TY - GEN
T1 - TGRop
T2 - 29th European Symposium on Research in Computer Security, ESORICS 2024
AU - Zhong, Nanyu
AU - Chen, Yueqi
AU - Zou, Yanyan
AU - Xing, Xinyu
AU - Dong, Jinwei
AU - Xian, Bingcheng
AU - Zhao, Jiaxu
AU - Li, Menghao
AU - Liu, Binghong
AU - Huo, Wei
N1 - Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.
PY - 2024
Y1 - 2024
N2 - Given the prevalence of Return-Oriented Programming (ROP) in exploitation, automating ROP has become a cornerstone of security research and education. Many security measures are evaluated against, and thus restricted by, the practical capability of ROP. However, state-of-the-art ROP automation approaches have fundamental limitations in their gadget utilization and fall short of delivering on their promise. To overcome these fundamental limitations, we design and implement TGRop, which advances ROP automation to a new level. TGRop can leverage gadgets that operate on memory and perform complex arithmetic calculations. By breaking down the entire computation into sub-goals, TGRop effectively reduces the search space and thus maximizes the utility of the SAT/SMT solver. More importantly, TGRop employs a systematic approach to resolving data dependencies and eliminating side effects. Our thorough measurement shows that TGRop outperforms all existing approaches by more than 1.62–3.11 times. Additionally, we validate the rationale behind its design via analytical experiments. When running TGRop against the newest ROP mitigations, we discovered their weaknesses and reported them to vendors.
AB - Given the prevalence of Return-Oriented Programming (ROP) in exploitation, automating ROP has become a cornerstone of security research and education. Many security measures are evaluated against, and thus restricted by, the practical capability of ROP. However, state-of-the-art ROP automation approaches have fundamental limitations in their gadget utilization and fall short of delivering on their promise. To overcome these fundamental limitations, we design and implement TGRop, which advances ROP automation to a new level. TGRop can leverage gadgets that operate on memory and perform complex arithmetic calculations. By breaking down the entire computation into sub-goals, TGRop effectively reduces the search space and thus maximizes the utility of the SAT/SMT solver. More importantly, TGRop employs a systematic approach to resolving data dependencies and eliminating side effects. Our thorough measurement shows that TGRop outperforms all existing approaches by more than 1.62–3.11 times. Additionally, we validate the rationale behind its design via analytical experiments. When running TGRop against the newest ROP mitigations, we discovered their weaknesses and reported them to vendors.
UR - http://www.scopus.com/inward/record.url?scp=85204531244&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85204531244&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-70896-1_7
DO - 10.1007/978-3-031-70896-1_7
M3 - Conference contribution
AN - SCOPUS:85204531244
SN - 9783031708954
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 130
EP - 152
BT - Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings
A2 - Garcia-Alfaro, Joaquin
A2 - Kozik, Rafał
A2 - Choraś, Michał
A2 - Katsikas, Sokratis
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 16 September 2024 through 20 September 2024
ER -