Skip to main content
SpringerLink
Log in

Survey of Methods for Automated Code-Reuse Exploit Generation

  • Published:
Programming and Computer Software Aims and scope Submit manuscript

Abstract

This paper provides a survey of methods and tools for automated code-reuse exploit generation. Such exploits use code that is already contained in a vulnerable program. The code-reuse approach allows one to exploit vulnerabilities in the presence of operating system protection that prohibits data memory execution. This paper contains a description of various code-reuse methods: return-to-libc attack, return-oriented programming, jump-oriented programming, and others. We define fundamental terms: gadget, gadget frame, gadget catalog. Moreover, we show that, in fact, a gadget is an instruction, and a set of gadgets defines a virtual machine. We can reduce an exploit creation problem to code generation for this virtual machine. Each particular executable file defines a virtual machine instruction set. We provide a survey of methods for gadgets searching and determining their semantics (creating a gadget catalog). These methods allow one to get the virtual machine instruction set. If a set of gadgets is Turing-complete, then a compiler can use a gadget catalog as a target architecture. However, some instructions can be absent. Hence we discuss several approaches to replace missing instructions with multiple gadgets. An exploit generation tool can chain gadgets by pattern searching (regular expressions) or considering gadgets semantics. Furthermore, some chaining methods use genetic algorithms, while others use SMT-solvers. We compare existing open-source tools and propose a testing system rop-benchmark that can be used to verify whether a generated chain successfully opens a shell.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.
Fig. 7.
Fig. 8.
Fig. 9.
Fig. 10.

Similar content being viewed by others

Notes

  1. Hereafter, we will use Intel syntax for x86 assembler.

REFERENCES

  1. The Heartbleed bug. http://heartbleed.com.

  2. Halperin, D., Heydt-Benjamin, T.S., Ransford, B., Clark, S.S., Defend, B., Morgan, W., Fu, K., Kohno, T., and Maisel, W.H., Pacemakers and implantable cardiac defibrillators: software radio attacks and zero-power defenses, Proc. 2008 IEEE Symp. on Security and Privacy (sp 2008), Red Hook, NY: Curran Assoc., 2008, pp. 129–142. https://doi.org/10.1109/SP.2008.31

  3. CWE-2020, CWE top 25 most dangerous software weaknesses. https://cwe.mitre.org/top25/archive/2020/2020_cwe_ top25.html.

  4. Peslyak, A., Getting around non-executable stack (and fix), 1997. https://seclists.org/bugtraq/1997/Aug/63.

  5. Shacham, H., The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86), Proc. 14th ACM Conf. on Computer and Communications Security (CCS ’07), Alexandria, Virginia, USA, New York, NY: Assoc. Comput. Mach., 2007, pp. 552–561. https://doi.org/10.1145/1315245.1315313

  6. Schwartz, E.J., Avgerinos, T., and Brumley, D., Q: Exploit hardening made easy, Proc. 20th USENIX Conf. on Security (SEC’11), San Francisco, CA, Berkeley, CA:USENIX Assoc., 2011. https://www.usenix.org/ legacy/event/sec11/tech/full_papers/Schwartz.pdf.

    Google Scholar 

  7. Roemer, R., Buchanan, E., Shacham, H., and Savage, S., Return-oriented programming: Systems, languages, and applications, ACM Trans. Inf. Syst. Secur., 2012, vol. 15, no. 1, 1–36. https://doi.org/10.1145/2133375.2133377

    Article  Google Scholar 

  8. Kornau, T., Return oriented programming for the ARM architecture, MSc Thesis, Bochum: Ruhr-Univ., 2009. https://bxi.es/Reversing-Exploiting/ROP/ Return%20Oriented%20Programming % 20for%20ARM.pdf.

  9. Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., and Winandy, M., Return-oriented programming without returns, Proc. 17th ACM Conf. on Computer and Communications Security (CCS’10), Chicago, IL, New York, NY: Assoc. Comput. Mach., 2010, pp. 559–572. https://doi.org/10.1145/1866307.1866370

  10. Davi, L., Dmitrienko, A., Sadeghi, A.-R., and Winandy, M., Return-Oriented Programming without Returns on ARM: Technical Report HGI-TR-2010-002, Bochum: Horst Gortz Inst. IT Secur., 2010. https://www.ei.ruhr-uni-bochum.de/media/trust/ veroeffentlichungen/2010/07/21/ROP-without-Returns-on-ARM.pdf.

