Paper Reading 3 - A Generic Technique for Automatically Finding Defense-Aware Code Reuse Attacks

One-Sentence Summary

The authors propose Limbo, a framework for automatically discovering defense-aware code-reuse attacks in binary executables. It addresses a key limitation of existing defense-aware attack techniques: each one depends on specific behavior of the attacked program (for example, whether the program happens to contain the gadgets the technique needs), so whether a technique applies to a given program has to be worked out case by case.

Background

Although defenses such as control-flow integrity (CFI) break many code-reuse attacks, attackers can still bypass them, and researchers have developed a variety of defense-aware attack strategies. These strategies have several limitations. Some fail in the presence of defenses such as CFI; some are CFI-aware but complex and limited to a single, hard-coded CFI variant; and others automate one specific defense-aware technique, such as data-oriented programming (DOP), that was originally discovered through manual insight.

Some tools can construct code-reuse attacks:

  • BOPC, a state-of-the-art system for automatically discovering CFI-aware DOP attacks.
  • angrop, a popular ROP automation tool that is part of the angr binary-analysis framework.

Both tools, however, are tied to a single attack technique (ROP for angrop, DOP for BOPC) and to the threat model that technique was designed for, so each new defense or attack style requires new, hand-built tooling. This limits how far they generalize.

Method

The authors reduce the problem of finding a code-reuse attack to software model checking (SMC): starting from the program state in which the vulnerability hands the attacker control (for example, a corrupted return address together with attacker-controlled stack contents), decide whether a goal state is reachable, where a goal state is one in which the attacker's objective is achieved, such as calling a sensitive library function with attacker-chosen arguments. Limbo answers this question with concolic execution, which takes a state and enumerates some of the states reachable from it by executing the program with symbolic input. Limbo applies this step repeatedly to build up the set of states reachable from the vulnerability. As soon as that set contains a goal state, Limbo outputs the discovered attack as an executable test case: a concrete input that drives the program from the vulnerability to the goal state.

Limbo's concolic execution is built on the Mayhem binary concolic executor. The authors describe how pending states are stored, which search heuristics are used to prioritize them, and when those heuristics are evaluated; they also bound the number of symbolic branches that are explored so that the state space stays tractable. To make the search work for code-reuse attacks, they modified parts of Mayhem, in particular its handling of indirect jumps and of symbolic memory. The relevant states for a code-reuse attack are exactly those in which an indirect jump or return has a symbolic, attacker-controlled target, so instead of fixing such a target to a single concrete value the executor must consider a (bounded) set of feasible targets; likewise, memory accessed through attacker-controlled pointers has to be modeled symbolically rather than concretized away.
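The following is an added, constructed illustration of the search described above; it is not Limbo's code and not code from the paper. It replaces Mayhem's concolic execution and constraint solving with a tiny gadget machine in which every attacker-controlled stack word is concretized by enumerating a small candidate domain (the gadget addresses plus the address of a "/bin/sh" string), and it bounds the chain length in the way Limbo bounds symbolic branches. The gadget library, addresses and register names are all assumptions made for the example. It shows the three things the method section describes: the search starts from the vulnerable state, stops the moment a goal state is reached, and outputs the input (here, the stack words) that reaches it. The second run removes the obvious pop rdi gadget and shows that the same generic search still finds a route through rsi, which is the sort of attack a fixed gadget template would miss when little code is available.

```python
"""Toy breadth-first reachability search in the spirit of Limbo's SMC framing.

Added example, not Limbo's or Mayhem's code. All addresses and gadgets are
constructed for illustration; a real implementation runs a concolic executor
over the binary and asks a constraint solver for satisfying inputs."""

from collections import deque

BINSH = 0x7FFFF7F00000   # constructed address of a "/bin/sh" string
SYSTEM = 0x1030          # constructed address of a call to system()

# Constructed gadget library: address -> instruction sequence.
GADGETS = {
    0x1000: [("pop", "rdi"), ("ret",)],
    0x1010: [("pop", "rsi"), ("ret",)],
    0x1020: [("mov", "rdi", "rsi"), ("ret",)],
    SYSTEM: [("call", "system")],
}


def execute(gadgets, chain):
    """Concretely run from the vulnerable return with `chain` as the
    attacker-controlled stack (chain[0] overwrites the return address).

    Returns "goal"  if system() is called with rdi pointing at "/bin/sh",
            "input" if execution needs a stack word the chain does not yet
                    contain (where Limbo would fork on a symbolic value;
                    here the caller enumerates candidates instead), or
            "stuck" if control leaves the modelled code or system() is
                    reached with the wrong argument."""
    regs = {}
    pos = 0                      # index of the next stack word to consume
    while True:
        if pos >= len(chain):
            return "input"       # symbolic return target: fork here
        pc = chain[pos]
        pos += 1
        if pc not in gadgets:
            return "stuck"
        for ins in gadgets[pc]:
            op = ins[0]
            if op == "pop":
                if pos >= len(chain):
                    return "input"   # symbolic popped value: fork here
                regs[ins[1]] = chain[pos]
                pos += 1
            elif op == "mov":
                regs[ins[1]] = regs.get(ins[2])
            elif op == "ret":
                break            # control transfers to the next stack word
            elif op == "call":
                if ins[1] == "system" and regs.get("rdi") == BINSH:
                    return "goal"
                return "stuck"
        else:
            return "stuck"       # gadget ended without a control transfer


def find_attack(gadgets, max_words=6):
    """Breadth-first search over chains starting from the vulnerable state.

    Returns the shortest chain reaching the goal state, or None if no chain
    of at most `max_words` words does (the bound plays the role of Limbo's
    limit on how many symbolic branches are explored)."""
    candidates = sorted(gadgets) + [BINSH]
    queue = deque([[]])          # the empty chain is the vulnerable state
    while queue:
        chain = queue.popleft()
        outcome = execute(gadgets, chain)
        if outcome == "goal":
            return chain         # the chain is the executable test case
        if outcome == "input" and len(chain) < max_words:
            for word in candidates:
                queue.append(chain + [word])
    return None


if __name__ == "__main__":
    print([hex(w) for w in find_attack(GADGETS)])
    # "Little code available": drop the pop rdi gadget and the search finds a
    # longer route through rsi that a fixed pop-rdi template would miss.
    small = {a: g for a, g in GADGETS.items() if a != 0x1000}
    print([hex(w) for w in find_attack(small)])
```

The search is deliberately agnostic about what a gadget "is": it never looks for a pop-ret pattern, only for states from which the goal predicate becomes true, which is why removing a gadget changes the answer rather than breaking the tool.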

Evaluation

Reading Summary

  • What is the novelty?

    • It treats attack finding as software model checking and uses concolic execution to search the reachable state space, rather than hand-crafting attacks around a particular gadget pattern.

    • It not only rediscovers attacks of known types, including ROP, JOP, COP, and DOP, but can also find attacks that do not correspond to any known code-reuse technique.

  • What is the contribution?

    • The authors propose a generic framework for automatically identifying defense-aware code-reuse attacks.

    • They implement the framework in a tool called Limbo and show that an existing binary concolic executor can support it with only a small set of modifications.

    • They show that Limbo outperforms both angrop and BOPC, state-of-the-art tools for automatically constructing ROP and DOP attacks respectively, when little code is available for reuse.