MAJORCA: Multi-Architecture JOP and ROP Chain Assembler

  title={MAJORCA: Multi-Architecture JOP and ROP Chain Assembler},
  author={Alexey R. Nurmukhametov and Alexey V. Vishnyakov and V. I. Logunova and Shamil F. Kurmangaleev},
  journal={2021 Ivannikov Ispras Open Conference (ISPRAS)},
Nowadays, exploits often rely on a code-reuse approach. Short pieces of code called gadgets are chained together to execute some payload. Code-reuse attacks can exploit vul-nerabilities in the presence of operating system protection that prohibits data memory execution. The ROP chain construction task is the code generation for the virtual machine defined by an exploited executable. It is crucial to understand how powerful ROP attacks can be. Such knowledge can be used to improve software… 

Figures and Tables from this paper



A Method for Analyzing Code-Reuse Attacks

A method for analyzing code-reuse attacks that allows one to split the chain into gadgets, restore the semantics of each particular gadget, and restore the prototypes and parameter values of the system calls and functions invoked during the execution of the ROP chain is proposed.

Pure-Call Oriented Programming (PCOP): chaining the gadgets using call instructions

This work is the first that shows real code-reuse attacks solely based on call gadgets, and shows that the proposed PCOP is Turing-complete, meaning that any functionality can be driven by PCOP.

Analyzing the Gadgets - Towards a Metric to Measure Gadget Quality

This work proposes four metrics that assign scores to a set of gadgets, measuring quality, usefulness, and practicality, and applies them to binaries produced when compiling programs for architectures implementing Intel's recent MPX CPU extensions, demonstrating a 17% increase in useful gadgets in MPX binaries, and a decrease in side-effects and preconditions.

PSHAPE: Automatically Combining Gadgets for Arbitrary Method Execution

The notion of gadget summaries, a compact representation of the effects a gadget or a chain of gadgets has on memory and registers, is introduced, which enables analysts to quickly determine the usefulness of long, complex gadgets that use a lot of aliasing or involve memory accesses.

Unleashing Mayhem on Binary Code

This paper proposes two novel techniques: 1) hybrid symbolic execution for combining online and offline (concolic) execution to maximize the benefits of both techniques, and 2) index-based memory modeling, a technique that allows Mayhem to efficiently reason about symbolic memory at the binary level.

Jump-oriented programming: a new class of code-reuse attack

This paper introduces a new class of code-reuse attack, called jump-oriented programming, which eliminates the reliance on the stack and ret instructions (including ret-like instructions such as pop+jmp) seen in return- oriented programming without sacrificing expressive power.

Fine-Grained Address Space Layout Randomization on Program Load

The proposed fine-grained address space layout randomization on program load that is able to protect from ROP attacks is applicable across the entire operating system and has no compatibility problems affecting the program performance.

Automatic construction of jump-oriented programming shellcode (on the x86)

This paper proposes an improved ROP techniques to construct the ROP shellcode without returns and implements a tool to automatically construct the real-world Return-Oriented Programming without returns shellcode, which can bypass most of the existing ROP defenses.

Survey of Methods for Automated Code-Reuse Exploit Generation

This paper provides a survey of methods and tools for automated code-reuse exploit generation, and compares existing open-source tools and proposes a testing system rop-benchmark that can be used to verify whether a generated chain successfully opens a shell.

Microgadgets: Size Does Matter in Turing-Complete Return-Oriented Programming

This work proposes a ROP attack technique, based on a handpicked but flexible and Turing-complete set of gadgets, and describes an efficient scanner which locates these gadgets in a given program.