A Method for Analyzing Code-Reuse Attacks
Programming and Computer Software (IF 0.7), Pub Date: 2020-01-14, DOI: 10.1134/s0361768819080061
A. V. Vishnyakov , A. R. Nurmukhametov , Sh. F. Kurmangaleev , S. S. Gaisaryan

Abstract

Nowadays, ensuring software security is of paramount importance. Software failures can have significant consequences, and malicious vulnerability exploitation can inflict immense losses. Large corporations pay particular attention to the investigation of computer security incidents. Code-reuse attacks based on return-oriented programming (ROP) are gaining popularity each year and can bypass even modern operating system protection mechanisms. Unlike ordinary shellcode, where instructions are placed sequentially in memory, a ROP chain consists of multiple small instruction blocks (called gadgets) and uses the stack to chain them together, which makes ROP exploits harder to analyze. The main goal of this work is to simplify reverse engineering of ROP exploits. We propose a method for analyzing code-reuse attacks that splits the chain into gadgets, restores the semantics of each gadget, and restores the prototypes and parameter values of the system calls and functions invoked during execution of the ROP chain. The semantics of each gadget is determined by its parameterized type. Each gadget type is defined by a postcondition (a Boolean predicate) that must always be true after the gadget executes. The proposed method was implemented as a software tool and tested on real-world ROP exploits found on the Internet.
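To make the abstract's idea of postcondition-defined, parameterized gadget types concrete, the following is an added Python illustration; it is not the authors' tool, whose implementation the abstract does not describe. It models a toy x86-64-like machine with pop/mov/add/ret micro-ops, assigns each gadget the candidate types (LoadConst, MoveReg, Add) whose postcondition holds on every random start state, then walks a constructed chain: splitting it into gadgets, typing each one, and reading the arguments of each known function from the System V argument registers. The gadget addresses, the function/prototype table, the "/bin/sh" address and the use of random testing as a stand-in for "always true" are all assumptions of this example.

```python
"""Added example: typing ROP gadgets by postconditions and walking a chain.

Not the authors' tool. Toy machine, constructed addresses, assumed conventions.
"""
import random
from typing import Dict, List, Tuple

REGS = ["rax", "rbx", "rdi", "rsi", "rdx"]
ARG_REGS = ["rdi", "rsi", "rdx"]   # assumed SysV-style argument registers
MASK = (1 << 64) - 1
Gadget = List[Tuple]               # e.g. [("pop", "rdi"), ("ret",)]


def run(gadget: Gadget, regs: Dict[str, int], stack: List[int], sp: int):
    """Execute one gadget concretely; return (regs_out, sp_out, next_pc or None)."""
    r = dict(regs)
    for op in gadget:
        if op[0] == "pop":             # pop reg: consume one stack slot
            r[op[1]] = stack[sp]
            sp += 1
        elif op[0] == "mov":           # mov dst, src
            r[op[1]] = r[op[2]]
        elif op[0] == "add":           # add dst, src with 64-bit wraparound
            r[op[1]] = (r[op[1]] + r[op[2]]) & MASK
        elif op[0] == "ret":           # ret: the next slot becomes the new pc
            if sp >= len(stack):
                return r, sp, None
            return r, sp + 1, stack[sp]
    raise ValueError("gadget does not end in ret")


def candidate_types(gadget: Gadget):
    """Yield (label, postcondition) for every parameterised type instance.

    A postcondition takes (regs_in, stack_in, regs_out); stack_in[k] is the
    k-th slot above the entry stack pointer."""
    slots = sum(1 for op in gadget if op[0] == "pop")   # slots consumed before ret
    for dst in REGS:
        for k in range(slots):
            yield (f"LoadConst({dst}, stack[sp+{k}])",
                   lambda i, s, o, d=dst, k=k: o[d] == s[k])
        for src in REGS:
            if src == dst:
                continue
            yield (f"MoveReg({dst} <- {src})",
                   lambda i, s, o, d=dst, x=src: o[d] == i[x])
            yield (f"Add({dst} += {src})",
                   lambda i, s, o, d=dst, x=src: o[d] == (i[d] + i[x]) & MASK)


def classify(gadget: Gadget, trials: int = 16, seed: int = 1) -> List[str]:
    """Keep the types whose postcondition held on every random start state.

    Random testing only approximates "must always be true"; a real analyzer
    would check the predicate symbolically (assumption of this example)."""
    rng = random.Random(seed)
    slots = sum(1 for op in gadget if op[0] == "pop")
    found = []
    for label, post in candidate_types(gadget):
        holds = True
        for _ in range(trials):
            regs_in = {r: rng.getrandbits(64) for r in REGS}
            stack_in = [rng.getrandbits(64) for _ in range(slots + 1)]
            regs_out, _, _ = run(gadget, regs_in, stack_in, 0)
            if not post(regs_in, stack_in, regs_out):
                holds = False
                break
        if holds:
            found.append(label)
    return found


def analyze_chain(stack: List[int], gadgets: dict, functions: dict):
    """Split a stack image into gadgets and calls; record types and arguments."""
    regs = {r: 0 for r in REGS}
    trace, pc, sp = [], stack[0], 1
    while pc is not None:
        if pc in functions:            # known function: recover its parameter values
            name, params = functions[pc]
            trace.append(("call", name, {p: regs[r] for p, r in zip(params, ARG_REGS)}))
            pc, sp = (stack[sp], sp + 1) if sp < len(stack) else (None, sp)  # callee returns into next slot
        elif pc in gadgets:
            trace.append(("gadget", pc, classify(gadgets[pc])))
            regs, sp, pc = run(gadgets[pc], regs, stack, sp)
        else:
            trace.append(("unknown", pc, []))
            break
    return trace


# Constructed sample: gadget "library", prototype table, chain = system("/bin/sh"); exit(0)
GADGETS = {
    0x401000: [("pop", "rbx"), ("ret",)],
    0x401003: [("mov", "rdi", "rbx"), ("ret",)],
    0x401006: [("pop", "rdi"), ("ret",)],
    0x401009: [("add", "rax", "rbx"), ("ret",)],
}
FUNCTIONS = {0x7f0000001000: ("system", ["command"]),
             0x7f0000002000: ("exit", ["status"])}
BINSH = 0x7f0000009000             # assumed address of a "/bin/sh" string
CHAIN = [0x401000, BINSH, 0x401003, 0x7f0000001000, 0x401006, 0, 0x7f0000002000]

if __name__ == "__main__":
    for entry in analyze_chain(CHAIN, GADGETS, FUNCTIONS):
        print(entry)
```

Running the block prints one trace entry per chain element: the first gadget is typed LoadConst(rbx, stack[sp+0]), the second MoveReg(rdi <- rbx), and the walk reports system(command=BINSH) followed by exit(status=0). The model deliberately covers only register-to-register and constant-load semantics and ignores memory writes, so gadget types that store to or load from memory would need additional postconditions over a modelled memory state.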

