What it is
Code reuse attacks allow the adversary to produce malicious results by exploiting the control flow of an existing program, without injecting any additional code.
In a code-reuse attack, the attacker combines existing code fragments (called gadgets) to achieve arbitrary computation. While code-reuse attacks are Turing complete, they are generally used to disable code integrity and to allow an attacker to execute injected code.
Return Oriented Programming (ROP)
Code reuse attacks allow attackers to execute arbitrary code on a compromised machine.
In this class of attack, the attacker directs the control flow through existing code without injecting new executable code.
Using ROP, the attacker chains together small pieces of code, known as gadgets, that already exist in the binary image of a vulnerable application.
ROP gadgets are short sequences of instructions, typically ending with a return or another indirect control-transfer instruction. Instead of injecting binary code into the memory space of the application, the attacker places a sequence of gadget addresses on the stack or in other memory of the program.
Each gadget ends with an indirect control-transfer instruction, which transfers control to the next gadget according to the injected gadget sequence.
Existing defenses that lose their effect
- Read-only memory
- Non-executable memory
- Kernel-code integrity protections
These three are bypassed because the injected part is only data (rather than code). In addition, access to ROP exploits is not difficult, since they are provided in publicly available packs.
- Instruction Set Randomization
- Simple Address Space Layout Randomization (ASLR)
- Stack canaries (Ref [25] in [3])
How to defend
Instruction Location Randomization
Software Diversity
- By randomizing a binary's code layout, a memory vulnerability is moved to an a priori unknown location in the binary, thereby lowering the probability of successful return-to-libc and return-oriented attacks. [2]
- [2] proposes an approach that recompiles code during execution with the Java JIT compiler.
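To make the gadget-chaining mechanism described above and the diversification argument of [2] concrete, here is an added toy model. It is not code from this page, from [2] or from [3]: the "machine", its instruction set, the gadget names, the addresses and the chain are all constructed for illustration. A chain of gadget addresses built against a known code layout runs to completion; the very same chain run against a diversified layout (gadgets shuffled, padded and rebased, as a stand-in for ILR or JIT re-layout) lands on a non-code address on its first step.

```python
"""Toy model of return-oriented gadget chaining and of why code-layout
diversification breaks a pre-built chain. Constructed example: the machine,
its instruction set and the gadgets are invented, not real machine code.
"""
import random

# Toy instruction set. A gadget is a short run of instructions ending in RET.
# ("pop", reg)      : pop the next stack word into a register
# ("add", dst, src) : dst = dst + src
# ("nop",)          : filler code between gadgets
# ("ret",)          : pop the next stack word and continue execution there
# ("halt",)         : stop; stands in for reaching a sensitive function
GADGETS = {
    "pop_r0": [("pop", "r0"), ("ret",)],
    "pop_r1": [("pop", "r1"), ("ret",)],
    "add":    [("add", "r0", "r1"), ("ret",)],
    "halt":   [("halt",)],
}
CODE_BASE = 0x1000  # code lives well above any small data word in the chain


def lay_out(order, gaps, base=CODE_BASE):
    """Place gadgets in memory. Returns (code, symbols): code maps
    address -> instruction, symbols maps gadget name -> start address.
    gaps[i] NOP instructions are emitted before gadget order[i]."""
    code, symbols, addr = {}, {}, base
    for name, gap in zip(order, gaps):
        for _ in range(gap):
            code[addr] = ("nop",)
            addr += 1
        symbols[name] = addr
        for insn in GADGETS[name]:
            code[addr] = insn
            addr += 1
    return code, symbols


def diversified_layout(seed):
    """Model of load-time diversification: the same gadgets, but in a
    shuffled order, with random padding and a random base (constructed)."""
    rng = random.Random(seed)
    order = list(GADGETS)
    rng.shuffle(order)
    gaps = [rng.randint(1, 16) for _ in order]
    return lay_out(order, gaps, base=CODE_BASE + rng.randint(0x100, 0x800))


def run_chain(code, chain, max_steps=100):
    """Execute a gadget chain. `chain` is the stack content after the saved
    return address was overwritten: chain[0] is the first address popped.
    Returns ("halt", regs) or ("fault", reason)."""
    stack = list(reversed(chain))  # stack.pop() yields chain entries in order
    regs = {"r0": 0, "r1": 0}
    pc = stack.pop()
    for _ in range(max_steps):
        insn = code.get(pc)
        if insn is None:
            return "fault", f"jump to non-code address {pc:#x}"
        op = insn[0]
        if op == "halt":
            return "halt", regs
        if op == "pop":
            if not stack:
                return "fault", "stack underflow"
            regs[insn[1]] = stack.pop()
            pc += 1
        elif op == "add":
            regs[insn[1]] += regs[insn[2]]
            pc += 1
        elif op == "nop":
            pc += 1
        elif op == "ret":
            if not stack:
                return "fault", "stack underflow"
            pc = stack.pop()
    return "fault", "step limit exceeded"


def build_chain(symbols):
    """Chain that computes r0 = 40 + 2 and then reaches the 'halt' gadget,
    using only existing code at the addresses given by `symbols`."""
    return [symbols["pop_r0"], 40, symbols["pop_r1"], 2,
            symbols["add"], symbols["halt"]]


def demo():
    """Run one chain against the layout it was built for, then against a
    diversified layout of the same code."""
    known_code, known_syms = lay_out(list(GADGETS), [2, 2, 2, 2])
    chain = build_chain(known_syms)
    baseline = run_chain(known_code, chain)
    diversified_code, _ = diversified_layout(seed=7)
    after = run_chain(diversified_code, chain)  # same chain, new layout
    return baseline, after


if __name__ == "__main__":
    base, div = demo()
    print("static layout      :", base)
    print("diversified layout :", div)
```

In the static layout the chain halts with r0 = 42; in the diversified layout the first address in the chain (0x1002) no longer holds code, so the chain faults immediately. The model deliberately rebases the code by at least 0x100 so the outcome does not depend on the seed; with a smaller shift the chain would still derail, only later and less predictably, which is the point made in [2] about the vulnerability being moved to an a priori unknown location.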
[2] Adaptive Just-in-Time Code Diversification, by Abhinav Jangda, in MTD15
[3] An Evil Copy: How the Loader Betrays you