NANJING UNIVERSITY Return-Oriented Programming 2023/2/7 1
Introduction
The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). Hovav Shacham, ACM CCS 2007
Introduction
⚫ "W⊕X" ensures that no memory location in a process image is marked both writable ("W") and executable ("X"). With "W⊕X", there is no location in memory into which the attacker can inject code to execute.
⚫ Now that attackers cannot inject code, their response was to use, for their own purposes, code that already exists in the process image they are attacking.
Introduction
Since the standard C library, libc, is loaded in nearly every Unix program, and since it contains routines of the sort that are useful for an attacker (e.g., wrappers for system calls), libc is the usual target, and such attacks are therefore known as return-into-libc attacks. But in principle any available code, either from the program's text segment or from a library it links to, could be used.
Introduction
◼ The building blocks for the traditional return-into-libc attack are functions, and these can be removed by the maintainers of libc.
◼ By contrast, the building blocks for ROP are short code sequences, each just two or three instructions long, ending in a return instruction (gadgets). Some are present in libc as a result of the code-generation choices of the compiler. Others are found in libc despite not having been placed there at all by the compiler: x86 instructions are variable-length, so decoding the same bytes from an offset the compiler never intended yields a different, "unintended" instruction stream. In either case, these code sequences would be very difficult to eliminate without extensive modifications to the compiler and assembler.
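To make the last bullet concrete, the following is an added example (it is not code from the slides or from Shacham's paper) of the simplest possible gadget scanner: it looks for every 0xc3 (ret) byte in a buffer and, for each start offset up to MAX_BACK bytes earlier, decodes forward with a toy x86 decoder; a start offset is a gadget only if its instruction chain lands exactly on that ret. The decoder covers only a handful of opcodes, so unknown bytes simply end the chain (a real scanner uses a full disassembler and also accepts 0xc2, ret imm16); the paper itself walks backward from each ret and builds a trie, which this forward-decoding simplification does not reproduce. The first ten sample bytes are the byte sequence the paper uses to illustrate an unintended gadget (intended decoding: test edi, 7; setne byte [ebp-61], where the 0xc3 is a displacement); the trailing 5b 5d c3 (pop ebx; pop ebp; ret) is a constructed compiler epilogue standing in for an intended one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BACK 12   /* how many bytes before a ret are tried as gadget start offsets */

static const char *REG32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};
static const char *REG8[8]  = {"al","cl","dl","bl","ah","ch","dh","bh"};
static const char *CC[16]   = {"o","no","b","ae","e","ne","be","a","s","ns","p","np","l","ge","le","g"};

/* Constructed sample (not a real libc dump): the paper's 10-byte illustration followed by a
   typical compiler epilogue "pop ebx; pop ebp; ret" standing in for an intended gadget. */
static const uint8_t SAMPLE[] = {
    0xf7,0xc7,0x07,0x00,0x00,0x00,   /* test edi, 7            (intended decoding)        */
    0x0f,0x95,0x45,0xc3,             /* setne byte [ebp-61]    (the 0xc3 is a disp8!)     */
    0x5b,0x5d,0xc3                   /* pop ebx; pop ebp; ret  (constructed epilogue)     */
};

static uint32_t imm32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one 32-bit x86 instruction at c[pos] into `out`; return its length, or 0 if this
   toy decoder does not model the opcode (so the gadget chain stops there). */
static size_t decode_one(const uint8_t *c, size_t len, size_t pos, char *out, size_t outsz)
{
    if (pos >= len) return 0;
    uint8_t op = c[pos];
    size_t rem = len - pos;
    if (op == 0xc3) { snprintf(out, outsz, "ret"); return 1; }
    if (op == 0x90) { snprintf(out, outsz, "nop"); return 1; }
    if (op >= 0x40 && op <= 0x47) { snprintf(out, outsz, "inc %s", REG32[op - 0x40]); return 1; }
    if (op >= 0x48 && op <= 0x4f) { snprintf(out, outsz, "dec %s", REG32[op - 0x48]); return 1; }
    if (op >= 0x50 && op <= 0x57) { snprintf(out, outsz, "push %s", REG32[op - 0x50]); return 1; }
    if (op >= 0x58 && op <= 0x5f) { snprintf(out, outsz, "pop %s", REG32[op - 0x58]); return 1; }
    if (op >= 0x91 && op <= 0x97) { snprintf(out, outsz, "xchg eax, %s", REG32[op - 0x90]); return 1; }
    if (op >= 0xb8 && op <= 0xbf) {                       /* mov r32, imm32 */
        if (rem < 5) return 0;
        snprintf(out, outsz, "mov %s, 0x%08x", REG32[op - 0xb8], imm32(c + pos + 1));
        return 5;
    }
    if (op == 0xc7 || op == 0xf7) {                       /* mov r/m32, imm32  /  test r/m32, imm32 */
        if (rem < 6) return 0;
        uint8_t modrm = c[pos + 1], mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
        if (reg != 0) return 0;                           /* only the /0 forms are modelled */
        const char *mn = op == 0xc7 ? "mov" : "test";
        if (mod == 3) { snprintf(out, outsz, "%s %s, 0x%08x", mn, REG32[rm], imm32(c + pos + 2)); return 6; }
        if (mod == 0 && rm != 4 && rm != 5) {             /* [reg] with no SIB byte or disp32 */
            snprintf(out, outsz, "%s dword [%s], 0x%08x", mn, REG32[rm], imm32(c + pos + 2));
            return 6;
        }
        return 0;
    }
    if (op == 0x0f && rem >= 3 && c[pos + 1] >= 0x90 && c[pos + 1] <= 0x9f) {   /* setcc r/m8 */
        uint8_t modrm = c[pos + 2], mod = modrm >> 6, rm = modrm & 7;
        const char *cc = CC[c[pos + 1] - 0x90];
        if (mod == 3) { snprintf(out, outsz, "set%s %s", cc, REG8[rm]); return 3; }
        if (mod == 1 && rm != 4 && rem >= 4) {            /* [reg+disp8] */
            snprintf(out, outsz, "set%s byte [%s%+d]", cc, REG32[rm], (int)(int8_t)c[pos + 3]);
            return 4;
        }
    }
    return 0;
}

/* Decode forward from `start`; succeed (1) only if the chain ends exactly on the ret at
   `ret_pos` without an undecodable byte, an overshooting instruction, or an earlier ret. */
static int gadget_between(const uint8_t *c, size_t len, size_t start, size_t ret_pos,
                          char *out, size_t outsz)
{
    size_t pos = start;
    out[0] = '\0';
    while (pos < ret_pos) {
        char insn[48];
        if (c[pos] == 0xc3) return 0;                     /* control would leave before ret_pos */
        size_t l = decode_one(c, len, pos, insn, sizeof insn);
        if (l == 0 || pos + l > ret_pos) return 0;        /* undecodable, or swallows the ret byte */
        if (out[0]) strncat(out, "; ", outsz - strlen(out) - 1);
        strncat(out, insn, outsz - strlen(out) - 1);
        pos += l;
    }
    if (out[0]) strncat(out, "; ", outsz - strlen(out) - 1);
    strncat(out, "ret", outsz - strlen(out) - 1);
    return 1;
}

/* For every 0xc3 in the buffer, report each start offset within MAX_BACK bytes that decodes
   cleanly into it. Returns the gadget count; prints the gadgets when `verbose` is nonzero. */
static int find_gadgets(const uint8_t *c, size_t len, int verbose)
{
    int count = 0;
    for (size_t r = 0; r < len; r++) {
        if (c[r] != 0xc3) continue;
        for (size_t back = 1; back <= MAX_BACK && back <= r; back++) {
            char buf[256];
            if (gadget_between(c, len, r - back, r, buf, sizeof buf)) {
                count++;
                if (verbose) printf("%04zx: %s\n", r - back, buf);
            }
        }
    }
    return count;
}

int main(void)
{
    int n = find_gadgets(SAMPLE, sizeof SAMPLE, 1);
    printf("%d gadget(s) found\n", n);
    return 0;
}
```

Running it shows both kinds of gadget from the slide: the compiler-emitted epilogue at offset 0x000a (pop ebx; pop ebp; ret) and, at offset 0x0001, the unintended "mov dword [edi], 0x0f000000; xchg eax, ebp; inc ebp; ret" that exists only because the byte stream is entered one byte past the start of the test instruction. Decoding from offset 0 (the compiler's alignment) is rejected, because there the 0xc3 is consumed as the displacement of setne and is not a ret at all.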