Survey of Methods for Automated Code-Reuse Exploit Generation

  title={Survey of Methods for Automated Code-Reuse Exploit Generation},
  author={Alexey V. Vishnyakov and Alexey R. Nurmukhametov},
  journal={Program. Comput. Softw.},
This paper provides a survey of methods and tools for automated code-reuse exploit generation. Such exploits use code that is already contained in a vulnerable program. The code-reuse approach allows one to exploit vulnerabilities in the presence of operating system protection that prohibits data memory execution. This paper contains a description of various code-reuse methods: return-to-libc attack, return-oriented programming, jump-oriented programming, and others. We define fundamental terms… 


Jump-oriented programming: a new class of code-reuse attack
This paper introduces a new class of code-reuse attack, called jump-oriented programming, which eliminates the reliance on the stack and ret instructions (including ret-like instructions such as pop+jmp) seen in return- oriented programming without sacrificing expressive power.
STEROIDS for DOPed Applications: A Compiler for Automated Data-Oriented Programming
Novel techniques to automate the process of generating DOP exploits are presented and a compiler called STEROIDS is implemented that leverages these techniques and compiles the authors' high-level language SLANG into low-level DOP data structures driving malicious computations at run time, enabling highly expressive attacks without conventional code-injection or code-reuse techniques in applications lacking a scripting engine.
Q: Exploit Hardening Made Easy
Q, an end-to-end system that automatically generates ROP payloads for a given binary, is built and shown that Q can automatically perform exploit hardening, enabling an attacker to automatically bypass defenses as deployed by industry for those programs.
PSHAPE: Automatically Combining Gadgets for Arbitrary Method Execution
The notion of gadget summaries, a compact representation of the effects a gadget or a chain of gadgets has on memory and registers, is introduced, which enables analysts to quickly determine the usefulness of long, complex gadgets that use a lot of aliasing or involve memory accesses.
A Method for Analyzing Code-Reuse Attacks
A method for analyzing code-reuse attacks that allows one to split the chain into gadgets, restore the semantics of each particular gadget, and restore the prototypes and parameter values of the system calls and functions invoked during the execution of the ROP chain is proposed.
Return-Oriented Programming: Systems, Languages, and Applications
This work presents a high-level, general-purpose language for describing return-oriented exploits and a compiler that translates it to gadgets, and constructs a Turing-complete set of building blocks called gadgets using the standard C libraries of two very different architectures.
Loop-Oriented Programming: A New Code Reuse Attack to Bypass Modern Defenses
This paper proposes a new code reuse attack, named loop-oriented programming (LOP), aiming to bypass both coarse-grained CFI and shadow stack, and constructs a proof-of-concept exploit against Internet Explorer 8 on 32-bit x86 platform.
Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications
It is demonstrated that many of these defenses that do not consider object-oriented C++ semantics precisely can be generically bypassed in practice, and that even recently proposed defenses that specifically target C++ are vulnerable to COOP.
Automatic construction of printable return-oriented programming payload
Experimental results show that the novel method presented can construct the printable ROP payload that has the same functionality as the real-world malicious shellcode, in addition, the construction process is totally automatic.
Analyzing the Gadgets - Towards a Metric to Measure Gadget Quality
This work proposes four metrics that assign scores to a set of gadgets, measuring quality, usefulness, and practicality, and applies them to binaries produced when compiling programs for architectures implementing Intel's recent MPX CPU extensions, demonstrating a 17% increase in useful gadgets in MPX binaries, and a decrease in side-effects and preconditions.