One sentence summary
The authors propose Limbo, a new framework for automatically discovering defense-aware code reuse attacks in executables. It addresses a defect of current defense-aware attack techniques: their feasibility depends heavily on the behavior of the attacked program.
Background
Although defenses such as CFI break many code reuse attacks, there are still avenues to attack them, and researchers have developed a variety of defense-aware strategies for targeting defenses. However, these strategies have several issues. For instance, some fail in the presence of defenses such as CFI; some are aware of CFI but are complex and only target a single, hard-coded CFI variant; and others focus on automating a specific defense-aware technique for constructing code reuse attacks (e.g., DOP) that was manually discovered through human insight.
Related work
There are existing tools for constructing code reuse attacks (CRAs):
- BOPC, which is a state-of-the-art system for automatically discovering CFI-aware DOP attacks.
- angrop, a popular ROP automation tool that is part of the angr binary analysis framework.
However, these methods face challenges that limit how far they can be developed.
Method
The code reuse attack problem can be reduced to a software model checking (SMC) problem. SMC asks whether a program can reach a state that satisfies (or violates) a given property; analogously, a code reuse problem asks whether a goal state can be reached from a vulnerability. The authors use concolic execution, which allows Limbo to take a state and enumerate some of the states reachable from it by executing the program symbolically. Limbo uses this ability to iteratively compute a set of states that are reachable from the vulnerability. As soon as this set contains a goal state, Limbo outputs the discovered attack as an executable test case. The test case contains inputs that, when given to the program, cause it to reach a goal state.
Limbo's concolic execution is built on the Mayhem binary concolic executor and customized in several ways. The authors consider how states are stored, which heuristic is used to prioritize states, and when that heuristic is evaluated. In addition, they limit the number of symbolic branches. Further tweaks to concolic execution modify parts of Mayhem such as indirect jump handling and symbolic memory.
Evaluation
Reading summary
What is the novelty
- Leverages concolic execution.
- Not only rediscovers existing attack techniques (ROP, JOP, COP and DOP), but can also potentially discover attacks that do not correspond to any known code reuse technique.
What is the contribution
- Propose a generic framework for automatically identifying defense-aware code reuse attacks.
- Implement the framework in a tool called Limbo. The authors show how existing binary concolic executors can be leveraged to implement the framework using a small set of modifications.
- Show that Limbo outperforms both angrop and BOPC, state-of-the-art tools for automatically constructing ROP and DOP attacks respectively, when there is little code available for reuse.