ROP图灵完备的普遍可实现性

Universal Availability of ROP-Based Turing-Complete Computation

返回导向编程(return-oriented programming,简称ROP)被广泛用于软件漏洞利用攻击中,用来构造攻击代码.通过更新ROP构造技术,证实了图灵完备的纯ROP攻击代码在软件模块中是普遍可实现的.ROP构造功能代码的难点是实现条件转移逻辑.通过深入分析条件转移机器指令的执行上下文发现,对这些指令的传统认知存在一定的局限性.事实上,在已有代码中存在少量的条件转移指令,它们的两个分支的开始部分都是可复用的代码片段(称为gadgets),而且这两个gadgets会从不同的内存单元中取得下一个gadget的地址,因此,以这些条件转移指令开始的代码片段可以帮助ROP实现条件转移逻辑.把这种代码片段称为if-gadget.在Linux和Windows系统上的实验结果表明,if-gadget普遍存在,即使在代码量很小的日常可执行程序中也存在.在Binutils程序集上的实验结果表明,引入if-gadget后,构造图灵完备的ROP代码要比用传统方法容易得多.在Ubuntu这样的主流操作系统上,由于可执行程序上默认没有实施防御ROP攻击的保护机制,因此,攻击者可以在这些软件模块中构造纯ROP攻击代码来发动攻击.由此可见,ROP对系统安全的威胁比原来认为的严重得多.

Return-Oriented programming （ROP） is widely applied in modern software vulnerability exploitations. This work demonstrates that Turing-eomplete ROP code is universally available in everyday software. A big challenge for applying ROP is to construct the functionality of conditional jumps. Because conditional branch instructions are abandoned as they are deemed no use for achieving this functionality, existing works resort to some awkward methods which suffer from high risk of failure. By analyzing the execution context of conditional branch instructions, this study finds that the traditional viewpoint on these instructions only partially reveals the truth. In fact, there are some conditional branch instructions in which two branches each starts a reusable gadget, and these two gadgets fetch the next gadget from different memory cells. Hence, the code snippets beginning at these conditional instructions can implement the conditional jumps for ROP code. Such a code snippet is named if-gadget. Experimental results show that if-gadgets are widely available in executables of Linux and Windows platforms. Evaluations on programs of Binutils demonstrate that, Turing complete ROP code can be achieved with the help of if-gadgets while existing techniques even fail to gather Turing complete gadgets. On platforms such as Ubuntu, because the executables running on them do not support ASLR by default, attackers can construct Turing-complete ROP code on these executables and then mount an attack. Therefore, ROP-based attacks pose a great threat to modem platforms, which is far more serious than originally thought.