
Abandoning The Reliance On The Stack: A New ROP Attack Technique

Posted on: 2016-08-01  Degree: Master  Type: Thesis
Country: China  Candidate: Z T Lin  Full Text: PDF
GTID: 2308330461456811  Subject: Computer Science and Technology
Abstract/Summary:
Code injection attacks exploiting buffer overflow and format string vulnerabilities were popular for a long time. Defensive technologies against these vulnerabilities, such as W⊕X and DEP, were proposed to reduce the effectiveness of code injection. W⊕X guarantees that a memory region cannot be writable and executable at the same time, so shellcode injected into process memory can no longer be executed. To bypass these defenses, attackers looked for new methods, and code reuse attacks were proposed. In this kind of attack no code is injected; only "borrowed" code is used, code that already exists in libraries or other code pages before the attack begins. In return-to-libc, attackers locate functions in the GNU libc and reuse them to perform the computation. In 2007 Shacham proposed return-to-libc without function calls, called Return Oriented Programming (ROP). In an ROP attack, the short instruction sequences called gadgets must first be discovered and their addresses placed on the stack; by overwriting the return address of some function, the gadgets are executed in sequence.

Because ROP relies on the stack, a variety of defenses have been proposed to detect or prevent it. The earlier StackGuard places a "canary" word next to the return address on the stack to detect whether the return address has been altered. DROP observes that an ROP execution continuously pops return addresses that always point into the same specific memory region; this was considered an inherent feature of ROP and used for its detection.

In this thesis we present a new kind of ROP attack that eliminates the reliance on the stack for gadget chaining and operand placement. In the heap feng shui technique elaborated by Alexander Sotirov, fake objects and fake virtual tables are built on the heap to trigger the attack, but his attack needs injected shellcode and can be prevented by heap DEP. Building on heap feng shui, we propose a new code reuse attack without stack reliance. Instead of placing all gadget addresses on the stack and popping them successively to perform a particular computation, we put the gadget addresses on the heap and make use of existing loop logic in the program to chain them. In this method the input operands are also placed on the heap instead of the stack. As a result, almost all known stack-based defenses, including those mentioned above, are not capable of detecting or preventing this approach.

Unlike a traditional ROP attack, we cannot use the stack to chain the gadgets and operands, so we put these data on the heap, and we must improve the gadget model to be applicable to our attack. We also define a data swap region on the stack to save the computation context. In the experiments we choose a vulnerability and an example gadget set to test the feasibility and reliability of our ROP attack technique. Finally, we summarize our work, point out some flaws in our technique and explore new solutions and future research ideas.
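As an added illustration, not code from the thesis, the following C model contrasts the two chaining strategies the abstract describes: a stack-resident ROP chain, where every gadget-to-gadget transfer is a ret popping the next address, against a heap-resident chain walked by a loop that already exists in the victim. The gadgets are ordinary C functions, the "victim dispatch loop" and the DROP-style counter of ret-driven transfers are assumptions of the model, and the payload is constructed; nothing here exploits a real vulnerability.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Computation context shared by all gadgets. The thesis keeps a separate
 * "data swap region" for this purpose; a plain struct is an illustrative
 * stand-in (assumption for this example). */
typedef struct {
    uint64_t acc;
    uint64_t out;
    int      stored;
} ctx_t;

typedef void (*gadget_fn)(ctx_t *, uint64_t);

/* "Gadgets": short operations standing in for borrowed instruction
 * sequences. Ordinary C functions so the model runs on any host. */
static void g_load (ctx_t *c, uint64_t v) { c->acc  = v; }
static void g_add  (ctx_t *c, uint64_t v) { c->acc += v; }
static void g_xor  (ctx_t *c, uint64_t v) { c->acc ^= v; }
static void g_store(ctx_t *c, uint64_t v) { (void)v; c->out = c->acc; c->stored = 1; }

/* One chain element: a gadget address plus the operand it consumes.
 * In classical ROP both live on the stack; in the thesis's variant both
 * live on the heap. */
typedef struct { gadget_fn fn; uint64_t arg; } gadget_t;

/* Constructed payload: compute (0x1000 + 0x234) ^ 0xff, then store it. */
static const gadget_t PAYLOAD[] = {
    { g_load,  0x1000 },
    { g_add,   0x0234 },
    { g_xor,   0x00ff },
    { g_store, 0      },
};
#define PAYLOAD_LEN (sizeof PAYLOAD / sizeof PAYLOAD[0])

/* Stand-in for a DROP-style monitor (assumed): counts consecutive
 * ret-driven transfers into the gadget region. */
typedef struct { unsigned ret_pops; } monitor_t;

/* Model 1: classical ROP. The chain sits in an overwritten stack frame and
 * each gadget's trailing ret pops the next entry. Every step is a
 * ret-driven transfer, the pattern stack-based detectors key on. */
static void run_stack_chain(ctx_t *c, monitor_t *m) {
    gadget_t stack_chain[PAYLOAD_LEN];
    for (size_t i = 0; i < PAYLOAD_LEN; i++) stack_chain[i] = PAYLOAD[i];
    size_t sp = 0;
    while (sp < PAYLOAD_LEN) {
        gadget_t g = stack_chain[sp++];   /* "ret": pop next gadget address */
        m->ret_pops++;
        g.fn(c, g.arg);
    }
}

/* Model 2: the thesis's idea. The victim already contains a loop that walks
 * a table of (pointer, argument) pairs, e.g. a handler dispatch loop. The
 * attacker fills that table on the heap; the loop's indirect calls chain
 * the gadgets, and no return address is ever popped to reach the next one. */
static void victim_dispatch_loop(const gadget_t *table, size_t n, ctx_t *c) {
    for (size_t i = 0; i < n; i++)
        table[i].fn(c, table[i].arg);     /* indirect call, not ret */
}

static void run_heap_chain(ctx_t *c, monitor_t *m) {
    gadget_t *heap_chain = malloc(sizeof PAYLOAD);
    if (!heap_chain) return;
    for (size_t i = 0; i < PAYLOAD_LEN; i++) heap_chain[i] = PAYLOAD[i];
    (void)m;                              /* monitor never sees a ret pop */
    victim_dispatch_loop(heap_chain, PAYLOAD_LEN, c);
    free(heap_chain);
}

/* Accessors so each model can be checked independently. */
uint64_t stack_model_result(void)   { ctx_t c = {0}; monitor_t m = {0}; run_stack_chain(&c, &m); return c.stored ? c.out : 0; }
unsigned stack_model_ret_pops(void) { ctx_t c = {0}; monitor_t m = {0}; run_stack_chain(&c, &m); return m.ret_pops; }
uint64_t heap_model_result(void)    { ctx_t c = {0}; monitor_t m = {0}; run_heap_chain(&c, &m);  return c.stored ? c.out : 0; }
unsigned heap_model_ret_pops(void)  { ctx_t c = {0}; monitor_t m = {0}; run_heap_chain(&c, &m);  return m.ret_pops; }

int main(void) {
    printf("stack chain: result=0x%llx ret pops seen=%u\n",
           (unsigned long long)stack_model_result(), stack_model_ret_pops());
    printf("heap chain:  result=0x%llx ret pops seen=%u\n",
           (unsigned long long)heap_model_result(), heap_model_ret_pops());
    return 0;
}
```

Both models compute the same value (0x12cb), but only the stack model produces the sequence of ret-driven transfers that a canary check or a DROP-style pop counter can observe; the heap model's control transfers are the victim's own indirect calls. Note the model also makes the thesis's limitation visible: the attacker must find a suitable existing loop and a heap-controlled table for it to walk, which is the "improved gadget model" the abstract refers to.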
Keywords/Search Tags: Program Security, ROP, Stack Reliance, Heap