
Return-oriented programming

Return-oriented programming is a computer security exploit technique that lets an attacker execute code of their choosing even when the following defenses are in place: non-executable memory segments (pages of data that the CPU refuses to execute) and code signing (only approved code is allowed to run). Both defenses stop the attacker from injecting new code; neither stops the attacker from reusing code that is already present and executable in the process.

The term return-oriented programming is used for a subset of the techniques referred to as code-reuse techniques.

Return-into-library technique: this is the basic technique on which all return-oriented exploits are built. It works as follows. Once the attacker has hijacked the control flow (typically by overwriting a saved return address on the stack), a library function chosen by the attacker is executed. The attacker makes sure the stack pointer points into a memory region under their control, and lays out data in that region so that it supplies the right arguments to the chosen library function. In this way the attacker can call a function with whatever arguments they need. The return-into-library technique was proposed by Solar Designer in 1997 on the BugTraq mailing list; that mail presents the basis of return-into-library exploitation. Further refinements are covered in a Phrack article by Nergal.

Borrowed code chunks technique: with the introduction of hardware support for non-executable memory segments, combined with the rise of 64-bit CPUs, the situation changed again, because the traditional return-into-library exploit could no longer be used: the new ABI requires that the first arguments to a function be passed in registers rather than on the stack. Stealth developed a new approach that uses chunks of library functions instead of calls to the functions themselves to exploit machines that support this new defense. The approach is built around the idea of finding instruction sequences that pop values from the stack into registers before a function call. Using it, an attacker can carry out return-into-library exploits under the new ABI (see DEPLib).
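The two stack layouts described above, the return-into-library layout for a stack-argument ABI and the borrowed-code-chunks layout for a register ABI, are easiest to compare side by side. The following C program is an added example, not code from the original page or from any of the authors it cites. It models a machine that has just executed a `ret` into attacker-written stack memory and interprets the chain word by word; the code "addresses" (`G_POP_ARG0_RET`, `F_STACK_ARGS`, `A_STOP`, and so on) are assumed tags standing in for real library addresses, so that the chain can be run in plain C rather than in a live process.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* "Addresses" the attacker can return into. A real exploit uses the actual
 * addresses of library code; these tags are a modelling assumption so the
 * chain can be interpreted here instead of executed by the CPU. */
enum {
    G_POP_ARG0_RET = 0x1000,  /* gadget: pop first-argument register ; ret  */
    G_POP_ARG1_RET = 0x1001,  /* gadget: pop second-argument register ; ret */
    F_STACK_ARGS   = 0x2000,  /* library function taking arguments on stack */
    F_REG_ARGS     = 0x2001,  /* library function taking arguments in regs  */
    A_STOP         = 0xDEAD   /* where the chain finally "returns" to       */
};

typedef struct {
    uint64_t stack[16];   /* attacker-controlled memory the stack pointer points into */
    size_t   sp;          /* index of the word the next ret will pop                  */
    uint64_t arg0, arg1;  /* argument registers (rdi/rsi on x86-64 System V)           */
    uint64_t seen[2];     /* the arguments the library function actually received    */
    int      calls;       /* how many times the library function was entered         */
} machine_t;

static void load(machine_t *m, const uint64_t *words, size_t n)
{
    *m = (machine_t){0};
    for (size_t i = 0; i < n && i < 16; i++) m->stack[i] = words[i];
}

static uint64_t pop(machine_t *m)
{
    return m->sp < 16 ? m->stack[m->sp++] : A_STOP;
}

/* Interpret the chain: every `ret` pops a word and control goes there.
 * Returns the number of words consumed when the chain reaches A_STOP,
 * or -1 if control went somewhere that is not code. */
int run_chain(machine_t *m)
{
    for (;;) {
        uint64_t pc = pop(m);
        switch (pc) {
        case G_POP_ARG0_RET: m->arg0 = pop(m); break;   /* pop rdi ; ret */
        case G_POP_ARG1_RET: m->arg1 = pop(m); break;   /* pop rsi ; ret */
        case F_STACK_ARGS:
            /* Stack-argument ABI: on entry the callee sees
             * [return address][arg0][arg1] starting at sp. It reads its
             * arguments relative to sp, leaves them there (caller cleans
             * up), and its own ret pops stack[sp]. */
            if (m->sp + 2 >= 16) return -1;
            m->seen[0] = m->stack[m->sp + 1];
            m->seen[1] = m->stack[m->sp + 2];
            m->calls++;
            break;
        case F_REG_ARGS:
            /* Register ABI: arguments come from whatever the preceding
             * pop gadgets loaded; nothing is read from the stack. */
            m->seen[0] = m->arg0;
            m->seen[1] = m->arg1;
            m->calls++;
            break;
        case A_STOP:
            return (int)m->sp;
        default:
            return -1;   /* returned into data: a real process would crash */
        }
    }
}

/* Return-into-library layout for a stack-argument ABI: the overwritten
 * saved return address is the library function itself, followed by the
 * address it will return to, then its arguments in order. */
int chain_stack_args(machine_t *m)
{
    const uint64_t chain[] = { F_STACK_ARGS, A_STOP, 0x41, 0x42 };
    load(m, chain, 4);
    return run_chain(m);
}

/* Borrowed-code-chunks layout for a register ABI: the same function is
 * reached, but the "pop ; ret" chunks first move the next chain words
 * into the argument registers. */
int chain_reg_args(machine_t *m)
{
    const uint64_t chain[] = { G_POP_ARG0_RET, 0x41, G_POP_ARG1_RET, 0x42,
                               F_REG_ARGS, A_STOP };
    load(m, chain, 6);
    return run_chain(m);
}

/* The old layout on the new ABI: the function is entered, but the
 * arguments it reads live in registers the chain never set. */
int chain_stack_layout_on_reg_abi(machine_t *m)
{
    const uint64_t chain[] = { F_REG_ARGS, A_STOP, 0x41, 0x42 };
    load(m, chain, 4);
    return run_chain(m);
}

int main(void)
{
    machine_t m;
    chain_stack_args(&m);
    printf("stack-arg ABI, ret2lib layout : args 0x%llx 0x%llx\n",
           (unsigned long long)m.seen[0], (unsigned long long)m.seen[1]);
    chain_reg_args(&m);
    printf("register ABI, pop-chunk layout: args 0x%llx 0x%llx\n",
           (unsigned long long)m.seen[0], (unsigned long long)m.seen[1]);
    chain_stack_layout_on_reg_abi(&m);
    printf("register ABI, ret2lib layout  : args 0x%llx 0x%llx\n",
           (unsigned long long)m.seen[0], (unsigned long long)m.seen[1]);
    return 0;
}
```

The third chain is the failure mode the text describes: the argument words are still on the stack, but a register-ABI callee never looks there, so the call lands with empty registers. The borrowed-chunks chain fixes this by spending one gadget per register before the function address.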

Return-oriented programming: this technique extends the attack vector further by adding loops and conditional branches to the return-oriented approach. The idea was first put forward by Hovav Shacham in "The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)". The paper describes two main points that return-oriented programming addresses in contrast to the return-into-library technique: return-into-library does not support loops or conditional branches, and removing functions from a library provides no protection against return-oriented programming. On x86 the author finds suitable instruction sequences by exploiting the fact that x86 uses a variable-length instruction set. It is therefore possible to look for single-byte opcodes that alter control flow, such as the return instruction (0xC3), and disassemble the binary backwards from that position. Because x86 instructions have varying lengths, the bytes preceding a return instruction can decode into many different instruction sequences depending on where decoding starts, including sequences the compiler never intended to emit. Shacham also defines the term gadget for such an instruction sequence ending in a return that performs a useful operation, such as an addition. It was assumed that a fixed-length instruction set would make return-oriented programming infeasible; later work showed that return-oriented programming is possible on fixed-length (RISC) architectures as well, using only intended instruction sequences, so the assumption did not hold.

The most practical work in the field of return-oriented programming is the work on the AVC Advantage voting system. It demonstrates that return-oriented programming is a suitable tool for offensive security researchers when no other technique works against a Harvard architecture (on which the AVC Advantage is built): a Harvard architecture keeps code and data in separate memories, so injected data can never be executed, and reusing existing code is the only option.
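The gadget search described above, as an added example that is not code from the original page or from Shacham's paper: scan a code buffer for 0xC3 bytes, try each of the preceding offsets as a start point, and keep the ones from which a clean instruction stream lands exactly on that ret. The decoder is an assumption of this example and handles only a small subset of 32-bit x86 one-byte opcodes plus `mov r32, imm32`; anything else is treated as undecodable. The sample bytes are constructed so that the immediate of a `mov` hides an unintended `pop edi ; pop eax ; ret`.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_BACK 8   /* how many bytes before a ret we try as gadget starts */

/* Register names in x86 encoding order (the r32 field 0..7). */
static const char *reg32[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

/* Length of the instruction at p (n bytes available), or 0 if the opcode is
 * outside the small 32-bit subset this toy decoder knows (assumption:
 * anything else counts as undecodable and ends the search). */
size_t insn_len(const unsigned char *p, size_t n)
{
    if (n == 0) return 0;
    unsigned char op = p[0];
    if (op == 0x90 || op == 0xC3) return 1;              /* nop, ret                */
    if (op >= 0x40 && op <= 0x5F) return 1;              /* inc/dec/push/pop r32    */
    if (op >= 0x91 && op <= 0x97) return 1;              /* xchg eax, r32           */
    if (op >= 0xB8 && op <= 0xBF) return n >= 5 ? 5 : 0; /* mov r32, imm32          */
    return 0;
}

/* Print one decoded instruction (human-readable listing only). */
static void print_insn(const unsigned char *p, size_t len)
{
    unsigned char op = p[0];
    if (op == 0x90) printf("nop");
    else if (op == 0xC3) printf("ret");
    else if (op >= 0x40 && op <= 0x47) printf("inc %s", reg32[op - 0x40]);
    else if (op >= 0x48 && op <= 0x4F) printf("dec %s", reg32[op - 0x48]);
    else if (op >= 0x50 && op <= 0x57) printf("push %s", reg32[op - 0x50]);
    else if (op >= 0x58 && op <= 0x5F) printf("pop %s", reg32[op - 0x58]);
    else if (op >= 0x91 && op <= 0x97) printf("xchg eax, %s", reg32[op - 0x90]);
    else if (op >= 0xB8 && op <= 0xBF && len == 5)
        printf("mov %s, 0x%02x%02x%02x%02x", reg32[op - 0xB8], p[4], p[3], p[2], p[1]);
}

/* Does decoding forward from start land exactly on the ret at ret_off,
 * without crossing an earlier ret or an undecodable byte? A gadget ends at
 * its first ret, so an intermediate ret disqualifies the start point. */
int decodes_to_ret(const unsigned char *code, size_t len, size_t start, size_t ret_off)
{
    size_t off = start;
    while (off < ret_off) {
        if (code[off] == 0xC3) return 0;
        size_t l = insn_len(code + off, len - off);
        if (l == 0) return 0;
        off += l;
    }
    return off == ret_off;   /* landed on the ret, not past it */
}

/* Shacham-style search: for every 0xC3 byte, try each of the MAX_BACK
 * preceding offsets as a gadget start and keep those that decode cleanly
 * into that ret. Results go to starts[]/rets[] (at most max); returns count. */
size_t find_gadgets(const unsigned char *code, size_t len,
                    size_t *starts, size_t *rets, size_t max)
{
    size_t found = 0;
    for (size_t r = 0; r < len; r++) {
        if (code[r] != 0xC3) continue;
        size_t lo = r > MAX_BACK ? r - MAX_BACK : 0;
        for (size_t s = lo; s < r && found < max; s++) {
            if (decodes_to_ret(code, len, s, r)) {
                starts[found] = s;
                rets[found] = r;
                found++;
            }
        }
    }
    return found;
}

/* Constructed sample "code" (not taken from any real binary). The intended
 * stream is  mov eax, 0x90c3585f ; pop ebp ; ret.  The immediate of the mov
 * contains 5F 58 C3, which read from offset 1 is  pop edi ; pop eax ; ret,
 * a gadget the compiler never emitted. */
const unsigned char sample_code[] = { 0xB8, 0x5F, 0x58, 0xC3, 0x90, 0x5D, 0xC3 };
const size_t sample_len = sizeof sample_code;

size_t find_sample_gadgets(size_t *starts, size_t *rets, size_t max)
{
    return find_gadgets(sample_code, sample_len, starts, rets, max);
}

int main(void)
{
    size_t starts[32], rets[32];
    size_t n = find_sample_gadgets(starts, rets, 32);
    for (size_t i = 0; i < n; i++) {
        printf("gadget at offset %zu:", starts[i]);
        for (size_t off = starts[i]; off <= rets[i]; ) {
            size_t l = insn_len(sample_code + off, sample_len - off);
            printf("  ");
            print_insn(sample_code + off, l);
            printf(" ;");
            off += l;
        }
        printf("\n");
    }
    return 0;
}
```

Decoding the sample from offset 0 yields the intended `mov eax, imm32`, while decoding from offset 1 yields `pop edi ; pop eax ; ret` out of the very same bytes. This is why a variable-length instruction set makes gadgets so plentiful, and why stripping a library of its "dangerous" functions changes nothing: the gadgets were never functions in the first place.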
