Loop-Oriented Programming: A New Code Reuse Attack to Bypass Modern Defenses


Bibliographic Details
Published in: 2015 IEEE Trustcom/BigDataSE/ISPA, Vol. 1, pp. 190-197
Main Authors: Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng
Format: Conference Proceeding
Language: English
Published: IEEE, 01.08.2015
DOI: 10.1109/Trustcom.2015.374

Summary: Code reuse attacks have become one of the most popular exploitation techniques, and coarse-grained control flow integrity (CFI) is a practical approach used to prevent such attacks. Recently, some new approaches have been proposed to construct call-preceded-ROP attacks that bypass coarse-grained CFI; however, we find that they still fail to bypass the shadow stack, which enforces caller-callee semantics to strengthen CFI and constrains the control flow in a much stricter way. Therefore, in this paper, we propose a new code reuse attack, named loop-oriented programming (LOP), that aims to bypass both coarse-grained CFI and the shadow stack. Quite different from previous code reuse attacks, LOP collects entire functions as basic building blocks (i.e., gadgets) and chains these gadgets so that the control flow strictly follows call-ret pairing. Specifically, LOP selects a particular function containing a loop statement, called the loop gadget, to chain all the available gadgets. To demonstrate the effectiveness of LOP, we construct a proof-of-concept exploit against Internet Explorer 8 on the 32-bit x86 platform.