    Google Scholar 

  11. Huang, Z.-S. and Harris, I.G., Return-oriented vulnerabilities in ARM executables, Proc. 2012 IEEE Conf. on Technologies for Homeland Security (HST), Red Hook, NY: Curran Assoc., 2012, pp. 1–6. https://doi.org/10.1109/THS.2012.6459817

  12. Fraser, O.L., Zincir-Heywood, N., Heywood, M., and Jacobs, J.T., Return-oriented programme evolution with ROPER: a proof of concept, Proc. Genetic and Evolutionary Computation Conf. Companion (GECCO ’17), New York, NY: Assoc. Comput. Mach., 2017, pp. 1447–1454. https://doi.org/10.1145/3067695.3082508

  13. Buchanan, E., Roemer, R., Shacham, H., and Savage, S., When good instructions go bad: Generalizing return-oriented programming to RISC, Proc. 15th ACM Conf. on Computer and Communications Security (CCS’08), Alexandria, Virginia, USA, New York, NY: Assoc. Comput. Mach., 2008, pp. 27–38. https://doi.org/10.1145/1455770.1455776

  14. Francillon, A. and Castelluccia, C., Code injection attacks on harvard-architecture devices, Proc. 15th ACM Conf. on Computer and Communications Security (CCS’08), Alexandria, Virginia, USA, New York, NY: Assoc. Comput. Mach., 2008, pp. 15–26. https://doi.org/10.1145/1455770.1455775.

  15. Lindner, F., Cisco IOS router exploitation, in Black Hat, 2009. https://www.blackhat.com/presentations/ bh-usa-09/LINDNER/BHUSA09-Lindner-RouterExploit-PAPER.pdf.

  16. Checkoway, S., Feldman, A.J., Kantor, B., Halderman, J.A., Felten, E.W., and Shacham, H., Can DREs provide long-lasting security? The case of return-oriented programming and the AVC advantage, Proc. 2009 Conf. on Electronic Voting Technology/Workshop on Trustworthy Elections (EVT/WOTE’09), Montreal, Canada, Berkeley, CA: USENIX Assoc., 2009. https://www.usenix.org/legacy/event/evtwote09/tech /full_papers/checkoway.pdf.

    Google Scholar 

  17. Bletsch, T., Jiang, X., Freeh, V.W., and Liang, Z., Jump-oriented programming: a new class of code-reuse attack, Proc. 6th ACM Symp. on Information, Computer and Communications Security (ASIACCS ’11), Hong Kong, China, New York, NY: Assoc. Comput. Mach., 2011, pp. 30–40. https://doi.org/10.1145/1966913.1966919

  18. Chen, P., Xing, X., Mao, B., Xie, L., Shen, X., and Yin, X., Automatic construction of jump-oriented programming shellcode (on the x86), Proc. 6th ACM Symp. on Information, Computer and Communications Security (ASIACCS’11), Hong Kong, China, New York, NY: Assoc. Comput. Mach., 2011, pp. 20–29. https://doi.org/10.1145/1966913.1966918

  19. Sadeghi, A., Niksefat, S., and Rostamipour, M., Pure-call oriented programming (PCOP): chaining the gadgets using call instructions, J. Comput. Virol. Hacking Techn., 2018, vol. 14, no. 2, pp. 139–156. https://doi.org/10.1007/s11416-017-0299-1

    Article  Google Scholar 

  20. Lu, K., Xiong, S., and Gao, D., RopSteg: Program steganography with return oriented programming, Proc. 4th ACM Conf. on Data and Application Security and Privacy (CODASPY’14), New York, NY: Assoc. Comput. Mach., 2014, pp. 265–272. https://doi.org/10.1145/2557547.2557572

  21. Ntantogian, C., Poulios, G., Karopoulos, G., and Xenakis, C., Transforming malicious code to ROP gadgets for antivirus evasion, IET Inf. Secur., 2019, vol. 13, no. 6, pp. 570–578. https://doi.org/10.1049/iet-ifs.2018.5386

