Visible to the public STEROIDS for DOPed Applications: A Compiler for Automated Data-Oriented Programming

TitleSTEROIDS for DOPed Applications: A Compiler for Automated Data-Oriented Programming
Publication TypeConference Paper
Year of Publication2019
AuthorsPewny, Jannik, Koppe, Philipp, Holz, Thorsten
Conference Name2019 IEEE European Symposium on Security and Privacy (EuroS P)
Date Publishedjun
Keywords64-bit applications, automated data-oriented programming, code pointers, code-reuse attacks, code-reuse chain, code-reuse techniques, compiler, composability, conventional code-injection, data structures, data-oriented programming, DOP exploits, DOPed applications, Engines, exploitation, high-level language SLANG, Human Behavior, human factors, JIT-ROP attack, Just-in-Time, just-in-time gadget search, low-level DOP data structures, Manuals, memory corruption vulnerabilities, object-oriented programming, online front-ends, Payloads, pointer chain, program compilers, program debugging, Program processors, Programming, Prototypes, pubcrawl, relocate gadget addresses, resilience, Resiliency, rop attacks, ROP chain, Scalability, scripting engine, security of data, Slang, software reusability, Steroids, STEROIDS compiles, Turing machines, Turing-complete computations, vastly different vulnerabilities, vulnerability-independent, Web browser, wide-spread adoption
AbstractThe wide-spread adoption of system defenses such as the randomization of code, stack, and heap raises the bar for code-reuse attacks. Thus, attackers utilize a scripting engine in target programs like a web browser to prepare the code-reuse chain, e.g., relocate gadget addresses or perform a just-in-time gadget search. However, many types of programs do not provide such an execution context that an attacker can use. Recent advances in data-oriented programming (DOP) explored an orthogonal way to abuse memory corruption vulnerabilities and demonstrated that an attacker can achieve Turing-complete computations without modifying code pointers in applications. As of now, constructing DOP exploits requires a lot of manual work-for every combination of application and payload anew. In this paper, we present novel techniques to automate the process of generating DOP exploits. We implemented a compiler called STEROIDS that leverages these techniques and compiles our high-level language SLANG into low-level DOP data structures driving malicious computations at run time. This enables an attacker to specify her intent in an application-and vulnerability-independent manner to maximize reusability. We demonstrate the effectiveness of our techniques and prototype implementation by specifying four programs of varying complexity in SLANG that calculate the Levenshtein distance, traverse a pointer chain to steal a private key, relocate a ROP chain, and perform a JIT-ROP attack. STEROIDS compiles each of those programs to low-level DOP data structures targeted at five different applications including GStreamer, Wireshark and ProFTPd, which have vastly different vulnerabilities and DOP instances. Ultimately, this shows that our compiler is versatile, can be used for both 32-bit and 64-bit applications, works across bug classes, and enables highly expressive attacks without conventional code-injection or code-reuse techniques in applications lacking a scripting engine.
DOI10.1109/EuroSP.2019.00018
Citation Keypewny_steroids_2019