Channel: BOT24

Paper: EVALUATING THE EFFECTIVENESS OF CURRENT ANTI-ROP DEFENSES

ABSTRACT
Over the last few years, many defenses against the offensive technique of return-oriented programming (ROP) have been developed. Prominent among them are kBouncer, ROPecker, and ROPGuard, which all target legacy binary software while requiring no or only minimal binary code rewriting.

In this paper, we evaluate the effectiveness of these Anti-ROP defenses. Our basic insight is that all three only analyze a limited number of recent (and upcoming) branches of an application’s control flow on certain events. As a consequence, an adversary can perform dummy operations to bypass all of the employed heuristics. We show that an adversary is able to generically bypass kBouncer, ROPecker, and ROPGuard with little extra effort in practice. In the cases of kBouncer and ROPGuard on Windows, we show that all required code sequences can already be found in a minimal 32-bit C/C++ application with an empty main() function. To demonstrate the viability of our attack approaches, we implemented several proof-of-concept exploits for recent vulnerabilities in popular applications; e.g., Internet Explorer 10 on Windows 8.

More here: http://www.syssec.rub.de/media/emma/veroeffentlichungen/2014/05/09/TR-HGI-2014-001_1_1.pdf
