Code Reuse Attacks

What it is

Code reuse attacks let an adversary obtain a malicious result by hijacking the control flow of the program's existing code, without injecting any additional code.

In a code-reuse attack, the attacker stitches together existing code fragments (called gadgets) to perform arbitrary computation. Although code-reuse attacks are Turing complete, in practice a chain is most often used as a stage: it disables code integrity (for example by making an attacker-controlled buffer executable) so that conventional injected code can run afterwards.


Return Oriented Programming (ROP)

ROP is the most common form of code reuse. It allows an attacker to execute arbitrary computation on a compromised machine while steering control flow only through code that is already there; no new executable code is injected.

Using ROP, the attacker links small pieces of code, known as gadgets, that already exist in the binary image of the vulnerable application or in the libraries it loads.

A ROP gadget is a short instruction sequence, typically ending with a return (or another indirect control transfer). Instead of injecting machine code into the application's memory, the attacker writes a sequence of gadget addresses, interleaved with the values the gadgets will pop, onto the stack (or into other memory that the stack pointer can be pivoted to).

Each gadget ends with an indirect control transfer, so when it finishes, the return pops the next address from the injected sequence and control moves on to the next gadget. The chain of data, not the program's own logic, determines what executes.
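Gadget hunting in practice means scanning the bytes of an already-loaded image for return instructions and treating the bytes in front of each one as a candidate gadget. The following is an added example written for this page (not code from the cited papers or from any real gadget-finding tool such as ROPgadget). The x86-64 byte image is constructed by hand with the intended instruction boundaries in comments; the helper names `find_ret_offsets`, `find_gadget` and `count_candidates` are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed x86-64 byte image standing in for a loaded binary's .text.
 * Comments give the intended instruction boundaries.  Note the 0xC3 inside
 * the immediate of 'mov eax, 0xC3': an unintended ret, which is why gadget
 * hunting treats every 0xC3 byte as a possible gadget end, whether or not
 * the compiler ever meant it as an instruction. */
static const uint8_t image[] = {
    0x55,                          /* push rbp                */
    0x48, 0x89, 0xe5,              /* mov  rbp, rsp           */
    0x5f, 0xc3,                    /* pop  rdi ; ret          */
    0x48, 0x8b, 0x07,              /* mov  rax, [rdi]         */
    0x5e, 0xc3,                    /* pop  rsi ; ret          */
    0x48, 0x89, 0x37, 0xc3,        /* mov  [rdi], rsi ; ret   */
    0x0f, 0x05, 0xc3,              /* syscall ; ret           */
    0xb8, 0xc3, 0x00, 0x00, 0x00,  /* mov  eax, 0xc3          */
    0xc3,                          /* ret                     */
};
#define IMAGE_LEN        (sizeof image)
#define MAX_GADGET_BYTES 4   /* longest prefix we consider in front of a ret */

/* Offsets of every 0xC3 (ret) byte, intended or not.  Returns the count
 * found, storing at most max_out of them in 'out'. */
size_t find_ret_offsets(const uint8_t *img, size_t len, size_t *out, size_t max_out) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (img[i] != 0xc3) continue;
        if (n < max_out) out[n] = i;
        n++;
    }
    return n;
}

/* Exact byte-pattern search for a gadget the chain needs, e.g. {5f c3} for
 * 'pop rdi ; ret'.  Returns the first offset, or -1 if the image lacks it. */
long find_gadget(const uint8_t *img, size_t len, const uint8_t *pat, size_t plen) {
    if (plen == 0 || pat[plen - 1] != 0xc3) return -1;  /* gadgets end in ret */
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(img + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* Number of candidate gadgets: for each ret, every start point up to
 * MAX_GADGET_BYTES before it.  A real tool then disassembles each candidate
 * and discards the ones that do not decode into valid instructions. */
size_t count_candidates(const uint8_t *img, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (img[i] == 0xc3)
            for (size_t d = 1; d <= MAX_GADGET_BYTES && d <= i; d++) n++;
    return n;
}

int main(void) {
    size_t offs[16];
    size_t n = find_ret_offsets(image, IMAGE_LEN, offs, 16);
    for (size_t k = 0; k < n; k++) {
        printf("ret at 0x%02zx:", offs[k]);
        for (size_t d = MAX_GADGET_BYTES; d > 0; d--)   /* dump the longest candidate */
            if (d <= offs[k]) printf(" %02x", image[offs[k] - d]);
        printf(" c3\n");
    }
    const uint8_t pop_rdi_ret[] = { 0x5f, 0xc3 };
    printf("pop rdi ; ret at %ld, %zu candidates in total\n",
           find_gadget(image, IMAGE_LEN, pop_rdi_ret, 2),
           count_candidates(image, IMAGE_LEN));
    return 0;
}
```

The scan finds six ret bytes in a 24-byte image although only five instructions are returns: the 0xC3 at offset 19 sits inside the immediate of `mov eax, 0xC3`, and the bytes before it (`b8`) decode as a different, unintended instruction when execution starts there. That is the usual source of gadgets the compiler never emitted, and it is why code-reuse defenses cannot simply audit the intended instruction stream.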


Existing defenses lose their effect

Because everything the attacker injects is data rather than code, a ROP chain passes through defenses that only police code, such as
  • Read-only memory (the code pages are never modified)
  • Non-executable memory (W^X, DEP/NX: the chain never executes from the stack)
  • Kernel-code integrity protections

In addition, access to ROP exploits is not difficult, since gadget finders and ready-made chains are provided in publicly available packs.

Most existing defense mechanisms cannot stop code reuse attacks either, such as
  • Instruction Set Randomization: no new instructions are injected, so randomizing the instruction encoding changes nothing for the attacker
  • Simple Address Space Layout Randomization (ASLR): a whole module moves as one block, so a single leaked pointer into it reveals the location of every gadget it contains
  • Stack canaries: they only detect a sequential overwrite of the saved return address on the stack; a chain delivered through another corruption primitive, or placed after the canary value has leaked, is not detected (Ref [25] in [3])

How to defend

Instruction Location Randomization

  • [1] proposes hardware-supported randomization of the instruction address space, so that the gadget addresses an attacker has learned from the binary on disk do not hold for the running process.

Software Diversity

  • By randomizing a binary's code layout, the code around a memory vulnerability is moved to an a priori unknown location in the binary, which lowers the probability of a successful return-to-libc or return-oriented attack. [2]
    • [2] proposes re-compiling the code during execution with the Java JIT compiler, so that the layout keeps changing while the program runs.
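To make both the chaining mechanism from the ROP section and the layout-randomization argument above concrete, here is an added example written for this page. It is not code from [1], [2] or [3] and not a real exploit: it models a ROP chain on a tiny hypothetical machine whose instruction set, gadget names (`g_pop_a`, `g_store`, ...) and two layouts (`LAYOUT_ORIGINAL`, `LAYOUT_RANDOMIZED`) are all constructed for the illustration. Gadgets are short opcode runs ending in a return, the chain is pure data on the stack, and the same chain is run once against the layout the attacker analysed and once against a diversified copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model ISA (constructed): every gadget is a short run of these opcodes
 * ending in OP_RET, mirroring x86 gadgets that end in ret.  OP_NOP is 0 so
 * untouched code memory decodes as a nop-sled that runs off the end. */
enum op { OP_NOP = 0, OP_POP_A, OP_POP_B, OP_STORE, OP_HALT, OP_RET };

#define CODE_SIZE  64
#define STACK_SIZE 16
#define MEM_SIZE   16

struct machine {
    uint8_t  code[CODE_SIZE];    /* the program's existing code: never written */
    uint32_t stack[STACK_SIZE];  /* attacker-controlled data: the ROP chain */
    uint32_t mem[MEM_SIZE];      /* writable data the chain targets */
    uint32_t a, b;               /* registers */
    int sp;                      /* stack index; pop reads stack[sp++] */
};

/* Gadgets that already exist in the image (hypothetical, constructed). */
static const uint8_t g_filler[] = { OP_NOP, OP_NOP, OP_NOP, OP_RET };
static const uint8_t g_pop_a[]  = { OP_POP_A, OP_RET };
static const uint8_t g_pop_b[]  = { OP_POP_B, OP_RET };
static const uint8_t g_store[]  = { OP_STORE, OP_RET };
static const uint8_t g_halt[]   = { OP_HALT };
enum { FILLER, POP_A, POP_B, STORE, HALT, NGADGETS };
static const struct { const uint8_t *bytes; int len; } gadgets[NGADGETS] = {
    [FILLER] = { g_filler, 4 }, [POP_A] = { g_pop_a, 2 },
    [POP_B]  = { g_pop_b,  2 }, [STORE] = { g_store, 2 }, [HALT] = { g_halt, 1 },
};

/* Two code layouts: the one the attacker analysed, and a diversified one. */
const int LAYOUT_ORIGINAL[NGADGETS]   = { FILLER, POP_A, POP_B, STORE, HALT };
const int LAYOUT_RANDOMIZED[NGADGETS] = { POP_A, STORE, FILLER, HALT, POP_B };

/* Place gadgets in code memory in 'order'; addr[g] receives gadget g's address. */
static void lay_out(struct machine *m, const int *order, uint32_t addr[NGADGETS]) {
    uint32_t next = 0;
    for (int i = 0; i < NGADGETS; i++) {
        int g = order[i];
        memcpy(&m->code[next], gadgets[g].bytes, gadgets[g].len);
        addr[g] = next;
        next += gadgets[g].len;
    }
}

static int pop(struct machine *m, uint32_t *out) {
    if (m->sp >= STACK_SIZE) return -1;
    *out = m->stack[m->sp++];
    return 0;
}

/* Execute from an overwritten return address: the first chain entry is popped
 * as if by the victim's own 'ret'.  Returns 0 on OP_HALT, -1 on a fault. */
static int run(struct machine *m, int max_steps) {
    uint32_t pc, v;
    if (pop(m, &pc)) return -1;
    for (int steps = 0; steps < max_steps; steps++) {
        if (pc >= CODE_SIZE) return -1;                 /* jumped off the code */
        switch (m->code[pc++]) {
        case OP_NOP:   break;
        case OP_POP_A: if (pop(m, &m->a)) return -1; break;
        case OP_POP_B: if (pop(m, &m->b)) return -1; break;
        case OP_STORE: if (m->a >= MEM_SIZE) return -1; m->mem[m->a] = m->b; break;
        case OP_RET:   if (pop(m, &v)) return -1; pc = v; break; /* next gadget */
        case OP_HALT:  return 0;
        default:       return -1;                       /* undefined opcode */
        }
    }
    return -1;
}

/* The attacker's chain: a write-what-where, mem[5] = 0x41, built from the
 * gadget addresses of the analysed layout.  Only data goes on the stack. */
static void build_chain(struct machine *m, const uint32_t addr[NGADGETS]) {
    uint32_t chain[] = { addr[POP_A], 5, addr[POP_B], 0x41, addr[STORE], addr[HALT] };
    memcpy(m->stack, chain, sizeof chain);
    m->sp = 0;
}

/* Run the pre-computed chain against a victim laid out in 'victim_order'.
 * Returns run()'s status; *written receives mem[5] afterwards. */
int run_chain_against(const int *victim_order, uint32_t *written) {
    struct machine analysed = {0}, victim = {0};
    uint32_t addr_analysed[NGADGETS], addr_victim[NGADGETS];
    lay_out(&analysed, LAYOUT_ORIGINAL, addr_analysed);  /* attacker's copy */
    lay_out(&victim, victim_order, addr_victim);         /* the running target */
    build_chain(&victim, addr_analysed);                 /* chain assumes old layout */
    int status = run(&victim, 100);
    *written = victim.mem[5];
    return status;
}

int main(void) {
    uint32_t v;
    int s = run_chain_against(LAYOUT_ORIGINAL, &v);
    printf("same layout:       status=%d mem[5]=0x%x\n", s, v);
    s = run_chain_against(LAYOUT_RANDOMIZED, &v);
    printf("randomized layout: status=%d mem[5]=0x%x\n", s, v);
    return 0;
}
```

Against the analysed layout the chain pops its target index and value, stores 0x41 into mem[5] and halts cleanly, having executed nothing but bytes that were already in code memory. Against the diversified layout the same addresses land in the nop filler, the returns keep popping chain entries as if they were addresses, and the chain eventually jumps past the end of code memory and faults, so the write never happens. This is the effect the diversity approaches in [1] and [2] aim for: the attacker's chain is only as good as the layout it was computed against.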


References
[1] Enhancing Software Dependability and Security with Hardware Supported Instruction Address Space Randomization, by Weidong Shi, in DSN15
[2] Adaptive Just-in-Time Code Diversification, by Abhinav Jangda, in MTD15
[3] An Evil Copy: How the Loader Betrays You