    Article  Google Scholar 

  22. Mu, D., Guo, J., Ding, W., Wang, Z., Mao, B., and Shi, L., ROPOB: obfuscating binary code via return oriented programming, in Security and Privacy in Communication Networks, Cham: Springer-Verlag, 2018, pp. 721–737. https://doi.org/10.1007/978-3-319-78813-5_38

  23. Bosman, E. and Bos, H., Framing signals—a return to portable shellcode, Proc. 2014 IEEE Symp. on Security and Privacy, Red Hook, NY: Curran Assoc., 2014, pp. 243–258. https://doi.org/10.1109/SP.2014.23

  24. Borrello, P., Coppa, E., D’Elia, D.C., and Demetrescu, C., The ROP needle: hiding trigger-based injection vectors via code reuse, Proc. 34th ACM/SIGAPP Symp. on Applied Computing (SAC’19), Limassol, Cyprus, New York, NY: Assoc. Comput. Mach., 2019, pp. 1962–1970. https://doi.org/10.1145/3297280.3297472

  25. Hund, R., Holz, T., and Freiling, F.C., Return-oriented rootkits: bypassing kernel code integrity protection mechanisms, Proc. 18th Conf. on USENIX Security Symp. (SSYM’09), Montreal, Canada, Berkeley, CA: USENIX Assoc., 2009, pp. 383–398. https://www.usenix.org/legacy/events/sec09/tech/ full_papers/hund.pdf.

    Google Scholar 

  26. Quynh, N.A., OptiROP: hunting for ROP gadgets in style, 2013. https://media.blackhat.com/us-13/US-13-Quynh-OptiROP-Hunting-for-ROP-Gadgets-in-Style-Slides.pdf.

  27. Ding, W., Xing, X., Chen, P., Xin, Z., and Mao, B., Automatic construction of printable return-oriented programming payload, Proc. 2014 9th Int. Conf. on Malicious and Unwanted Software “The Americas” (MALWARE), Washington, DC: IEEE Comput. Soc., 2014, pp. 18–25. https://doi.org/10.1109/MALWARE.2014.6999408

  28. Y. Ouyang, Q. Wang, J. Peng, and J. Zeng, An advanced automatic construction method of ROP, Wuhan Univ. J. Nat. Sci., 2015, vol. 20, no. 2, pp. 119–128. https://doi.org/10.1007/s11859-015-1069-x

    Article  MathSciNet  Google Scholar 

  29. Follner, A., Bartel, A., Peng, H., Chang, Y.-C., Ispoglou, K., Payer, M., and Bodden, E., PSHAPE: automatically combining gadgets for arbitrary method execution, Proc. 12th Int. Workshop Security and Trust Management (STM’2016), Heraklion, Crete, Greece, September 26–27, 2016, Cham: Springer-Verlag, 2016, pp. 212–228. https://doi.org/10.1007/978-3-319-46598-2_15.

  30. Milanov, B., ROPGenerator: practical automated ROP-chain generation, 2018. https://youtu.be/rz7Z9fBLVs0.

  31. Mosier, N. and Johnson, P., ROP with a 2nd stack, 2019. http://www.cs.middlebury.edu/~nmosier/portfolio /rsrc/ropc-slides.pdf.

  32. Follner, A., Bartel, A., Peng, H., Chang, Y.-C., Ispoglou, K., Payer, M., and Bodden, E., PSHAPE-practical support for half-automated program exploitation. https://github.com/Alexandre-Bartel/inspector-gadget.

  33. Fraser, O.L., ROPER: a genetic ROP-chain development tool. https://github.com/oblivia-simplex/roper.

  34. mona.py, Corelan Consulting BVBA. https://github.com/corelan/mona.

  35. Salwan, J., ROPgadget tool. https://github.com/JonathanSalwan/ROPgadget.

  36. Milanov, B., ROPium. https://github.com/Boyan-MILANOV/ropium.

  37. Salls, C., angrop. https: //github.com/salls/angrop.

  38. Schirra, S., Ropper. https://github.com/sashs/ropper.

  39. Paul, ROPC. https://github.com/pakt/ropc.

  40. ropc-llvm, Program STIC. https://github.com/programa-stic/ropc-llvm.

