TL;DR
This survey reviews methods and tools for automated code-reuse exploit generation, highlighting techniques for gadget discovery, chaining, and virtual machine modeling to bypass OS protections.
Contribution
It provides a comprehensive overview of code-reuse exploit methods, introduces a virtual machine perspective, and compares tools and approaches for gadget search and chaining.
Findings
Gadget sets can be modeled as virtual machines for exploit generation.
Various methods exist for gadget search and semantics determination.
A new testing system, rop-benchmark, is proposed for verifying exploit chains.
Abstract
This paper provides a survey of methods and tools for automated code-reuse exploit generation. Such exploits use code that is already contained in a vulnerable program. The code-reuse approach allows one to exploit vulnerabilities in the presence of operating system protection that prohibits data memory execution. This paper contains a description of various code-reuse methods: return-to-libc attack, return-oriented programming, jump-oriented programming, and others. We define fundamental terms: gadget, gadget frame, gadget catalog. Moreover, we show that, in fact, a gadget is an instruction, and a set of gadgets defines a virtual machine. We can reduce an exploit creation problem to code generation for this virtual machine. Each particular executable file defines a virtual machine instruction set. We provide a survey of methods for gadget searching and determining their semantics…
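The abstract's central modelling claim (a gadget is an instruction, a gadget catalog is a virtual machine, and a chain is a program for that machine whose effect can be checked the way rop-benchmark checks chains) can be made concrete with a small abstract interpreter. The block below is an added illustration, not code from the surveyed paper or from rop-benchmark. Every gadget in it is constructed: the register names `a`, `b`, `c`, the four catalog entries and their semantics are assumptions chosen to keep the model self-contained, and the reading of "gadget frame" as "the stack slots a gadget consumes after its own slot" is our interpretation of the term the abstract defines. No real binary, address or instruction bytes are involved; the point is that once each gadget's effect on abstract state is known, a chain can be simulated and verified against a specification.

```python
"""Toy model of the 'gadget set as a virtual machine' view from the abstract.

Added illustration, not the surveyed paper's or rop-benchmark's code. The
catalog, its semantics and the register names are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Gadget:
    """One 'instruction' of the virtual machine defined by a gadget catalog.

    name       : mnemonic used in a chain (stands in for a code address)
    frame_size : number of stack slots the gadget consumes after its own slot,
                 i.e. the immediates it pops before returning (our reading of
                 the paper's 'gadget frame'; an assumption)
    semantics  : callable(regs, frame) that updates regs in place
    """
    name: str
    frame_size: int
    semantics: Callable[[Dict[str, int], List[int]], None]


MASK64 = 0xFFFFFFFFFFFFFFFF


# Constructed catalog: each entry mimics the effect of a short
# ret-terminated sequence without referring to any real code.
def _load_imm(reg):
    return lambda regs, frame: regs.__setitem__(reg, frame[0] & MASK64)


def _move(dst, src):
    return lambda regs, frame: regs.__setitem__(dst, regs[src])


def _add(dst, src):
    return lambda regs, frame: regs.__setitem__(dst, (regs[dst] + regs[src]) & MASK64)


CATALOG = {
    "load_a": Gadget("load_a", 1, _load_imm("a")),   # like "pop a; ret"
    "load_b": Gadget("load_b", 1, _load_imm("b")),   # like "pop b; ret"
    "b_to_c": Gadget("b_to_c", 0, _move("c", "b")),  # like "mov c, b; ret"
    "add_ab": Gadget("add_ab", 0, _add("a", "b")),   # like "add a, b; ret"
}


def simulate_chain(catalog, stack, regs=None):
    """Interpret a sequence of gadget frames as a program for the catalog's VM.

    `stack` lists the slots as they would sit in memory: a gadget name
    (standing in for its address) followed by the frame_size immediates that
    gadget consumes. Returns the final register state. Raises ValueError on a
    malformed chain (unknown gadget or truncated frame), which is exactly what
    a chain verifier has to report rather than silently accept.
    """
    regs = dict(regs or {"a": 0, "b": 0, "c": 0})
    pc = 0
    while pc < len(stack):
        name = stack[pc]
        gadget = catalog.get(name)
        if gadget is None:
            raise ValueError(f"slot {pc}: {name!r} is not in the catalog")
        frame = stack[pc + 1 : pc + 1 + gadget.frame_size]
        if len(frame) != gadget.frame_size:
            raise ValueError(f"slot {pc}: truncated frame for {name}")
        gadget.semantics(regs, frame)
        pc += 1 + gadget.frame_size
    return regs


def verify_chain(catalog, stack, expected):
    """rop-benchmark-style check: does the chain reach the specified state?

    Returns (ok, final_state). `expected` names only the registers the
    specification cares about; all others are unconstrained.
    """
    final = simulate_chain(catalog, stack)
    ok = all(final.get(reg) == val for reg, val in expected.items())
    return ok, final


if __name__ == "__main__":
    # Constructed chain: a = 40, b = 2, a += b, c = b  ->  a == 42, c == 2
    chain = ["load_a", 40, "load_b", 2, "add_ab", "b_to_c"]
    print(verify_chain(CATALOG, chain, {"a": 42, "c": 2}))
```

The catalog is where a real tool's work would go: in the paper's framing, gadget search populates it and semantics determination fills in each entry's `semantics` and `frame_size`, after which chain generation is code generation for this instruction set and chain verification is the simulation above. The two `ValueError` paths are the checks a practitioner wants from a verifier: a chain that references a gadget the binary does not actually contain, or one whose stack layout does not match the frames the gadgets consume, is rejected instead of being scored as working.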
