TY - GEN
T1 - ITOP
T2 - 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021
AU - Muntean, Paul
AU - Viehoever, Richard
AU - Lin, Zhiqiang
AU - Tan, Gang
AU - Grossklags, Jens
AU - Eckert, Claudia
N1 - Publisher Copyright:
© 2021 ACM.
PY - 2021/10/6
Y1 - 2021/10/6
N2 - Exploiting a program requires a security analyst to manipulate data in program memory with the goal of obtaining control over the program counter and escalating privileges. However, this is a tedious and lengthy process because: (1) the analyst has to massage program data such that a logical, reliable data-passing chain can be established, and (2) depending on the attacker's goal, certain in-place fine-grained protection mechanisms need to be bypassed. Previous work has proposed various techniques to facilitate exploit development. Unfortunately, none of them can be easily used to address the given challenges. This is because data in memory is difficult to massage for an analyst who does not know the peculiarities of the program, as the attack specification is most of the time only available textually and not automated at all. In this paper, we present indirect transfer oriented programming (iTOP), a framework to automate the construction of control-flow hijacking attacks in the presence of strong protections including control-flow integrity, data execution prevention, and stack canaries. Given a vulnerable program, iTOP automatically builds an exploit payload with a chain of viable gadgets whose memory constraints are solved with SMT. One salient feature of iTOP is that it contains 13 attack primitives powered by a Turing-complete payload specification language, ESL. It also combines virtual and non-virtual gadgets using COOP-like dispatchers. As such, when searching for gadget chains, iTOP can respect, for example, a previously enforced CFI policy by using only legitimate control-flow transfers. We have evaluated iTOP with a variety of programs and demonstrated that it can successfully generate exploits with the developed attack primitives.
AB - Exploiting a program requires a security analyst to manipulate data in program memory with the goal of obtaining control over the program counter and escalating privileges. However, this is a tedious and lengthy process because: (1) the analyst has to massage program data such that a logical, reliable data-passing chain can be established, and (2) depending on the attacker's goal, certain in-place fine-grained protection mechanisms need to be bypassed. Previous work has proposed various techniques to facilitate exploit development. Unfortunately, none of them can be easily used to address the given challenges. This is because data in memory is difficult to massage for an analyst who does not know the peculiarities of the program, as the attack specification is most of the time only available textually and not automated at all. In this paper, we present indirect transfer oriented programming (iTOP), a framework to automate the construction of control-flow hijacking attacks in the presence of strong protections including control-flow integrity, data execution prevention, and stack canaries. Given a vulnerable program, iTOP automatically builds an exploit payload with a chain of viable gadgets whose memory constraints are solved with SMT. One salient feature of iTOP is that it contains 13 attack primitives powered by a Turing-complete payload specification language, ESL. It also combines virtual and non-virtual gadgets using COOP-like dispatchers. As such, when searching for gadget chains, iTOP can respect, for example, a previously enforced CFI policy by using only legitimate control-flow transfers. We have evaluated iTOP with a variety of programs and demonstrated that it can successfully generate exploits with the developed attack primitives.
KW - Clang/LLVM
KW - Machine code
KW - control flow integrity
KW - cyber attacks
UR - http://www.scopus.com/inward/record.url?scp=85117729932&partnerID=8YFLogxK
U2 - 10.1145/3471621.3471847
DO - 10.1145/3471621.3471847
M3 - Conference contribution
AN - SCOPUS:85117729932
T3 - ACM International Conference Proceeding Series
SP - 162
EP - 176
BT - Proceedings of 2021 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021
PB - Association for Computing Machinery
Y2 - 6 October 2021 through 8 October 2021
ER -