how the stack changes when injecting the payload. The buffer first has to be filled. In binary exploitation the letter \Verb+A+ is used for that most of the time, it has an easy to identify hexadecimal value of \bltInlineVerb{0x41}. It is important to note that without any special compiler options the stack will be aligned in \bltInlineVerb{dword}'s, because of that the buffer has to be filled with 16 Bytes instead of 8 Bytes, this can be turned off with the option \bltInlineVerb{-mpreferred-stack-boundary=2}. Though, then the payload only worked when filling the buffer with 24 Bytes.
+The following graphic~\cref{fig:stack} is an illustration of how the stack changes when injecting the payload. The buffer first has to be filled. In binary exploitation the letter \Verb+A+ is used for that most of the time, it has an easy to identify hexadecimal value of \bltInlineVerb{0x41}. It is important to note that without any special compiler options the stack will be aligned in \bltInlineVerb{dword}'s, because of that the buffer has to be filled with 16 Bytes instead of 8 Bytes, this can be turned off with the option \bltInlineVerb{-mpreferred-stack-boundary=2}. Though, then the payload only worked when filling the buffer with 24 Bytes.
 \begin{figure}[h]
   \centering
   \includegraphics[width=0.79\textwidth]{stackropoffsec.png}
   \caption{The stack when injecting the payload}
-  \label{fig:mesh1}
+  \label{fig:stack}
 \end{figure}
 \subsection{ROP Chain}
 
@@ -129,7 +129,7 @@ \subsection{Phases of developing the attack}
   \item Insert payload into target using a vulnerability
 \end{enumerate}
 \paragraph{Goal and abstract payload}
-After specifying the goal and possibly simplifying it we have to write a list of instructions and arguments that achieve the goal, for this its favorable to directly use the format of the final payload except for using instructions instead of addresses as this will then allow to simply insert the found gadgets into this abstract payload. For the example in this paper we want to open a shell, for that the simplest way is to execute an execve system call. The following program state~\cref{fig:stateforint} has to be achieved so the interrupt \bltInlineVerb{int 0x80} causes a shell to be opened.~\cite{pixis}
+After specifying the goal and possibly simplifying it we have to write a list of instructions and arguments that achieve the goal, for this its favorable to directly use the format of the final payload except for using instructions instead of addresses as this will then allow to simply insert the found gadgets into this abstract payload. For the example in this paper we want to open a shell, for that the simplest way is to execute an execve system call. The following program state~\cref{fig:stateforint} has to be achieved so the interrupt \bltInlineVerb{int 0x80} causes a shell to be opened.~\cite{pixis}~\cite{proggen-rop}
 \begin{figure}[h]
   \centering
   \includegraphics[width=0.95\textwidth]{requirementstackmemory.png}

refs.bib

@@ -1,2 +1,22 @@
-@misc{pixis, title={Rop - Return Oriented Programming}, url={https://en.hackndo.com/return-oriented-programming/}, journal={hackndo}, publisher={Pixis}, author={Pixis}, year={2016}, month={Oct}}
-@misc{el-sherei, title={Return oriented programming (ROP FTW) - exploit-db.com}, url={https://www.exploit-db.com/docs/english/28479-return-oriented-programming-(rop-ftw).pdf}, journal={Return-Oriented-Programming (ROP FTW)}, author={El-Sherei, Saif}} 
+@misc{pixis, title={Rop - Return Oriented Programming}, howpublished="\url{https://en.hackndo.com/return-oriented-programming/}", journal={hackndo}, publisher={Pixis}, author={Pixis}, year={2016}, month={Oct}}
+@misc{el-sherei, title={Return oriented programming (ROP FTW) - exploit-db.com}, howpublished="\url{https://www.exploit-db.com/docs/english/28479-return-oriented-programming-(rop-ftw).pdf}", journal={Return-Oriented-Programming (ROP FTW)}, author={El-Sherei, Saif}}
+@misc{proggen-rop, title={Return-oriented Programming (ROP)}, howpublished="\url{https://www.proggen.org/doku.php?id=security%3Amemory-corruption%3Aexploitation%3Arop}", journal={Return-oriented Programming (ROP) - Raum für Ideen}} 
+@article{ropsla,
+author = {Roemer, Ryan and Buchanan, Erik and Shacham, Hovav and Savage, Stefan},
+title = {Return-Oriented Programming: Systems, Languages, and Applications},
+year = {2012},
+issue_date = {March 2012},
+publisher = {Association for Computing Machinery},
+address = {New York, NY, USA},
+volume = {15},
+number = {1},
+issn = {1094-9224},
+url = {https://doi.org/10.1145/2133375.2133377},
+doi = {10.1145/2133375.2133377},
+abstract = {We introduce return-oriented programming, a technique by which an attacker can induce arbitrary behavior in a program whose control flow he has diverted, without injecting any code. A return-oriented program chains together short instruction sequences already present in a program’s address space, each of which ends in a “return” instruction.Return-oriented programming defeats the W⊕X protections recently deployed by Microsoft, Intel, and AMD; in this context, it can be seen as a generalization of traditional return-into-libc attacks. But the threat is more general. Return-oriented programming is readily exploitable on multiple architectures and systems. It also bypasses an entire category of security measures---those that seek to prevent malicious computation by preventing the execution of malicious code.To demonstrate the wide applicability of return-oriented programming, we construct a Turing-complete set of building blocks called gadgets using the standard C libraries of two very different architectures: Linux/x86 and Solaris/SPARC. To demonstrate the power of return-oriented programming, we present a high-level, general-purpose language for describing return-oriented exploits and a compiler that translates it to gadgets.},
+journal = {ACM Trans. Inf. Syst. Secur.},
+month = {mar},
+articleno = {2},
+numpages = {34},
+keywords = {control flow integrity, return-into-libc, Return-oriented programming, attacks, RISC, W-xor-X, SPARC, memory safety, x86, NX}
+}