Analyzing the Gadgets - Towards a Metric to Measure Gadget Quality

Current low-level exploits often rely on code-reuse, whereby short sections of code (gadgets) are chained together into a coherent exploit that can be executed without the need to inject any code. Several protection mechanisms attempt to eliminate this attack vector by applying code transformations to reduce the number of available gadgets. Nevertheless, it has emerged that the residual gadgets can still be sufficient to conduct a successful attack. Crucially, the lack of a common metric for " gadget quality " hinders the effective comparison of current mitigations. This work proposes four metrics that assign scores to a set of gadgets, measuring quality, usefulness, and practicality. We apply these metrics to binaries produced when compiling programs for architectures implementing Intel's recent MPX CPU extensions. Our results demonstrate a 17% increase in useful gadgets in MPX binaries, and a decrease in side-effects and preconditions, making them better suited for ROP attacks.

• Publication year

  2016

• Venue

  Engineering Secure Software and Systems

• Publication date

  2016-04-06

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1007/978-3-319-30806-7_10arXiv 1605.08159
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Control-Flow Integrity

  2017influential reference
• Fine-Grained Control-Flow Integrity Through Binary Hardening

  2015cited by this paper
• Control-Flow Bending: On the Effectiveness of Control-Flow Integrity

  2015cited by this paper
• Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications

  2015cited by this paper
• Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks

  2015cited by this paper
• Practical Context-Sensitive CFI

  2015cited by this paper
• Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection

  2014cited by this paper
• Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard

  2014cited by this paper
• Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM

  2014cited by this paper
• Out of Control: Overcoming Control-Flow Integrity

  2014cited by this paper
• ROPecker: A Generic and Practical Approach For Defending Against ROP Attacks

  2014cited by this paper
• ROP is Still Dangerous: Breaking Modern Defenses

  2014cited by this paper
• Evaluating the Effectiveness of Current Anti-ROP Defenses

  2014cited by this paper
• Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization

  2013cited by this paper
• Control Flow Integrity for COTS Binaries

  2013influential reference
• Transparent ROP Exploit Mitigation Using Indirect Branch Tracing

  2013cited by this paper
• Microgadgets: Size Does Matter in Turing-Complete Return-Oriented Programming

  2012cited by this paper
• Return-Oriented Programming: Systems, Languages, and Applications

  2012cited by this paper
• Jump-oriented programming: a new class of code-reuse attack

  2011cited by this paper
• Q: Exploit Hardening Made Easy

  2011cited by this paper
• Data Execution Prevention

  2011cited by this paper
• Return-oriented programming without returns

  2010cited by this paper
• The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

  2007cited by this paper
• Intel ® 64 and IA-32 Architectures Software Developer ’ s Manual

  2006cited by this paper
• A brief history of just-in-time

  2003cited by this paper
• Smashing The Stack For Fun And Profit

  1996cited by this paper

• Evaluating Software Diversity Based on Gadget Feature Analysis

  2022cites this paper
• BadASLR: Exceptional Cases of ASLR Aiding Exploitation

  2021cites this paper
• MAJORCA: Multi-Architecture JOP and ROP Chain Assembler

  2021cites this paper
• Survey of Methods for Automated Code-Reuse Exploit Generation

  2020cites this paper
• Not so fast: understanding and mitigating negative impacts of compiler optimizations on code reuse gadget sets

  2020influential citation
• BlankIt library debloating: getting what you want instead of cutting what you don’t

  2020cites this paper
• DECAF: Automatic, Adaptive De-bloating and Hardening of COTS Firmware

  2020cites this paper
• Is Less Really More? Why Reducing Code Reuse Gadget Counts via Software Debloating Doesn't Necessarily Lead to Better Security

  2019influential citation
• Is Less Really More? Why Reducing Code Reuse Gadget Counts via Software Debloating Doesn't Necessarily Indicate Improved Security

  2019cites this paper
• Binary Debloating for Security via Demand Driven Loading

  2019cites this paper
• Is Less Really More? Towards Better Metrics for Measuring Security Improvements Realized Through Software Debloating

  2019cites this paper
• Static Analysis of ROP Code

  2019cites this paper
• Reasoning about Probabilistic Defense Mechanisms against Remote Attacks

  2017cites this paper
• Automated Multi-architectural Discovery of CFI-Resistant Code Gadgets

  2016cites this paper
• PSHAPE: Automatically Combining Gadgets for Arbitrary Method Execution

  2016cites this paper