A practical analysis of ROP attacks
Ayush Bansal, Debadatta Mishra

TL;DR
This paper analyzes Return-Oriented Programming (ROP) attacks, exploring techniques and challenges, and introduces an automated tool that constructs ROP chains to execute system calls on 64-bit systems.
Contribution
It provides a detailed analysis of ROP attack techniques and presents a new automated tool for generating ROP chains on 64-bit architectures.
Findings
Identified key challenges in performing ROP attacks
Developed an automated tool for ROP chain generation
Demonstrated the tool's capability to execute arbitrary system calls
Abstract
Control-flow hijacking attacks have long posed a serious threat to application security: an attacker who breaks a program's control-flow integrity can execute arbitrary code. These attacks can be carried out either by injecting code into the program's memory or by reusing code already present in the program (known as code-reuse attacks). Code-reuse attacks in the form of return-into-libc attacks or Return-Oriented Programming (ROP) attacks are said to be Turing complete, meaning that a binary can be expected to contain code fragments (ROP gadgets) that let an attacker perform any computation by assembling a suitable ROP chain (a sequence of ROP gadgets). Our goal is to study the different techniques for performing ROP attacks and to identify the difficulties encountered in carrying them out. For this purpose, we have designed an automated tool which…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Physical Unclonable Functions (PUFs) and Hardware Security
