Year:
2017
Name and role of the project proposer:
sb_p_702444
Abstract: 

Return-oriented programming (ROP) is a well-known technique from the software security domain that underlies a myriad of vulnerability exploitation attacks carried out in the wild. By chaining together short, legitimate fragments of a program (gadgets) through "return" instructions, an attacker can encode and execute an arbitrary sequence of malicious actions without loading any external code into the system: the only thing written into memory is a sequence of gadget addresses, plus any data the gadgets consume.
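The mechanism described above, as an added example that is not part of the original proposal: a benign ROP chain that computes a value using nothing but a list of gadget addresses written to a fake stack. It assumes x86-64 Linux with GCC or Clang (ELF symbol names, System V ABI). The gadgets gadget_add5, gadget_mul3 and gadget_sub1 are hypothetical whole functions ending in `ret`; a real exploit would instead reuse instruction fragments found inside an existing binary, and rop_restore plays the role of the final gadget that hands control on.

```c
/* Benign ROP chain on x86-64 Linux (GCC/Clang, ELF). Added example, not the
 * project's code. The "gadgets" are ordinary functions ending in `ret`; a real
 * exploit would reuse instruction fragments found inside a binary instead. */
#include <stdint.h>
#include <stdio.h>

#if !defined(__x86_64__)
#error "This example pivots the stack with x86-64 inline assembly"
#endif

/* State the chain manipulates. Volatile: the compiler never sees the "calls". */
volatile long rop_acc;

/* Hypothetical gadgets: each ends in `ret`, so one `ret` transfers into the next. */
__attribute__((noinline, used)) void gadget_add5(void) { rop_acc += 5; }
__attribute__((noinline, used)) void gadget_mul3(void) { rop_acc *= 3; }
__attribute__((noinline, used)) void gadget_sub1(void) { rop_acc -= 1; }

/* Real stack pointer, saved before the pivot so the last gadget can hand control back. */
__attribute__((visibility("hidden"))) uintptr_t rop_saved_rsp;

/* Terminator gadget in assembly: restore the real stack pointer and `ret` into
 * run_chain (an exploit's last gadget would instead reach, e.g., a syscall). */
__asm__(".text\n"
        ".globl rop_restore\n"
        ".type rop_restore, @function\n"
        "rop_restore:\n"
        "    movq rop_saved_rsp(%rip), %rsp\n"
        "    ret\n");
extern void rop_restore(void);

/* Fake stack: SCRATCH slots below the chain give the gadgets room for their frames. */
#define SCRATCH 64
#define CHAIN_MAX 8
static uintptr_t fake_stack[SCRATCH + CHAIN_MAX] __attribute__((aligned(16)));

/* Stack pivot: push a resume address, save rsp, point rsp at the chain, `ret`.
 * Nothing injected is ever executed: control only ever lands on existing code. */
static long run_chain(uintptr_t *chain)
{
    uintptr_t *p = chain;                        /* pinned to rcx by the constraint */
    __asm__ volatile(
        "subq  $128, %%rsp\n\t"                  /* step over the red zone */
        "leaq  1f(%%rip), %%rax\n\t"
        "pushq %%rax\n\t"                        /* where rop_restore returns to */
        "movq  %%rsp, rop_saved_rsp(%%rip)\n\t"
        "movq  %%rcx, %%rsp\n\t"                 /* the pivot */
        "ret\n\t"                                /* pops the first gadget address */
        "1:\n\t"
        "addq  $128, %%rsp\n\t"
        : "+c"(p)
        :
        : "rax", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11", "memory", "cc");
    return rop_acc;
}

/* Build and run a chain computing ((2 + 5) * 3 - 1) + 5 from addresses alone. */
long run_demo_chain(void)
{
    uintptr_t *chain = fake_stack + SCRATCH;
    chain[0] = (uintptr_t)gadget_add5;
    chain[1] = (uintptr_t)gadget_mul3;
    chain[2] = (uintptr_t)gadget_sub1;
    chain[3] = (uintptr_t)gadget_add5;           /* gadgets can be reused freely */
    chain[4] = (uintptr_t)rop_restore;           /* terminator */
    rop_acc = 2;
    return run_chain(chain);                     /* 25 */
}

int main(void)
{
    printf("chain result: %ld\n", run_demo_chain());
    return 0;
}
```

The `subq $128, %rsp` before the push keeps the resume address clear of the caller's red zone, and the callee-clobbered registers are declared so the compiler does not assume they survive the chain; both are details a real exploit does not have to care about but a benign, re-entrant use of ROP does.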

The popularity of ROP mainly stems from its ability to defeat the defenses that modern operating systems employ against code injection and remote code execution, in particular non-executable memory (DEP/W^X), which blocks injected code but not the reuse of code already present in the process. Over the years, prominent ROP attacks have targeted popular software such as Adobe Flash, Adobe Reader, Internet Explorer, and Microsoft Office. ROP has also been used to bypass code signing in Apple iOS, to drop ransomware on hardened systems, and to induce misbehavior in electronic voting machines.

The contributions this project aims to provide are threefold. First, we plan to devise a ROP-based obfuscation tool that protects portions of a program against reverse engineering and cracking, thus putting ROP technology to a benign use. Second, we believe the community would benefit from a systematization of knowledge (SoK) on the ROP domain that provides a longitudinal view of ROP attacks and defenses, offers useful perspectives on open problems, and points out possibly missed opportunities. Finally, we intend to shed light on aspects of ROP practice that remain largely inaccessible to the research community because of the entanglements and the sheer amount of engineering work typically involved in creating and deploying a ROP exploit.

The project will be carried out as part of a joint effort with Royal Holloway University of London.

Research group members:
sb_cp_is_895658
Innovative aspects:

We believe the present project has the potential to bring interesting contributions to ROP theory and practice in a timely manner. ROP is a compelling topic for both researchers and security professionals: academic venues host dozens of publications and conference talks on it every year, while security experts and companies offer anti-ROP protection services and products to their customers, often releasing white papers and reports on novel exploits they have had to face.

From a theoretical perspective, our contributions would help clarify and contextualize aspects of an established, major research area, bringing value to the community. Moreover, novel research insights are likely to emerge from the design of a ROP obfuscator backend for the LLVM compiler infrastructure, which poses unprecedented challenges to programming language implementers and compiler architects.

We believe the practical relevance of a ROP-based obfuscator emerges in light of the software industry's concerns about software theft and piracy. Borrowing a technique originally intended for malicious purposes in order to protect a legitimate program (and, as we discuss later, without being subject to certain limitations of virtualization-based obfuscators) represents in our opinion a compelling research direction, and can also pave the way to interesting opportunities in terms of technology transfer.

Finally, an experimental evaluation of tools for ROP gadget manipulation and an in-depth analysis of prominent ROP exploits can make a valuable contribution to areas that have been partially overlooked, or in which there seems to be an important divergence between what has been prototyped in research papers and what is observed in the wild.

We conclude the present section by elaborating on the importance and the novelty of each of the project's main goals.

1) "Good" ROP: program obfuscation
Virtualization-based obfuscators can be applied to protect a compiled program from reverse engineering and cracking, at the price of significant slowdowns, high intrusiveness, and detectability of the obfuscation itself. Compared to them, a ROP-based obfuscator integrated in a full-blown compilation toolchain can potentially offer a higher degree of resilience and better performance, for two reasons. First, it could shape the layout of the generated code so as to create gadgets where needed and construct ROP chains in a stealthy, obfuscated manner. Second, it could exploit insights on the program state derived from static code analysis to introduce opaque predicates and other features that increase the resilience of the obfuscation against automated analyses. Virtualization-based obfuscators are denied such opportunities, as they work essentially as binary rewriters.

2) "Bad" ROP: systematization of knowledge
Systematization of knowledge (SoK) papers are perceived in top security venues as strongly needed by the community. For instance, the IEEE Symposium on Security and Privacy, the top venue in the area along with the ACM Conference on Computer and Communications Security, has hosted since 2010 a separate track for SoK papers, which are reviewed by the entire Program Committee because of their importance and the value they can bring to the community. We believe a SoK work on ROP technology would be very timely, for all the reasons given in the previous section regarding the fragmentation of knowledge we observe.

3) "Ugly" ROP: unraveling the knots
The availability of several tools for finding and chaining ROP gadgets, combined with the lack of experimental studies, makes it hard to identify a clear winner, and discordant opinions about them can be found in several research works. While all such tools implement variants of the original GALILEO algorithm [2] for finding gadgets (scanning backwards from each return instruction and keeping every byte offset whose decoding lands exactly on that return), it remains unclear which improvements each tool makes and how much they matter. Also, in our experience several exploits in the wild diverge significantly from what is conjectured in research papers, contradicting certain assumptions behind them or pointing out overlooked aspects. We thus believe it would be beneficial to the community to shed light on what attacks in the wild look like with a preliminary study of prominent ROP exploits.
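The GALILEO scan mentioned here, as an added example that is neither the proposal's code nor that of any existing gadget tool: for every `ret` byte it steps backwards and keeps each start offset whose forward decoding ends exactly on that `ret` without crossing an earlier one. To stay self-contained it uses a deliberately tiny x86-64 decoder (push/pop, a few register-to-register ALU ops, syscall, ret) and treats everything else as undecodable; a real tool would plug in a full disassembler. The byte string sample_code is constructed for the example, and the unintended gadgets it yields (e.g. `xor eax, eax` carved out of `xor rax, rax`, `pop rsi` carved out of `pop r14`) are the point.

```c
/* GALILEO-style gadget search. Added example, not the proposal's or any tool's
 * code. The decoder covers only a tiny x86-64 subset; the rest is "undecodable". */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BACK 12          /* bytes to look back from each ret (GALILEO used 20) */
#define TEXT_LEN 160

typedef struct { size_t offset; char text[TEXT_LEN]; } gadget_t;

static const char *reg64[16] = { "rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi",
                                 "r8","r9","r10","r11","r12","r13","r14","r15" };
static const char *reg32[16] = { "eax","ecx","edx","ebx","esp","ebp","esi","edi",
                                 "r8d","r9d","r10d","r11d","r12d","r13d","r14d","r15d" };

/* "op r/m, r" opcodes we decode (register-direct ModRM only). */
static const char *alu_name(uint8_t op)
{
    switch (op) {
    case 0x01: return "add";  case 0x09: return "or";   case 0x21: return "and";
    case 0x29: return "sub";  case 0x31: return "xor";  case 0x39: return "cmp";
    case 0x85: return "test"; case 0x87: return "xchg"; case 0x89: return "mov";
    default:   return NULL;
    }
}

/* Decode one instruction at code[pos] into out; return its length, 0 if unsupported. */
static size_t decode_one(const uint8_t *code, size_t len, size_t pos, char *out, size_t outsz)
{
    size_t i = pos;
    int rex_w = 0, rex_r = 0, rex_b = 0;
    if (i < len && (code[i] & 0xf0) == 0x40) {              /* REX prefix */
        rex_w = (code[i] >> 3) & 1; rex_r = (code[i] >> 2) & 1; rex_b = code[i] & 1;
        i++;
    }
    if (i >= len) return 0;
    uint8_t op = code[i++];
    if (op == 0xc3) { snprintf(out, outsz, "ret"); return i - pos; }
    if (op >= 0x50 && op <= 0x5f) {                         /* push/pop r64 */
        snprintf(out, outsz, "%s %s", op < 0x58 ? "push" : "pop", reg64[(op & 7) | (rex_b << 3)]);
        return i - pos;
    }
    if (op == 0x0f && i < len && code[i] == 0x05) { snprintf(out, outsz, "syscall"); return i + 1 - pos; }
    const char *name = alu_name(op);
    if (name && i < len) {
        uint8_t modrm = code[i++];
        if ((modrm >> 6) != 3) return 0;                    /* memory operand: unsupported */
        const char **regs = rex_w ? reg64 : reg32;
        int reg = ((modrm >> 3) & 7) | (rex_r << 3), rm = (modrm & 7) | (rex_b << 3);
        snprintf(out, outsz, "%s %s, %s", name, regs[rm], regs[reg]);
        return i - pos;
    }
    return 0;
}

/* GALILEO core: for each ret, step backwards and keep every start offset whose
 * forward decoding ends exactly on that ret without crossing an earlier ret. */
size_t galileo_scan(const uint8_t *code, size_t len, gadget_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t ret = 0; ret < len; ret++) {
        if (code[ret] != 0xc3) continue;
        for (size_t back = 1; back <= MAX_BACK && back <= ret; back++) {
            size_t start = ret - back, pos = start, used = 0;
            char text[TEXT_LEN], insn[32];
            int ok = 1;
            while (pos < ret) {
                size_t l = decode_one(code, len, pos, insn, sizeof insn);
                /* reject: undecodable, overlaps the target ret, or hits an inner ret */
                if (l == 0 || pos + l > ret || strcmp(insn, "ret") == 0) { ok = 0; break; }
                used += (size_t)snprintf(text + used, TEXT_LEN - used, "%s ; ", insn);
                if (used >= TEXT_LEN) { ok = 0; break; }
                pos += l;
            }
            if (!ok) continue;
            if (n == max_out) return n;
            snprintf(text + used, TEXT_LEN - used, "ret");
            out[n].offset = start;
            memcpy(out[n].text, text, TEXT_LEN);
            n++;
        }
    }
    return n;
}

/* Constructed sample "text section" (not from any real binary); comments give the
 * intended instruction stream, the scan also reports the unintended ones. */
static const uint8_t sample_code[] = {
    0x48, 0x31, 0xc0,       /*  0: xor rax, rax  */
    0x5f,                   /*  3: pop rdi       */
    0xc3,                   /*  4: ret           */
    0x48, 0x89, 0xc7,       /*  5: mov rdi, rax  */
    0x41, 0x5e,             /*  8: pop r14       */
    0x5d,                   /* 10: pop rbp       */
    0xc3,                   /* 11: ret           */
    0x0f, 0x05,             /* 12: syscall       */
    0xc3,                   /* 14: ret           */
};

size_t scan_sample(gadget_t *out, size_t max_out)
{
    return galileo_scan(sample_code, sizeof sample_code, out, max_out);
}

int main(void)
{
    gadget_t found[32];
    size_t n = scan_sample(found, 32);
    for (size_t k = 0; k < n; k++) printf("0x%02zx: %s\n", found[k].offset, found[k].text);
    return 0;
}
```

On sample_code the scan reports nine gadgets: three ending at the first `ret` (including `xor eax, eax ; pop rdi ; ret`, which starts one byte into the intended `xor rax, rax`), five ending at the second (including `pop rsi ; pop rbp ; ret`, carved out of `pop r14`), and `syscall ; ret`. The offsets a tool considers "valid" therefore depend entirely on what its decoder accepts, which is exactly the per-tool variation the paragraph above says is undocumented.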

Call code:
702444
Keywords: 

© Università degli Studi di Roma "La Sapienza" - Piazzale Aldo Moro 5, 00185 Roma