Analyzing and Quantifying the Impact of Software Diversification on Return-Oriented Programming (ROP) Based Exploits
With the implementation of modern software mitigation techniques such as Address Space Layout Randomization (ASLR), stack canaries, and the No-Execute bit (NX), attackers can no longer achieve arbitrary code execution simply by injecting shellcode into a vulnerable buffer and redirecting execution to that buffer. Instead, attackers have pivoted to Return-Oriented Programming (ROP) to achieve the same arbitrary code execution. Using this attack method, attackers string together ROP gadgets, short assembly code snippets already present in the target binary, to form what are known as ROP chains. With these ROP chains, attackers can achieve the same malicious behavior as earlier code injection attacks on vulnerable buffers. Furthermore, because these ROP gadgets sit at static locations, attackers can re-use their exploit code across all systems running the same binary. This phenomenon is called a write-once, compromise-everywhere scenario. Software diversification has been presented as a possible mitigation strategy over the past seventeen years. Software diversification is a technique that modifies the instructions in a binary while maintaining its semantic behavior. This means that, given the same input, the original and diversified binaries produce the same output; however, the diversified binary is syntactically different at the assembly level. Previous work in this area has shown general success in reducing the number of shared gadgets. However, there has been a lack of research analyzing how diversification affects an attacker's ability to re-use a previously crafted exploit. Furthermore, current research has not presented approaches that measure the impact and effectiveness of diversification algorithms on binaries. Finally, because software diversification modifies the assembly code of binaries, different binaries are affected in vastly different ways.
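The two ideas in the paragraph above, gadgets shared across every copy of a binary and diversification reducing that sharing, can be made concrete with a small measurement. The following added example (my own illustration, not the dissertation's tooling) builds a constructed text section from hand-written x86-64 instruction encodings, runs a byte-level gadget search over it, applies a toy NOP-insertion diversifier at instruction boundaries, and then counts gadgets that survive at the same offset versus gadgets whose bytes merely survive somewhere. It also checks whether a chain with hard-coded offsets still resolves against the variant, which is the exploit re-use question. The `MAX_PREFIX` bound, the instruction list and the `every=2` insertion schedule are all constructed assumptions.

```python
"""Added example: how many ROP gadgets survive a diversifying transform,
and whether a chain built against the original still resolves on the
variant. All inputs are constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable

RET = 0xC3          # x86 `ret` opcode
NOP = 0x90          # x86 single-byte `nop`
MAX_PREFIX = 3      # bytes before a `ret` considered part of a gadget (constructed bound)


@dataclass(frozen=True)
class Gadget:
    offset: int     # position of the gadget's first byte in the text section
    code: bytes     # raw bytes up to and including the terminating `ret`


def find_gadgets(text: bytes, max_prefix: int = MAX_PREFIX) -> set[Gadget]:
    """Byte-level gadget search: every byte suffix of length <= max_prefix
    that ends in a `ret` is a candidate gadget. This mirrors classic
    gadget finders that also accept unintended instruction sequences,
    without needing a disassembler."""
    found: set[Gadget] = set()
    for end, byte in enumerate(text):
        if byte != RET:
            continue
        for start in range(max(0, end - max_prefix), end + 1):
            found.add(Gadget(start, text[start:end + 1]))
    return found


def nop_insertion(insns: Iterable[bytes], every: int = 2) -> bytes:
    """Toy diversifier: emit a `nop` after every `every`-th instruction.
    Program semantics are unchanged, but every byte after the first
    inserted `nop` moves to a different offset."""
    out = bytearray()
    for idx, insn in enumerate(insns):
        out += insn
        if idx % every == every - 1:
            out.append(NOP)
    return bytes(out)


def survival(original: set[Gadget], variant: set[Gadget]) -> dict[str, int]:
    """Two notions of 'shared gadget':
    - same_address: identical bytes at the identical offset, which is what a
      re-used exploit with hard-coded gadget addresses relies on;
    - any_address: identical bytes somewhere in the variant, usable only
      after the new offset is re-discovered (e.g. via a fresh analysis)."""
    variant_codes = {g.code for g in variant}
    return {
        "total": len(original),
        "same_address": len(original & variant),
        "any_address": sum(1 for g in original if g.code in variant_codes),
    }


def chain_reuses(chain: list[Gadget], text: bytes) -> bool:
    """True if every gadget in `chain` still resolves to the same bytes at
    the same offset in `text`, i.e. the chain would work unmodified."""
    return all(text[g.offset:g.offset + len(g.code)] == g.code for g in chain)


# Constructed text section: a handful of pop/mov/ret instructions.
ORIGINAL_INSNS = [
    b"\x58",            # pop rax
    b"\xc3",            # ret
    b"\x5f",            # pop rdi
    b"\xc3",            # ret
    b"\x48\x89\xc7",    # mov rdi, rax
    b"\xc3",            # ret
    b"\x5e",            # pop rsi
    b"\xc3",            # ret
]
ORIGINAL = b"".join(ORIGINAL_INSNS)
VARIANT = nop_insertion(ORIGINAL_INSNS)

# A chain built against ORIGINAL with hard-coded offsets:
# `pop rax; ret` at offset 0, then `pop rdi; ret` at offset 2.
CHAIN = [Gadget(0, b"\x58\xc3"), Gadget(2, b"\x5f\xc3")]


if __name__ == "__main__":
    stats = survival(find_gadgets(ORIGINAL), find_gadgets(VARIANT))
    print(f"gadgets in original:        {stats['total']}")
    print(f"survive at same address:    {stats['same_address']}")
    print(f"survive at some address:    {stats['any_address']}")
    print(f"chain re-usable on original: {chain_reuses(CHAIN, ORIGINAL)}")
    print(f"chain re-usable on variant:  {chain_reuses(CHAIN, VARIANT)}")
```

The gap between `same_address` and `any_address` is the point: NOP insertion leaves most gadget byte sequences intact (the variant is semantically the same program, so `pop rdi; ret` still exists), yet almost none of them remain at the offsets an existing exploit encodes, so the chain fails on the variant. A quantification method along the lines the dissertation proposes would report both numbers, since the first measures resistance to exploit re-use and the second measures how much gadget material remains for an attacker who re-analyzes the variant.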
In addition to choosing among the different diversification algorithms, defenders can find it challenging to determine which configurations best suit their needs. This uncertainty may lead to unwanted trade-offs; for example, one diversification algorithm might make it harder for modern tools such as fuzzers to find crashes or vulnerabilities, but that benefit might come at the cost of increasing the total number of gadgets in the binary or increasing the program's run time. Likewise, an algorithm that offers protection by minimizing the number of ROP gadgets might allow modern tools or attackers to locate the vulnerability faster than if another algorithm were applied. To address the lack of research in this area, the work presented in this dissertation analyzes software diversification's impact on exploit re-use attacks, identifies the primary criteria for quantifying the efficacy of diversification algorithms, and proposes a method to quantify their effectiveness. Finally, this work develops and presents a system that, using the quantification methods developed, identifies the appropriate algorithm(s) or combination of algorithms based on the end user's needs. This system allows the end user to quickly and easily identify the appropriate algorithm based on their security preferences or requirements, while giving the end user an understanding of the trade-offs between algorithms. With this understanding, the end user can create multiple diversified variants of the target binary that meet their security needs.
Reyes, David, "Analyzing and Quantifying the Impact of Software Diversification on Return-Oriented Programming (ROP) Based Exploits" (2022). ETD Collection for University of Texas, El Paso. AAI29999792.