  41. Stewart, J., An open source, multiarchitecture ROP compiler. https://github.com/jeffball55/rop_compiler.

  42. SQLab, SQLab ROP payload generation. https://github.com/SQLab/ropchain.

  43. Gautham, A.V. and Singh, S., ROPilicious. https://github.com/ROPilicious/src.

  44. d4em0n, Exrop. https: //github.com/d4em0n/exrop.

  45. Nurmukhametov, A. and Vishnyakov, A., ROP benchmark. https://github.com/ispras/rop-benchmark.

  46. W^X now mandatory in OpenBSD, 2016. https://undeadly.org/cgi?action=article&sid= 20160527203200.

  47. A detailed description of the data execution prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC edition 2005, and Windows Server 2003. https://support.microsoft.com/kb/875352/EN-US/.

  48. van de Ven, A., New security enhancements in Red Hat Enterprise Linux v.3, update 3, 2004. https://static.redhat.com/legacy/f/pdf/rhel/ WHP0006US_Execshield.pdf.

  49. Tanenbaum, A.S. and Bos, H., Buffer overflow attacks, in Modern Operating Systems, 4th ed., London: Pearson, 2015, ch. 9.6.1, pp. 640–649. ISBN 978-0133591620

    Google Scholar 

  50. CWE-123: Write-what-where condition. https://cwe.mitre.org/data/definitions/123.html.

  51. Spengler, B., PaX: The guaranteed end of arbitrary code execution. https://grsecurity.net/PaX-presentation.pdf.

  52. Bhatkar, S., DuVarney, D.C., and Sekar, R., Address obfuscation: An efficient approach to combat a broad range of memory error exploits, Proc. 12th USENIX Security Symp., Washington, DC, August 4–8, 2003, Berkeley, CA: USENIX Assoc., 2003, vol. 12, no. 2, pp. 291–301. https://www.usenix.org/legacy/event/sec03/tech/full_ papers/bhatkar/bhatkar.pdf.

  53. Fedotov, A.N., Padaryan, V.A., Kaushan, V.V., Kurmangaleev, S.F., Vishnyakov, A.V., and Nurmukhametov, A.R., Software defect severity estimation in presence of modern defense mechanisms, Proc. Inst. Syst. Program., Russ. Acad. Sci., 2016, vol. 28, no. 5, pp. 73–92. https://doi.org/10.15514/ISPRAS-2016-28(5)-4

    Article  Google Scholar 

  54. Procedure Linkage Table (processor-specific). https://docs.oracle.com/cd/E23824_01/html/819-0690/chapter6-1235.html.

  55. Salwan, J., An introduction to the return oriented programming and ROP-chain generation, 2014. http://shell-storm.org/talks/ROP_course_lecture_jonathan_salwan_2014.pdf.

  56. Dullien, T.F., Weird machines, exploitability, and provable unexploitability, IEEE Trans. Emerg. Topics Comput., 2018, vol. 8, no. 2, pp. 391–403. https://doi.org/10.1109/TETC.2017.2785299

    Article  Google Scholar 

  57. Graziano, M., Balzarotti, D., and Zidouemba, A., ROPMEMU: A framework for the analysis of complex code-reuse attacks, Proc. 11th ACM on Asia Conf. on Computer and Communications Security (ASIA CCS’16), New York, NY: Assoc. Comput. Mach., 2016, pp. 47–58. https://doi.org/10.1145/2897845.2897894

  58. Schwartz, E.J., Avgerinos, T., and Brumley, D., Update on Q: Exploit hardening made easy, 2012. https://edmcman.github.io/papers/usenix11-update.pdf.

  59. Weidler, N.R., Brown, D., Mitchell, S.A., Anderson, J., Williams, J.R., Costley, A., Kunz, C., Wilkinson, C., Wehbe, R., and Gerdes, R., Return-oriented programming on a resource constrained device, Sustainable Comput.: Inf. Syst., 2019, vol. 22, pp. 244–256. ISSN 2210-5379. https://doi.org/10.1016/j.suscom.2018.10.002

  60. Vishnyakov, A.V., Nurmukhametov, A.R., Kurmangaleev, S.F., and Gaisaryan, S.S., A method for analyzing code-reuse attacks, Program. Comput. Software, 2019, vol. 45, pp. 473–484. https://doi.org/10.1134/S0361768819080061

    Article  Google Scholar 

  61. Roglia, G.F., Martignoni, L., Paleari, R., and Bruschi, D., Surgically returning to randomized lib(c), Proc. 2009 Annual Computer Security Applications Conf., Red Hook, NY: Curran Assoc., 2009, pp. 60–69. https://doi.org/10.1109/ACSAC.2009.16

  62. PE format-Import Address Table. https://docs.microsoft.com/en-us/windows/win32/ debug/pe-format#import-address-table.

