
An Advanced ROP Technique: English ROP

Posted on: 2013-05-12 | Degree: Master | Type: Thesis
Country: China | Candidate: J J Qin | Full Text: PDF
GTID: 2248330371488062 | Subject: Computer technology
Abstract/Summary:
Code-injection attacks are perhaps the most common attacks on modern computer systems. The introduction of W⊕X largely mitigated the threat of code injection. However, a new kind of code-reuse technique, return-oriented programming (ROP), was then introduced, and it has been shown that ROP can circumvent the W⊕X mechanism and perform arbitrary computation. Since then, many approaches have been proposed to defend against or detect return-oriented attacks. Recently, some new defenses were proposed, e.g., deRop, which converts a ROP exploit into shellcode, and ROPScan, which scans the payload. These methods focus mainly on the ROP payload: using dynamic and static techniques, they check whether the payload contains consecutive gadget addresses and take their presence as evidence of a ROP attack. In order to bypass these defenses, this paper presents an advanced ROP technique, English ROP. English ROP not only retains the capability of ROP but also has the same representation and structure as normal English text; that is, without considering semantic information, English ROP is difficult to distinguish from normal English text. Unlike traditional ROP, English ROP is composed of printable gadgets and printable data. We first prove that English ROP is Turing-complete, and then propose an algorithm for constructing English ROP automatically. In addition, based on English ROP, we construct two specific ROP obfuscation tools. One is a self-contained English ROP decoder that decodes an encoded ROP payload; using this decoder, we can construct any polymorphic ROP to circumvent payload-based defenses. The other is an English ROP Packer, which is used to obtain unprintable addresses. Our English ROP can include gadgets ending in ret as well as gadgets ending in call or jmp.
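As an added illustration (not code from the thesis or its tools), the following is a simplified model of the payload heuristic the abstract refers to, a scan for runs of consecutive gadget addresses, together with a printability check showing where such a syntactic scanner has no signal and semantic analysis would be needed. The text range and both sample payloads are constructed placeholders.

```python
import string
import struct

# Constructed placeholder for a target module's executable text range
# (not a value from the thesis); payload words are 32-bit little-endian.
TEXT_START, TEXT_END = 0x08048000, 0x0804C000
WORD = 4

# Constructed samples. CHAIN mimics a classic payload layout: three
# consecutive code-range words (gadget pointers) followed by data.
# ENGLISH is ordinary printable text, i.e. the surface form an English
# ROP payload shares; it contains no real gadgets.
CHAIN = struct.pack("<3I", 0x08048ABC, 0x08049123, 0x0804A456) + b"/bin/sh\0"
ENGLISH = b"The quick brown fox jumps over the lazy dog again and again."
PRINTABLE = frozenset(string.printable.encode())


def longest_address_run(payload: bytes) -> int:
    """Longest run of consecutive words that fall inside the text range.
    A traditional ROP chain shows up as a string of gadget addresses."""
    longest = run = 0
    for off in range(0, len(payload) - WORD + 1, WORD):
        (w,) = struct.unpack_from("<I", payload, off)
        run = run + 1 if TEXT_START <= w < TEXT_END else 0
        longest = max(longest, run)
    return longest


def is_printable(payload: bytes) -> bool:
    """True when every byte is printable ASCII, so the payload has the
    same representation as normal text."""
    return all(b in PRINTABLE for b in payload)


def classify(payload: bytes, min_run: int = 3) -> str:
    """'rop-chain' when the address-run heuristic fires; 'text-like' when
    the bytes are all printable, which is exactly the case the address
    heuristic cannot separate from text; 'opaque' otherwise."""
    if longest_address_run(payload) >= min_run:
        return "rop-chain"
    if is_printable(payload):
        return "text-like"
    return "opaque"
```

A printable payload is classified `text-like` here even when it carries encoded gadget data, which is why the abstract argues that defenses keyed on address runs alone are insufficient.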
Keywords/Search Tags: code-injection attack, return-oriented programming, ROP payload, English ROP, English ROP decoder, English ROP Packer