With the rapid development of the computer industry, more and more important operations and data are processed by computers, and the safety of applications has received growing attention; application security has therefore become a popular research topic in the computer industry. Early in the field of application security, attackers used code injection attacks to break defenses. Since W⊕X was proposed, however, attackers can no longer use code injection, so they turned to two code-reuse methods: return-into-libc and return-oriented programming (referred to as ROP). ROP overcomes the disadvantage of return-into-libc, which must execute code in order, and has finally become the more mainstream attack. ROP attacks exploit the 'ret' and 'jmp' instructions to build sets of gadgets from which attack sequences can be constructed. Importantly, these instruction sequences come from the application's own code, so the attacker does not need to inject attack code; ROP attacks can therefore break the defense of W⊕X. Based on the characteristics of ROP attacks, researchers have proposed a variety of methods to defend against ROP. One of them, Ping Chen, proposed a new detection method: if three consecutive instruction sequences in the executed code each contain fewer than 5 instructions, the execution is judged to be a ROP attack. Jiaxing Cao then proposed the Lgadget, which can easily break Ping Chen's defense. Based on the Lgadget proposed by Jiaxing Cao, this paper proposes an automated tool for ROP attacks.
The contributions of this paper are as follows: 1) the Lgadget is further amended and extended to reduce the dependence between registers while maintaining a Turing-complete gadget set, ensuring that the Lgadget meets the needs of constructing ROP attacks automatically; 2) the R language and an R language interpreter are defined so that an attacker can use a simple high-level language to construct a ROP attack; 3) an automatic padding and linking framework is designed, which fills the needed ret sequence into a stack based on the results generated by the R language interpreter; 4) the effectiveness of the automatic ROP attack framework is verified through an experiment.
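The detection rule the abstract attributes to Ping Chen, as an added Python example that is not part of the paper: it splits a constructed instruction trace into sequences and flags three consecutive sequences of fewer than 5 instructions. The choice of 'ret' as the sequence delimiter and the sample traces are my assumptions; the third trace shows the blind spot the abstract attributes to the Lgadget, which is why a length threshold alone is a weak detector.

```python
# Added example (not from the paper): the sequence-length heuristic attributed
# to Ping Chen in the abstract, run over constructed instruction traces.
# Assumptions not stated on the page: a trace is a list of executed
# instruction mnemonics and sequences are delimited by 'ret'.

MAX_GADGET_LEN = 5      # "fewer than 5" instructions per sequence
WINDOW = 3              # "three consecutive sequences"


def split_sequences(trace):
    """Split a trace into ret-terminated instruction sequences (assumption)."""
    seqs, cur = [], []
    for insn in trace:
        cur.append(insn)
        if insn.split()[0] == "ret":
            seqs.append(cur)
            cur = []
    if cur:
        seqs.append(cur)   # trailing instructions not yet ended by a ret
    return seqs


def detect_rop(trace, max_len=MAX_GADGET_LEN, window=WINDOW):
    """Return the index of the first run of `window` consecutive sequences
    that are all shorter than `max_len`, or None if the trace is not flagged."""
    lengths = [len(s) for s in split_sequences(trace)]
    for i in range(len(lengths) - window + 1):
        if all(n < max_len for n in lengths[i:i + window]):
            return i
    return None


# Constructed traces for illustration only.
# Ordinary code: function bodies of 8 instructions, each ending in ret.
NORMAL = ["push rbp", "mov rbp, rsp", "sub rsp, 0x20", "mov [rbp-8], rdi",
          "call foo", "add rsp, 0x20", "pop rbp", "ret"] * 3
# Three consecutive 2-instruction sequences: flagged by the heuristic.
SHORT_CHAIN = ["pop rax", "ret", "pop rdi", "ret", "mov [rdi], rax", "ret"]
# Sequences of exactly 5 instructions: the heuristic does not flag them,
# which is the blind spot the abstract attributes to the Lgadget.
LONG_CHAIN = ["pop rax", "nop", "nop", "nop", "ret"] * 3

if __name__ == "__main__":
    for name, trace in [("NORMAL", NORMAL), ("SHORT_CHAIN", SHORT_CHAIN),
                        ("LONG_CHAIN", LONG_CHAIN)]:
        print(name, "flagged at sequence", detect_rop(trace))
```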