Search This Blog

Tuesday, September 3, 2019

Jump Oriented Programming and Call Oriented Programming (JOP and PCOP)

Image Credit: Jump-Oriented Programming: A New Class of Code-Reuse Attack

We all know about ROPs... return oriented programming.  But what if programs have stack protections in place, make the stack hard to utilize well, or have some protection mechanism against the heavy amount of returns needed in ROP chains?  Here's where some other neat attacks come in.  I will discuss the basics of JOP chains and very basics of PCOP chains today (it also will serve as notes for me in the future too :) ).  Hopefully, I will research more into these and find even some CTF challenges utilizing these techniques.  It's important to note that in my opinion, these attacks are much more difficult to perform.

In the case of JOP, we make use of jump instructions rather than returns.  Usually, most people describe it in the case of storing many gadgets on the heap (dispatch table) and then using something called a dispatcher gadget to run through the dispatch table. Within this dispatch table, all the gadgets lead to somewhere performing an arbitrary instructions and ends with an instruction that jumps us back to the dispatch gadget (this will be discussed more down below).  Moreover, let us assume we have control over registers r1 and r2 (that hopefully will avoid being affected by the gadgets in the dispatch table).  Our dispatcher gadget should increment r1 by 4 or 8 (depending on the architecture), and then perform the following instruction: jmp [r1].  r1 should originally point to the memory location of the dispatch table (Most papers say that it is on the heap, but it does necessarily have to) while r2 should point to the dispatcher gadget.  Thus, the dispatcher gadget can keep executing the instructions sequentially in the dispatch table, and as I mentioned earlier, each gadget in the table should jump us back to the dispatcher gadget.  How?  Well, ideally, the gadgets in the dispatch table should end in something like: jmp [r2], which brings us back to the dispatcher gadget.  One more thing... we need to get the JOP chain started.  Easy.  Just overwrite the instruction pointer with the dispatcher gadget location.  You can check out this paper for a much more in depth overview of JOP chains.  Apparently, with the help of misalignment or even just searching the libraries in general, the necessary ingredients for JOP chains can be found.  I still think it's much more complex to exploit than a classic ROP though.

This whole ideas about JOP chains got me thinking... you can determine where a call instruction goes to with registers or data you control too sometimes.  What if we swap the Jumps with Calls?  When looking at libc, such gadgets do seem to exist.  After some searching, I came across something called Pure Call Oriented Programming (PCOP).  It's very similar conceptually to JOP chains, but because of its nature, even more difficult to produce a working exploit.  It's still a cool concept nevertheless!

No comments:

Post a Comment