Trading Off a Vulnerability: Does Software Obfuscation Increase the Risk of ROP Attacks

Authors

  • Harshvardhan P. Joshi Department of Computer Science, North Carolina State University Raleigh, NC 27695-8206, USA
  • Aravindhan Dhanasekaran Department of Computer Science, North Carolina State University Raleigh, NC 27695-8206, USA
  • Rudra Dutta Department of Computer Science, North Carolina State University Raleigh, NC 27695-8206, USA

DOI:

https://doi.org/10.13052/2245-1439.444

Keywords:

Mobile

Abstract

Software obfuscation is a commonly used technique to protect software, especially against reverse-engineering attacks. It is a form of security through obscurity and is commonly used for intellectual property and Digital Rights Management protection. However, this increase in security may come at the expense of increased vulnerability in another direction, hitherto unsuspected. In this paper, we propose and investigate the hypothesis that some of the most popular obfuscation techniques, including changing the control flow graph and substituting simpler instruction sequences with complex instructions, may make the obfuscated binary more vulnerable to Return-Oriented Programming (ROP) based attacks. ROP is a comparatively recent technique used to exploit buffer-overflow vulnerabilities. We analyze the ROP gadgets present in both obfuscated and un-obfuscated versions of well-known binaries. We show that the number of ROP gadgets in a binary increases significantly after certain obfuscations, which can potentially make ROP-based exploits easier.
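The measurement the abstract describes, counting the unique ROP gadgets in an obfuscated binary against its un-obfuscated counterpart, can be illustrated with a small scanner. The following is an added example and not code from the paper or its authors: it implements only the first pass of a gadget finder such as ROPgadget (enumerate every byte suffix, up to a fixed depth, that ends at a `ret` opcode) and skips the disassembly step that a real tool uses to discard suffixes that do not decode to valid instructions. The two byte blobs are constructed by hand: a trivial `return 1;` function, and the same function after a hypothetical instruction-substitution pass that rewrites `mov eax, 1` as `mov eax, 0xC3; sub eax, 0xC2`, whose immediate operand happens to contain the `ret` opcode byte.

```python
# Added example (not the paper's code): count unique ROP gadget candidates in
# two constructed x86 byte blobs. A "candidate" is any byte suffix of at most
# MAX_DEPTH bytes that ends at a 0xC3 (ret) byte. Real tools such as ROPgadget
# additionally disassemble each candidate and keep only valid instruction runs.

RET = 0xC3          # x86 near-return opcode
MAX_DEPTH = 5       # longest gadget body (bytes before the ret) we enumerate


def gadget_candidates(code: bytes, base: int = 0,
                      max_depth: int = MAX_DEPTH) -> dict:
    """Map each distinct ret-terminated byte suffix to the lowest address it starts at.

    Every 0xC3 byte is treated as a potential gadget end, whether it is an
    intended `ret` or a byte buried inside an immediate operand (an
    "unintended" gadget). Duplicate suffixes are collapsed, so len() of the
    result is the number of unique candidates, the metric the paper compares.
    """
    found = {}
    for i, b in enumerate(code):
        if b != RET:
            continue
        for depth in range(max_depth + 1):
            start = i - depth
            if start < 0:
                break
            gadget = code[start:i + 1]
            found.setdefault(gadget, base + start)
    return found


def compare_gadget_counts(plain: bytes, obfuscated: bytes) -> dict:
    """Unique candidate counts for both builds and the relative growth."""
    p = len(gadget_candidates(plain))
    o = len(gadget_candidates(obfuscated))
    return {"plain": p, "obfuscated": o, "growth": (o - p) / p if p else None}


# Constructed sample: a tiny `return 1;` function as a compiler might emit it.
PLAIN = bytes([
    0x55,                          # push ebp
    0x89, 0xE5,                    # mov  ebp, esp
    0xB8, 0x01, 0x00, 0x00, 0x00,  # mov  eax, 1
    0x5D,                          # pop  ebp
    0xC3,                          # ret
])

# Constructed sample: the same function after a hypothetical instruction
# substitution that rewrites `mov eax, 1` as `mov eax, 0xC3; sub eax, 0xC2`.
# The immediate 0xC3 is itself a ret opcode, so the scanner now sees two
# gadget end points (offsets 4 and 14) instead of one.
OBFUSCATED = bytes([
    0x55,                          # push ebp
    0x89, 0xE5,                    # mov  ebp, esp
    0xB8, 0xC3, 0x00, 0x00, 0x00,  # mov  eax, 0xC3   (unintended ret byte at offset 4)
    0x2D, 0xC2, 0x00, 0x00, 0x00,  # sub  eax, 0xC2   -> eax == 1
    0x5D,                          # pop  ebp
    0xC3,                          # ret
])


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("obfuscated", OBFUSCATED)):
        for gadget, addr in sorted(gadget_candidates(blob).items(),
                                   key=lambda kv: kv[1]):
            print(f"{name:10s} 0x{addr:04x}: {gadget.hex(' ')}")
    print(compare_gadget_counts(PLAIN, OBFUSCATED))
```

Run against the two constructed blobs, the plain build yields 6 unique candidates and the substituted build 10; the extra four all terminate at the `0xC3` byte hidden in the immediate, which is exactly the kind of side effect the paper's hypothesis is about. On real binaries the same comparison is done with a disassembling tool, and the growth figure is what matters, not the absolute counts of this toy.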

Author Biographies

Harshvardhan P. Joshi, Department of Computer Science, North Carolina State University Raleigh, NC 27695-8206, USA

H. P. Joshi received his B.E. and M.B.A. degrees from Gujarat University, Ahmedabad, India, in 2000 and 2002, respectively. He also received a Master of Science degree from North Carolina State University, USA, in 2006. After working in industry for several years, he is currently pursuing a Ph.D. degree in Computer Science at North Carolina State University. His primary research interests are networking and security.

Aravindhan Dhanasekaran, Department of Computer Science, North Carolina State University Raleigh, NC 27695-8206, USA

A. Dhanasekaran received his B.Tech. in Information Technology from Anna University, India in 2009. He worked in industry before earning a Master of Science in Computer Science from North Carolina State University, USA in 2015. He currently works as a software engineer at Cisco Systems, Inc.

Rudra Dutta, Department of Computer Science, North Carolina State University Raleigh, NC 27695-8206, USA

R. Dutta was born in Kolkata, India, in 1968. After completing elementary schooling in Kolkata, he received a B.E. in Electrical Engineering from Jadavpur University, Kolkata, India, in 1991, an M.E. in Systems Science and Automation from the Indian Institute of Science, Bangalore, India, in 1993, and a Ph.D. in Computer Science from North Carolina State University, Raleigh, USA, in 2001. From 1993 to 1997 he worked for IBM as a software developer and programmer on various networking-related projects. He was employed from 2001 to 2007 as Assistant Professor and from 2007 to 2013 as Associate Professor, and has been Professor since 2013, in the Department of Computer Science at North Carolina State University, Raleigh. During the summer of 2005, he was a visiting researcher at the IBM WebSphere Technology Institute in RTP, NC, USA. His current research interests focus on the design and performance optimization of large networking systems, Internet architecture, wireless networks, and network analytics.

Published

2016-01-22

How to Cite

P. Joshi H, Dhanasekaran A, Dutta R. Trading Off a Vulnerability: Does Software Obfuscation Increase the Risk of ROP Attacks. JCSANDM [Internet]. 2016 Jan. 22 [cited 2024 Apr. 19];4(4):305-24. Available from: https://journals.riverpublishers.com/index.php/JCSANDM/article/view/5173

Section

Articles