Technical Report: Evaluating the Effectiveness of Current Anti-ROP Defenses
Felix Schuster, Thomas Tendyck, Jannik Pewny, Andreas Maaß, Martin Steegmanns, Moritz Contag, Thorsten Holz
TR-HGI-2014-001, Ruhr-Universität Bochum, Horst Görtz Institut für IT-Sicherheit (HGI), May 2014
Over the last few years, many defenses against the offensive technique of return-oriented programming (ROP) have been developed. Prominently among them are kBouncer, ROPecker, and ROPGuard which all target legacy binary software while requiring no or only minimal binary code rewriting.
In this paper, we evaluate the effectiveness of these Anti-ROP defenses. Our basic insight is that all three only analyze a limited number of recent (and upcoming) branches of an application’s control flow on certain events. As a consequence, an adversary can perform dummy operations to bypass all of the employed heuristics. We show that an adversary is able to generically bypass kBouncer, ROPecker, and ROPGuard with little extra effort in practice. In the cases of kBouncer and ROPGuard on Windows, we show that all required code sequences can already be found in a minimal 32-bit C/C++ application with an empty main() function. To demonstrate the viability of our attack approaches, we implemented several proof-of-concept exploits for recent vulnerabilities in popular applications; e. g., Internet Explorer 10 on Windows 8.[PDF]