  63. ld.so(8)-Linux manual page. http://man7.org/linux/man-pages/man8/ld.so.8.html.

  64. Kirsch, J., Bierbaumer, B., Kittel, T., and Eckert, C., Dynamic loader oriented programming on Linux, Proc. 1st Reversing and Offensive-oriented Trends Symp. (ROOTS), Vienna, Austria, New York, NY: Assoc. Comput. Mach., 2017, pp. 1–13. https://doi.org/10.1145/3150376.3150381

  65. Ward, B.C., Skowyra, R., Spensky, C., Martin, J., and Okhravi, H., The leakage-resilience dilemma, Proc. 24th European Symp. on Research in Computer Security “Computer Security—ESORICS 2019,” Luxembourg, September 23–27, 2019, Cham: Springer-Verlag, 2019, pp. 87–106. https://doi.org/10.1007/978-3-030-29959-0_5

  66. Dai Zovi, D., Practical return-oriented programming, SOURCE Boston, 2010. https://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf.

  67. Cowan, C., Pu, C., Maier, D., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q., and Hinton, H., Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks, Proc. 7th USENIX Security Symp. San Antonio, Texas, January 26–29, 1998, Berkeley, CA: USENIX Assoc., 1998, vol. 98, pp. 63–78. https://www.usenix.org/legacy/publications/library/ proceedings/sec98/full_papers/cowan/cowan.pdf.

  68. mprotect(2)-Linux manual page. http://man7.org/linux/manpages/man2/mprotect.2.html.

  69. VirtualProtect function. https://docs.microsoft.com/ en-us/windows/desktop/api/memoryapi/nf-memoryapi-virtualprotect.

  70. van Eeckhoutte, P., Exploit writing tutorial part 10: chaining DEP with ROP—the Rubik’s™ cube, 2010. https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorialpart-10-chaining-dep-with-rop-therubikstm-cube/.

  71. Bittau, A., Belay, A., Mashtizadeh, A., Mazières, D., and Boneh, D., Hacking blind, Proc. 2014 IEEE Symp. on Security and Privacy (SP’14), Washington, DC: IEEE Comput. Soc., 2014, pp. 227–242. https://doi.org/10.1109/SP.2014.22

  72. Snow, K.Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., and Sadeghi, A.-R., Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization, Proc. 2013 IEEE Symp. on Security and Privacy (SP’13), Washington, DC: IEEE Comput. Soc., 2013, pp. 574–588. https://doi.org/10.1109/SP.2013.45

  73. Nurmukhametov, A.R., Zhabotinskiy, E.A., Kurmangaleev, S.F., Gaissaryan, S.S., and Vishnyakov A.V., Fine-grained address space layout randomization on program load, Program. Comput. Software, 2018, vol. 44, no. 5, pp. 363–370. https://doi.org/10.1134/S0361768818050080

    Article  Google Scholar 

  74. Göktas, E., Kollenda, B., Koppe, P., Bosman, E., Portokalidis, G., Holz, T., Bos, H., and Giuffrida, C., Position-independent code reuse: On the effectiveness of ASLR in the absence of information disclosure, Proc. 2018 IEEE European Symp. on Security and Privacy (EuroSP), Washington, DC: IEEE Comput. Soc., 2018, pp. 227–242. https://doi.org/10.1109/EuroSP.2018.00024

  75. Burow, N., Carr, S.A., Nash, J., Larsen, P., Franz, M., Brunthaler, S., and Payer, M., Control-flow integrity: precision, security, and performance, ACM Comput. Surv., 2017, vol. 50, no. 1, pp. 16:1–16:33. https://doi.org/10.1145/3054924

  76. Carlini, N. and Wagner, D., ROP is still dangerous: breaking modern defenses, Proc. 23rd USENIX Security Symp., San Diego, CA, August 20–22, 2014, Berkeley, CA: USENIX Assoc., 2014, pp. 385–399. https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-carlini.pdf.

