Paper notes: Block oriented programming: automating data-only attacks
Title: Block oriented programming: automating data-only attacks
PDF: aec7ba2a6395ec82632e323f0aef2295.pdf
Proposes a system for automating the process of constructing exploitation payloads that can bypass control-flow integrity and related mitigations. The target binary is lifted to an (unspecified) intermediate representation and its CFG is recovered. Each basic block is “summarized” using symbolic execution into a set of constraints with changes to memory and registers. These summarized data for each basic block also include any calls or jumps.
The desired payload is specified in a pseudo-C language (SPloit Language - SPL ;) which is translated into an again unspecified (another? the same as the target binary?) intermediate representation. At the next step, non-surprisingly, the summarized basic blocks are matched to SPL IR statements. A matched basic block must satisfy changes to registers and/or calls specified by the corresponding SPL IR statement. The target binary is scanned for “dispatcher” blocks that enable the connection of the basic blocks identified in the previous step. Dispatchers are found using concolic execution. Concretization of symbolic addresses is used to initialize memory before the execution of a previously matched basic block, guiding execution through the shortest path to the next matched basic block. The identified paths must satisfy the constraints of the basic blocks they traverse.
Finally, the execution trace of the identified paths is encoded as a series of writes for the target binary (the exploit payload). A bug giving an arbitrary write primitive is assumed of course.
Update (2018/11/02): The authors have released the accompanying code, and, not surprisingly, it is based on angr.