A.A Sadeghi; F. Aminmansour; H.R. Shahriari
Abstract
Code reuse attacks such as return oriented programming and jump oriented programming are the most popular exploitation methods among attackers. A large number of practical and non-practical defenses are proposed that differ in their overhead, the source code requirement, detection rate and implementation ...
Read More
Code reuse attacks such as return oriented programming and jump oriented programming are the most popular exploitation methods among attackers. A large number of practical and non-practical defenses are proposed that differ in their overhead, the source code requirement, detection rate and implementation dependencies. However, a usual aspect among these methods is consideration of the common behaviour of code reuse attacks, which is the construction of a gadget chain. Therefore, the implication of a gadget and the minimum size of an attack chain are a matter of controversy. Conservative or relaxed thresholds may cause false positive and false negative alarms, respectively. The main contribution of this paper is to provide a tricky aspect of code reuse techniques, called tiny code reuse attacks (Tiny-CRA) that demonstrates the ineffectiveness of the threshold based detection methods. We show that with bare minimum assumptions, Tiny-CRA can reduce the size of a gadget chain in shuch a way that no distinction can be detected between normal behavior of a program and a code-reuse execution. To do so, we exhibit our Tiny-CRA primitives and introduce a useful gadget set available in libc. We demonstrate the effectiveness of our approach by implementing nine different shell-codes and exploiting real-world buffer overflow vulnerability in HT Editor 2.0.20.