  77. Tran, M., Etheridge, M., Bletsch, T., Jiang, X., Freeh, V., and Ning, P., On the expressiveness of return-into-libc attacks, Proc. 14th Int. Symp. Recent Advances in Intrusion Detection (RAID 2011), Menlo Park, CA, USA, September 20–21, 2011, Berlin: Springer-Verlag, 2011, pp. 121–141. https://doi.org/10.1007/978-3-642-23644-0_7

  78. Lan, B., Li, Y., Sun, H., Su, C., Liu, Y., and Zeng, Q., Loop-oriented programming: a new code reuse attack to bypass modern defenses, Proc. 2015 IEEE Trustcom/BigDataSE/ISPA (TRUSTCOM’15), Washington, DC: IEEE Comput. Soc., 2015, vol. 1, pp. 190–197. https://doi.org/10.1109/Trustcom.2015.374

    Article  Google Scholar 

  79. Davi, L., Sadeghi, A.-R., Lehmann, D., and Monrose, F., Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection, Proc. 23rd USENIX Security Symp., San Diego, CA, August 20–22, 2014, Berkeley, CA: USENIX Assoc., 2014, pp. 401–416. https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-davi.pdf.

  80. Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.-R., and Holz, T., Counterfeit object-oriented programming: on the difficulty of preventing code reuse attacks in C++ applications, Proc. 2015 IEEE Symp. on Security and Privacy (SP’15), Washington, DC: IEEE Comput. Soc., 2015, pp. 745–762. https://doi.org/10.1109/SP.2015.51

  81. Wang, C., Chen, B., Liu, Y., and Wu, H., Layered object-oriented programming: advanced VTable reuse attacks on binary-level defense, IEEE Trans. Inf. Forensics Secur., vol. 14, no. 3, pp. 693–708, 2019. https://doi.org/10.1109/TIFS.2018.2855648

    Article  Google Scholar 

  82. Guo, Y., Chen, L., and Shi, G., Function-oriented programming: a new class of code reuse attack in C applications, Proc. 6th Annual IEEE CNS Conf. on Communications and Network Security, Piscataway, NJ: Inst. Electr. Electron. Eng., 2018, pp. 1–9. https://doi.org/10.1109/CNS.2018.8433189

  83. Chen, S., Xu, J., Sezer, E.C., Gauriar, P., and Iyer, R.K., Non-control-data attacks are realistic threats, Proc. 14th Conf. on USENIX Security Symp. (SSYM’05), Berkeley, CA: USENIX Assoc., 2005, vol. 14, pp. 177–192. http://static.usenix.org/event/sec05/tech/full_papers /chen/chen.pdf.

    Google Scholar 

  84. Hu, H., Chua, Z.L., Adrian, S., Saxena, P., and Liang, Z., Automatic generation of dataoriented exploits, Proc. 24th USENIX Conf. on Security Symp. (SEC’15), Berkeley, CA: USENIX Assoc., 2015, pp. 177–192. https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-hu.pdf.

    Google Scholar 

  85. Hu, H., Shinde, S., Adrian, S., Chua, Z.L., Saxena, P., and Liang, Z., Data-oriented programming: on the expressiveness of noncontrol data attacks, Proc. 2016 IEEE Symp. on Security and Privacy (SP’16), Washington, DC: IEEE Comput. Soc., 2016, pp. 969–986. https://doi.org/10.1109/SP.2016.62.

  86. Pewny, J., Koppe, P., and Holz, T., STEROIDS for DOPed applications: a compiler for automated data-oriented programming, Proc. 2019 IEEE European Symp. on Security and Privacy Workshops (EuroS&PW), Red Hook, NY: Curran Assoc., 2019, pp. 111–126. https://doi.org/10.1109/EuroSP.2019.00018.

  87. Ispoglou, K.K., AlBassam, B., Jaeger, T., and Payer, M., Block oriented programming: Automating data-only attacks, Proc. 2018 ACM SIGSAC Conf. on Computer and Communications Security (CCS’18), Toronto, Canada, New York, NY: Assoc. Comput. Mach., 2018, pp. 1868–1882. https://doi.org/10.1145/3243734.3243739

  88. Avgerinos, T., Cha, S.K., Hao, B.L.T., and Brumley, D., AEG: automatic exploit generation, Commun. ACM, 2011, vol. 57, no. 2, pp. 283–300. http://security.ece.cmu.edu/aeg/aeg-current.pdf.

