Evaluating the generality and limits of blind return-oriented programming attacks

Abstract

We consider a recently proposed information disclosure vulnerability called blind return-oriented programming (BROP). Under certain conditions, this attack allows a return-oriented programming attack against previously unknown binaries. We precisely enumerate the assumptions for a successful BROP attack to take place. We analyze prerequisite knowledge to perform a BROP attack, including the need to exploit a stack-based buffer overflow. In particular, we examine the types of buffer-handling functions and canaries that may render these functions useless for exploitation purposes. We survey network service binaries, to examine how often different BROP requirements are satisfied in real software, including the presence of certain gadgets and the behavior on crashes. We find if an optimized attack fails, a first principles BROP attack is unlikely to succeed. Our survey shows that certain required gadgets are rare, limiting a first principles attack.We show the presence of required gadgets fluctuates with binary version number and build conditions. The majority of the services we survey do not appear vulnerable to BROP due to missing gadgets or re-randomization on crash. We suggest some ameliorations that may further limit the applicability of this attack.