Visible to the public Function-Oriented Programming: A New Class of Code Reuse Attack in C Applications

TitleFunction-Oriented Programming: A New Class of Code Reuse Attack in C Applications
Publication TypeConference Paper
Year of Publication2018
AuthorsGuo, Y., Chen, L., Shi, G.
Conference Name2018 IEEE Conference on Communications and Network Security (CNS)
Keywordsaddress space layout randomization, ASLR, C Applications, C languages, C program, CFI, coarse-grained CFI, coarse-grained control-flow integrity, code injection attacks, code reuse attack, code reuse attacks, composability, Conferences, Control-hijacking attacks, COOP, Counterfeit Object-oriented Programming, data-execution prevention, DEP, existing function, fine-grained CFI technologies, FOP, FOP attack, FOP gadgets, function-oriented programming, Human Behavior, JOP, Jump-Oriented Programming, Layout, Linux, Linux x64 environment, malicious program behavior, object-oriented programming, privacy, proftpd1.3.0 server, pubcrawl, Resiliency, return oriented programming, return-oriented programming, ROP, Scalability, security, security of data, Servers, shadow stack technology, Tools
AbstractControl-hijacking attacks include code injection attacks and code reuse attacks. In recent years, with the emergence of the defense mechanism data-execution prevention(DEP), code reuse attacks have become mainstream, such as return-oriented programming(ROP), Jump-Oriented Programming(JOP), and Counterfeit Object-oriented Programming(COOP). And a series of defensive measures have been proposed, such as DEP, address space layout randomization (ASLR), coarse-grained Control-Flow Integrity(CFI) and fine-grained CFI. In this paper, we propose a new attack called function-oriented programming(FOP) to construct malicious program behavior. FOP takes advantage of the existing function of the C program to induce attack. We propose concrete algorithms for FOP gadgets and build a tool to identify FOP gadgets. FOP can successfully bypass coarse-grained CFI, and FOP also can bypass some existing fine-grained CFI technologies, such as shadow stack technology. We show a real-world attack for proftpd1.3.0 server in the Linux x64 environment. We believe that the FOP attack will encourage people to come up with more effective defense measures.
DOI10.1109/CNS.2018.8433189
Citation Keyguo_function-oriented_2018