    Google Scholar 

  89. Cha, S.K., Avgerinos, T., Rebert, A., and Brumley, D., Unleashing Mayhem on binary code, Proc. 2012 IEEE Symp. on Security and Privacy, Red Hook, NY: Curran Assoc., 2012, pp. 380–394. https://doi.org/10.1109/SP.2012.31

  90. Padaryan, V.A., Kaushan, V.V., and Fedotov, A.N., Automated exploit generation for stack buffer overflow vulnerabilities, Program. Comput. Software, 2015, vol. 41, no. 6, pp. 373–380. https://doi.org/10.1134/S0361768815060055

    Article  Google Scholar 

  91. Shoshitaishvili, Y., Wang, R., Salls, C., Stephens, N., Polino, M., Dutcher, A., Grosen, J., Feng, S., Hauser C., Kruegel, C., and Vigna, G., SOK: (state of) the art of war: Offensive techniques in binary analysis, Proc. 2016 IEEE Symp. on Security and Privacy (SP), Red Hook, NY: Curran Assoc., 2016, pp. 138–157. https://doi.org/10.1109/SP.2016.17

  92. King, J.C., Symbolic execution and program testing, Commun. ACM, 1976, vol. 19, no. 7, pp. 385–394. https://doi.org/10.1145/360248.360252

    Article  MathSciNet  MATH  Google Scholar 

  93. Schwartz, E.J., Avgerinos, T., and Brumley, D., All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask), Proc. 2010 IEEE Symp. on Security and Privacy, Red Hook, NY: Curran Assoc., 2010, pp. 317–331. https://doi.org/10.1109/SP.2010.26

  94. Godefroid, P., Levin, M.Y., and Molnar, D.A., Automated whitebox fuzz testing, Proc. 15th Network and Distributed System Security Symp. (NDSS'2008), San Diego, California, USA, Reston, VA: Internet Soc., 2008, vol. 8, pp. 151–166. https://www.microsoft.com/en-us/research/publication/automatedwhitebox-fuzz-testing/.

    Google Scholar 

  95. Homescu, A., Stewart, M., Larsen, P., Brunthaler, S., and Franz, M., Microgadgets: size does matter in turing-complete returnoriented programming, Proc. 6th USENIX Workshop on Offensive Technologies (WOOT’12), Berkeley, CA: USENIX Assoc., 2012. https://www.usenix.org/system/files/conference/woot12 /woot12-final9.pdf.

    Google Scholar 

  96. BARF: binary analysis and reverse engineering framework, Program STIC. https://github.com/programa-stic/barf-project.

  97. Heffner, C., MIPS ROP IDA plug-in. https://github.com/devttys0/ida/tree/master/plugins/ mipsrop.

  98. Mosier, N., A pair of return-oriented programming utilities: a gadget finder and ROP compiler. https://github.com/nmosier/rop-tools.

  99. lucasg, ROP database plug-in for IDA. https://github.com/lucasg/idarop.

  100. Jager, I. and Brumley, D., Efficient Directionless Weakest Preconditions: Technical Report CMU-CyLab-10-002, Pittsburgh, PA: Carnegie Mellon Univ., 2010. http://security.ece.cmu.edu/pubs/CMUCyLab10002. pdf.

    Google Scholar 

  101. Nethercote, N. and Seward, J., Valgrind: a framework for heavyweight dynamic binary instrumentation, Proc. 28th ACM SIGPLAN Conf. on Programming Language Design and Implementation (PLDI’07), New York, NY: Assoc. Comput. Mach., 2007, pp. 89–100. https://doi.org/10.1145/1273442.1250746

  102. Dullien, T. and Porst, S., REIL: a platform-independent intermediate representation of disassembled code for static code analysis, 2009. https://static.googleusercontent.com/media/zynamics.com/en//downloads/ csw09.pdf.

  103. Padaryan, V.A., Soloviev, M.A., and Kononov, A.I., Modeling operational semantics of machine instructions, Proc. Inst. Syst. Program., Russ. Acad. Sci., 2010, vol. 19, pp. 165–186. https://www.ispras.ru/en/proceedings /isp_19_2010/isp_19_2010_165/.

