Return-oriented programming: how much do you know about it? If you are interested in hacker attacks and their mechanisms, or if you are from time to time you for sure have heard about RPO (yes, you have guessed correctly: this abbreviation is used for this programming type). But even if you aren’t much aware of the hacker’s things, it might be interesting and useful for you to learn about the ROP and some interesting details connected with it.
What Is ROP?
If you are one of coding assignment experts working for a programming homework service, you can explain very well what ROP is and how to use it. Thus, here, we will try to explain it to those people who aren’t in programming but are interested in the dark side of programming.
Return-oriented programming uses vulnerabilities in the security system of a computer. Basically, a hacker induces into a program data that makes the program flow in a way that differs from the intended flow.
The Main Difference from Typical Attack Types
Normally, it is impossible for a hacker to execute malicious instructions. The thing is that a browser overflow normally overwrites all the content in a special memory data section. Such instructions are flagged as non-executable and thus, are not dangerous. This feature is deployed in the modern OS and it protects the system from malicious code.
In the case of an ROP attack, everything is different. There is no malicious code injected. The hacker uses already available instructions. However, the criminal changes the initial return addresses. Thus, the flow of a specific program changes. Basically, no malicious code is introduced, but the initial instructions were played with to change them. Thus, the execution prevention will not work because there are only native instructions, no malicious code.
What Is the Most Popular ROP Attack?
Buffer vulnerabilities are not so interesting to attackers. It is not surprising though because in the case of a buffer overflow vulnerabilities exploit, a hacker is limited to the executable instructions only.
However, it is not sufficient for an expert. Thus, the return-into-library technique was invented.
Here, an ROP attack spreads not only to executable code but to shared libraries. Some shared libraries are used to perform system calls. They have special subroutines for that. Along with it, shared libraries have other functionalities that attract hackers. Thus, the process looks like this:
- A hacker uses buffer overflow vulnerabilities to hijack the flow of a specific program;
- The hacker ignores the stack but instead, moves to a library function;
- The attacker changes the return address;
- After that, the attacker changes the stack locations.
Thus, the stack locations now don’t obey the conventions applicable for calling. Instead, they get the functionality that the attacker needs.
Also read: How to Increase PPC Conversion Rate?
Are There Effective Mitigation Techniques?
The most complicated thing is that when an ROP attack is executed, the system doesn’t perceive it as something wrong. An attacker used the functions and flows on which the system is based. Just the flow is changed. That’s why it is much more difficult to mitigate an ROP attack than any other attack type.
Though recently, some special prevention techniques were invented:
The first technique is to check the stack pointer points. It sounds pretty logical that they shall be assigned to the specific thread of the program. If an attacker attempts switching them to an ROP chain, you will notice the changes immediately and fix them.
Ensure that the specified return address always returns from a particular function. If you find any strange piece of code there, something that doesn’t relate to the thread, it might be an ROP gadget. However, if you use a compiler to generate a code, it will be difficult for an attacker to change anything. API calls if performed with the help of a compiler are pretty consistent. They use the minimum of forms, and not many things there can be modified in a way to stay undetected.
ROPGuard might be used to prevent changes in the stack.
kBouncer can be applied to prevent ROP attacks. This is one of the most efficient technologies for now. It is applied in Last Branch Recording or LBR. This feature is enabled and executes returns for calls.
Can Be Advanced Mitigation Techniques Circumvented?
Yes, even the most advanced technologies might be circumvented when it comes to programming. Take the most efficient technology: kBouncer. What if the code doesn’t apply gadgets with return? Just as an example:
- An ROP gadget pops the next ROP gadget out of the stack;
- It instead jumps to the popped ROP gadget address;
- The LBR stack cannot detect that the control transfer took place;
- The ROP attack will succeed.
This is just one example of how to circumvent the existing techniques. There are many ways that vary in a complexity level depending on the code, the system, and many more factors. But this example shows clearly that even the strongest protection system can be broken into.
Programming is still an unexplored field even though we have already made many advances. In the example of ROP, you can see that many ways can be found to set particular rules and to break them. If you know the most advanced trends though, you will be able to handle the existing threats and move on with your projects.