Sigreturn-oriented programming (SROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security measures such as non-executable memory and code signing.
It was presented for the first time at the 35th IEEE Symposium on Security and Privacy in 2014, where it won the ''best student paper award''. This technique employs the same basic assumptions behind the return-oriented programming (ROP) technique: an attacker controlling the call stack, for example through a stack buffer overflow, is able to influence the control flow of the program through simple instruction sequences called ''gadgets''. The attack works by pushing a forged ''sigcontext'' structure on the call stack and overwriting the original return address with the location of a gadget that allows the attacker to call the ''sigreturn'' system call.
Often just a single gadget is needed to successfully put this attack into effect. This gadget may reside at a fixed location, making this attack simple and effective, with a setup generally simpler and more portable than the one needed by the plain return-oriented programming technique.
Sigreturn-oriented programming can be considered a weird machine, since it allows code execution outside the original specification of the program.
Background
Sigreturn-oriented programming (SROP) is a technique similar to return-oriented programming (ROP), since it employs code reuse to execute code outside the scope of the original control flow.
In this sense, the adversary needs to be able to carry out a stack smashing attack, usually through a stack buffer overflow, to overwrite the return address contained inside the call stack.
Stack hopping exploits
If mechanisms such as data execution prevention are employed, it won't be possible for the attacker to just place a shellcode on the stack and cause the machine to execute it by overwriting the return address.
With such protections in place, the machine won't execute any code present in memory areas marked as writable and non-executable.
Therefore, the attacker will need to reuse code already present in memory.
Most programs do not contain functions that will allow the attacker to directly carry out the desired action (e.g., obtain access to a shell), but the necessary instructions are often scattered around memory.
Return-oriented programming requires these sequences of instructions, called gadgets, to end with a RET instruction. In this way, the attacker can write a sequence of addresses for these gadgets to the stack, and as soon as a RET instruction in one gadget is executed, the control flow will proceed to the next gadget in the list.
Signal handler mechanism
This attack is made possible by how signals are handled in most POSIX-like systems.
Whenever a signal is delivered, the kernel needs to context switch to the installed signal handler. To do so, the kernel saves the current execution context in a frame on the stack.
The structure pushed onto the stack is an architecture-specific variant of the ''sigcontext'' structure, which holds various data comprising the contents of the registers at the moment of the context switch.
When the execution of the signal handler is completed, the sigreturn() system call is called, and the kernel restores the registers from that frame.
Since the ''sigreturn'' syscall restores the registers from whatever frame it finds on the stack, a single gadget that invokes it, which can be easily found on most systems, is enough to set the contents of the registers.
Differences from ROP
There are several factors that characterize an SROP exploit and distinguish it from a classical return-oriented programming exploit.
First, ROP is dependent on available gadgets, which can be very different in distinct binaries, thus making gadget chains non-portable.
Address space layout randomization (ASLR) makes it hard to use gadgets without an information leakage to get their exact positions in memory.
Although Turing-complete ROP compilers exist, it is usually non-trivial to create a ROP chain.
SROP exploits are usually portable across different binaries with minimal or no effort and allow easily setting the contents of the registers, which could be non-trivial or unfeasible for ROP exploits if the needed gadgets are not present.
Moreover, SROP requires a minimal number of gadgets and allows constructing effective shellcodes by chaining system calls. These gadgets are always present in memory, and in some cases are always at fixed locations.
Attacks
Linux
An example of the kind of gadget needed for SROP exploits can always be found in the vDSO memory area on x86 Linux systems:
__kernel_sigreturn proc near:
    pop eax
    mov eax, 77h
    int 80h ; LINUX - sys_sigreturn
    nop
    lea esi, [esi+0]
__kernel_sigreturn endp
On some Linux kernel versions, ASLR can be disabled by setting the limit for the stack size to unlimited, effectively bypassing ASLR and allowing easy access to the gadget present in the vDSO.
For Linux kernels prior to version 3.3, it is also possible to find a suitable gadget inside the vsyscall page, which is a mechanism to accelerate access to certain system calls often used by legacy programs and which always resides at a fixed location.
Turing-completeness
It is possible to use gadgets to write into the contents of the stack frames, thereby constructing a self-modifying program. Using this technique, it is possible to devise a simple virtual machine, which can be used as the compilation target for a Turing-complete language.
An example of such an approach can be found in Bosman's paper, which demonstrates the construction of an interpreter for a language similar to the Brainfuck programming language.
The language provides a program counter PC, a memory pointer P, and a temporary register A used for 8-bit addition. This means that complex backdoors or obfuscated attacks can also be devised.
Defenses and mitigations
A number of techniques exist to mitigate SROP attacks, relying on address space layout randomization, canaries and cookies, or shadow stacks.
Address space layout randomization
Address space layout randomization makes it harder to use suitable gadgets by making their locations unpredictable.
Signal cookies
A mitigation for SROP called ''signal cookies'' has been proposed. It consists of a way of verifying that the sigcontext structure has not been tampered with, by means of a random cookie XORed with the address of the stack location where it is to be stored.
In this way, the ''sigreturn'' syscall just needs to verify the cookie's existence at the expected location, effectively mitigating SROP with minimal impact on performance.
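The following C program is an added illustration of the signal-cookie check described above; it is a user-space model written for this article, not code from the proposal or from any kernel. The frame layout, the function names and the fixed secret are hypothetical: signal delivery stamps the frame with the secret XORed with the frame's own address, and the modelled ''sigreturn'' refuses to restore registers from a frame that was not stamped, or that was copied to a different stack location.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an architecture-specific sigcontext frame. */
struct sigframe {
    uint64_t regs[4];   /* modelled register file: ip, sp, arg0, arg1 */
    uint64_t cookie;    /* secret XOR address of this very field */
};

/* Per-process random secret; the real proposal keeps it inside the kernel. */
static uint64_t cookie_secret;

void set_cookie_secret(uint64_t secret) { cookie_secret = secret; }

/* Cookie value expected for a frame living at this exact address. */
static uint64_t expected_cookie(const struct sigframe *frame) {
    return cookie_secret ^ (uint64_t)(uintptr_t)&frame->cookie;
}

/* Kernel side of signal delivery: save the registers and stamp the frame. */
void deliver_signal(struct sigframe *frame, const uint64_t regs[4]) {
    memcpy(frame->regs, regs, sizeof frame->regs);
    frame->cookie = expected_cookie(frame);
}

/* Kernel side of sigreturn: restore the registers only if the cookie matches.
 * Returns 1 on success and 0 when the frame is rejected. */
int sigreturn_check(const struct sigframe *frame, uint64_t regs_out[4]) {
    if (frame->cookie != expected_cookie(frame))
        return 0;               /* frame was not written by signal delivery */
    memcpy(regs_out, frame->regs, sizeof frame->regs);
    return 1;
}

/* Stand-alone demo: a genuine frame, a frame written without the cookie,
 * and a genuine frame copied to another stack location. */
int main(void) {
    uint64_t regs[4] = {0x401000, 0x7ffd0000, 1, 2}, out[4] = {0};
    struct sigframe genuine, unstamped, moved;

    set_cookie_secret(0x243f6a8885a308d3ULL); /* constructed value, not random */

    deliver_signal(&genuine, regs);
    printf("genuine frame:   %s\n", sigreturn_check(&genuine, out) ? "restored" : "rejected");

    memset(&unstamped, 0, sizeof unstamped);   /* registers filled in, no valid cookie */
    unstamped.regs[0] = 0x401000;
    printf("unstamped frame: %s\n", sigreturn_check(&unstamped, out) ? "restored" : "rejected");

    moved = genuine;                            /* same bytes, different address */
    printf("moved frame:     %s\n", sigreturn_check(&moved, out) ? "restored" : "rejected");
    return 0;
}
```

Binding the cookie to the frame address is what makes the second and third cases fail: a frame that was never stamped carries no valid cookie, and a captured genuine frame cannot be replayed anywhere else on the stack.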
Vsyscall emulation
In Linux kernel versions greater than 3.3, the vsyscall interface is emulated, and any attempt to directly execute gadgets in the page will result in an exception.
RAP
Grsecurity is a set of patches for the Linux kernel to harden and improve system security. It includes the so-called Return-Address Protection (RAP) to help protect from code reuse attacks.
CET
Starting in 2016, Intel has been developing Control-flow Enforcement Technology (''CET'') to help mitigate and prevent stack-hopping exploits. CET works by implementing a shadow stack in RAM which will only contain return addresses, protected by the CPU's memory management unit.
See also
* Linux kernel interfaces
* Vulnerability (computing)
* Exploit (computer security)
* Buffer overflow
* Address space layout randomization
* Executable space protection
* NX bit
External links
* OHM 2013: Review of "Returning signals for fun and profit"
* SigReturn Oriented Programming on x86-64 Linux