    Google Scholar 

  104. Soloviev, M.A., Bakulin, M.G., Gorbachev, M.S., Manushin, D.V., Padaryan, V.A., and. Panasenko, S.S, Next-generation intermediate representations for binary code analysis, Program. Comput. Software, 2019, vol. 45, pp. 424–437. https://doi.org/10.1134/S0361768819070107

    Article  Google Scholar 

  105. Heitman, C. and Arce, I., BARF: a multiplatform open source binary analysis and reverse engineering framework, XX Congr. Argentino de Ciencias de la Computación, San Justo: Univ. Nac. La Matanza, 2014. http://sedici.unlp.edu.ar/handle/10915/42157.

  106. Vishnyakov, A.V., Semantic verification of linear machine instruction sequence, 2019. https://vishnya.xyz/vishnyakov-coursework2019.pdf.

  107. Vishnyakov, A., Nurmukhametov, A., Kurmangaleev, S., and Gaisaryan, S., Method for analysis of code-reuse attacks—reverse engineering of ROP exploits. https://vishnya.xyz/vishnyakovisprasopen2018.pdf.

  108. Barrett, C., Fontaine, P., and Tinelli, C., The SMT-LIB Standard: Version 2.6, Iowa City, IA: Univ. Iowa, 2017. https://www.SMT-LIB.org.

    Google Scholar 

  109. Dullien, T., Kornau, T., and Weinmann, R.-P., A framework for automated architecture-independent gadget search, 2010. https://www.usenix.org/legacy/ events/woot10/tech/full_papers/Dullien.pdf.

  110. Follner, A., Bartel, A., and Bodden, E., Analyzing the gadgets: towards a metric to measure gadget quality, Proc. 8th Int. Symp. “Engineering Secure Software and Systems” (ESSoS 2016), London, UK, April 6–8, 2016, Cham: Springer-Verlag, 2016, pp. 155–172. https://doi.org/10.1007/978-3-319-30806-7_10

  111. Fraser, O.L., Urschleim in silicon: return oriented program evolution with ROPER, MSc Thesis, Halifax: Dalhouse Univ., 2018. https://dalspace.library.dal.ca/handle/10222/73879.

    Google Scholar 

  112. Dijkstra, E.W., A note on two problems in connexion with graphs, Num. Math., 1959, vol. 1, no. 1, pp. 269–271. ISSN 0945-3245. https://doi.org/10.1007/BF01386390

  113. Saudel, F. and Salwan, J., Triton: a dynamic symbolic execution framework, Symp. sur la Sécurité des Technologies de l’Information et des Communications (SSTIC'2015), Rennes, 2015, pp. 31–54. https://triton.quarkslab.com/files/sstic2015_slide_en _saudel_salwan.pdf.

  114. Aho, A.V., Lam, M.S., Sethi, R., and Ullman, J.D., Compilers: Principles, Techniques, and Tools, 2th ed., Boston: Addison-Wesley, 2006, ch. 6, pp. 563–565.

    MATH  Google Scholar 

  115. Stewart, J. and Dedhia, V., ROP compiler. https://css.csail.mit.edu/6.858/2015/projects/ je25365-ve25411.pdf.

  116. Mortimer, T., Removing ROP gadgets from OpenBSD, Proc. AsiaBSDCon 2018 Conf., Bucharest, 2019, pp. 13–21. https://2019.asiabsdcon.org/proc-body-2019.pdf# page=13.

Download references

Funding

This work was supported by the Russian Foundation for Basic Research, project no. 17-01-00600.

Author information

Authors and Affiliations

  1. Ivannikov Institute for System Programming, Russian Academy of Sciences, 109004, Moscow, Russia

    A. V. Vishnyakov & A. R. Nurmukhametov

Authors
  1. A. V. Vishnyakov
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. A. R. Nurmukhametov
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to A. V. Vishnyakov or A. R. Nurmukhametov.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Vishnyakov, A.V., Nurmukhametov, A.R. Survey of Methods for Automated Code-Reuse Exploit Generation. Program Comput Soft 47, 271–297 (2021). https://doi.org/10.1134/S0361768821040071

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1134/S0361768821040071

Search

Navigation