...

Return-oriented programming (ROP) [1,2] is an exploitation technique that enables run-time attacks to execute code in a vulnerable process in the presence of security defenses such as W⊕X memory protection policies (e.g. an NX bit) and code signing. In ROP, the adversary exploits a memory vulnerability to manipulate return addresses stored on the stack, thereby altering the program's backward-edge control flow. ROP allows Turing-complete attacks by chaining together multiple gadgets, i.e., adversary-chosen sequences of pre-existing program instructions, each ending in a return instruction, that together perform the desired operations. Identifying suitable ROP-gadget chains useful in attacks can be automated using gadget-finding tools such as ROPGadget [3] or ROPgenerator [4].

...

The objective of this topic is to design and implement a ROP-gadget finder that takes into account PA-based defenses such as GCC's and LLVM's -msign-return-address (GCC < 9.0) [7] / -mbranch-protection=pac-ret[+leaf] (GCC 9.0 and newer) [8]. These defenses cryptographically bind the return addresses stored on the stack to the stack pointer value at the time the address is pushed to the stack. To reuse a PA-protected return address in a ROP chain, the adversary must obtain a signed return address whose signature corresponds to the value of the stack pointer at the moment the ROP gadget executes its return instruction with that protected address.
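To make the binding described above concrete for both the ROP paragraph and this one, here is an added, self-contained model of AArch64 return-address signing (the PACIASP/AUTIASP pair). It is not code from the topic page or from GCC/LLVM: the real PAC is computed with the QARMA block cipher under keys held in system registers, whereas this model substitutes a truncated HMAC, and the 48-bit address / 16-bit tag layout, the key, and the sample addresses are constructed assumptions. It shows why a signed return address captured at one stack-pointer value only authenticates at other stack-pointer values by chance collision of the truncated tag, which is exactly the constraint a PA-aware gadget finder has to account for.

```python
import hashlib
import hmac

# Constructed model of AArch64 return-address signing (PACIASP / AUTIASP).
# Real hardware computes the PAC with QARMA using keys in system registers and
# stores it in the unused upper pointer bits; a truncated HMAC stands in here.
# The 48-bit VA / 16-bit tag layout is an assumption of this model.
VA_BITS = 48
ADDR_MASK = (1 << VA_BITS) - 1
PAC_BITS = 64 - VA_BITS
PAC_MASK = (1 << PAC_BITS) - 1

DEMO_KEY = bytes(range(16))  # constructed per-process key, stands in for APIAKey


def compute_pac(address: int, modifier: int, key: bytes = DEMO_KEY) -> int:
    """Tag over (address, modifier); for return addresses the modifier is SP."""
    msg = address.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "little") & PAC_MASK


def pacia(address: int, sp: int, key: bytes = DEMO_KEY) -> int:
    """Model PACIASP: sign a return address using the current SP as modifier."""
    if address & ~ADDR_MASK:
        raise ValueError("address must fit in the VA range before signing")
    return address | (compute_pac(address, sp, key) << VA_BITS)


def autia(signed: int, sp: int, key: bytes = DEMO_KEY) -> int:
    """Model AUTIASP: strip the tag if it matches (address, SP), else fault."""
    address = signed & ADDR_MASK
    if ((signed >> VA_BITS) & PAC_MASK) != compute_pac(address, sp, key):
        raise PermissionError("PAC mismatch: return address not signed for this SP")
    return address


def accepted_at(signed: int, sp: int, key: bytes = DEMO_KEY) -> bool:
    """True if a captured signed return address authenticates at this SP."""
    try:
        autia(signed, sp, key)
        return True
    except PermissionError:
        return False


def count_accepting_sps(signed: int, candidate_sps, key: bytes = DEMO_KEY) -> int:
    """How many candidate SP values accept a signed address captured elsewhere."""
    return sum(accepted_at(signed, sp, key) for sp in candidate_sps)


def demo():
    ret_addr = 0x0000_4000_1234      # constructed return address
    sp_at_sign = 0x0000_7FFE_F000    # SP in the prologue that signed it
    signed = pacia(ret_addr, sp_at_sign)
    # Reuse at the signing SP authenticates; at other SPs only by collision of
    # the truncated tag, roughly 1 in 2**PAC_BITS per candidate.
    others = [sp_at_sign + 16 * i for i in range(1, 2049)]
    return signed, accepted_at(signed, sp_at_sign), count_accepting_sps(signed, others)


if __name__ == "__main__":
    signed, ok_same, n_other = demo()
    print(f"signed=0x{signed:016x} same_sp={ok_same} accepted_at_other_sps={n_other}/2048")
```

The model makes the gadget-finder requirement visible: a signed return address harvested from the stack is only usable where the stack pointer at the gadget's return equals the stack pointer that was current when the address was signed, so a PA-aware finder must track SP deltas between the signing frame and the gadget rather than treating any `ret`-terminated sequence as reachable.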

NOTE: Part of this topic will be performed as a special assignment, which is a prerequisite for an eventual thesis topic.

...