Evaluating the Effectiveness of Current Anti-ROP Defenses

Felix Schuster, Thomas Tendyck, Jannik Pewny, Andreas Maaß, Martin Steegmanns, Moritz Contag, Thorsten Holz

Re­se­arch in At­tacks, In­tru­si­ons and De­fen­ses (RAID) Sym­po­si­um, Gothenburg, Sweden, September 2014


Recently, many defenses against the offensive technique of return-oriented programming (ROP) have been developed. Prominently among them are kBouncer, ROPecker, and ROPGuard which all target legacy binary software while requiring no or only minimal binary code rewriting.

In this paper, we evaluate the effectiveness of these Anti-ROP defenses. Our basic insight is that all three only analyze a limited number of recent (and upcoming) branches in an application's control flow on certain events. As a consequence, an adversary can perform dummy operations to bypass all employed heuristics. We show that it is possible to generically bypass kBouncer, ROPecker, and ROPGuard with little extra effort in practice. In the cases of kBouncer and ROPGuard on Windows, we show that all required code sequences can already be found in the executable module of a minimal 32-bit C/C++ application with an empty main() function. To demonstrate the viability of our attack approaches, we implemented several proof-of-concept exploits for recent vulnerabilities in popular applications; e.g., Internet Explorer 10 on Windows 8.


tags: Exploit Mitigation, Memory Corruptions, ROP