Visible to the public MAJORCA: Multi-Architecture JOP and ROP Chain Assembler

Submitted by aekwall on Mon, 03/14/2022 - 1:34pm
TitleMAJORCA: Multi-Architecture JOP and ROP Chain Assembler
Publication TypeConference Paper
Year of Publication2021
AuthorsNurmukhametov, Alexey, Vishnyakov, Alexey, Logunova, Vlada, Kurmangaleev, Shamil
Conference Name2021 Ivannikov Ispras Open Conference (ISPRAS)
KeywordsBenchmark testing, code-reuse attack, codes, composability, Computer architecture, gadget, gadget catalog, gadget frame, Heuristic algorithms, human factors, JOP, Jump-Oriented Programming, Measurement, Operating systems, Payload, pubcrawl, Registers, Resiliency, restricted symbols, return-oriented programming, ROP, rop attacks, ROP benchmark, ROP chain, ROP compiler, Scalability
AbstractNowadays, exploits often rely on a code-reuse approach. Short pieces of code called gadgets are chained together to execute some payload. Code-reuse attacks can exploit vul-nerabilities in the presence of operating system protection that prohibits data memory execution. The ROP chain construction task is the code generation for the virtual machine defined by an exploited executable. It is crucial to understand how powerful ROP attacks can be. Such knowledge can be used to improve software security. We implement MAJORCA that generates ROP and JOP payloads in an architecture agnostic manner and thoroughly consider restricted symbols such as null bytes that terminate data copying via strcpy. The paper covers the whole code-reuse payloads construction pipeline: cataloging gadgets, chaining them in DAG, scheduling, linearizing to the ready-to-run payload. MAJORCA automatically generates both ROP and JOP payloads for x86 and MIPS. MAJORCA constructs payloads respecting restricted symbols both in gadget addresses and data. We evaluate MAJORCA performance and accuracy with rop-benchmark and compare it with open-source compilers. We show that MAJORCA outperforms open-source tools. We propose a ROP chaining metric and use it to estimate the probabilities of successful ROP chaining for different operating systems with MAJORCA as well as other ROP compilers to show that ROP chaining is still feasible. This metric can estimate the efficiency of OS defences.
DOI10.1109/ISPRAS53967.2021.00011
Citation Keynurmukhametov_majorca_2021
Groups: