ITOP: Automating counterfeit object-oriented programming attacks

Paul Muntean, Richard Viehoever, Zhiqiang Lin, Gang Tan, Jens Grossklags, Claudia Eckert

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

Exploiting a program requires a security analyst to manipulate data in program memory with the goal of obtaining control over the program counter and escalating privileges. However, this is a tedious and lengthy process because: (1) the analyst has to massage program data so that a logical, reliable data-passing chain can be established, and (2) depending on the attacker's goal, certain fine-grained protection mechanisms that are in place need to be bypassed. Previous work has proposed various techniques to facilitate exploit development. Unfortunately, none of them can easily be used to address these challenges, because data in memory is difficult to massage for an analyst who does not know the peculiarities of the program: the attack specification is usually available only as text and is not automated at all. In this paper, we present indirect transfer oriented programming (iTOP), a framework to automate the construction of control-flow hijacking attacks in the presence of strong protections, including control-flow integrity (CFI), data execution prevention, and stack canaries. Given a vulnerable program, iTOP automatically builds an exploit payload from a chain of viable gadgets whose SMT-based memory constraints have been solved. One salient feature of iTOP is that it contains 13 attack primitives powered by a Turing-complete payload specification language, ESL. It also combines virtual and non-virtual gadgets using COOP-like dispatchers. As such, when searching for gadget chains, iTOP can respect, for example, a previously enforced CFI policy by using only legitimate control-flow transfers. We have evaluated iTOP on a variety of programs and demonstrated that it can successfully generate exploits with the developed attack primitives.

Original language: English
Title of host publication: Proceedings of 2021 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021
Publisher: Association for Computing Machinery
Pages: 162-176
Number of pages: 15
ISBN (Electronic): 9781450390583
DOIs
State: Published - 6 Oct 2021
Event: 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021 - Virtual, Online, Spain
Duration: 6 Oct 2021 → 8 Oct 2021

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021
Country/Territory: Spain
City: Virtual, Online
Period: 6/10/21 → 8/10/21

Keywords

  • Clang/LLVM
  • Machine code
  • control flow integrity
  • cyber attacks
