Q: Exploit Hardening Made Easy

Download: Paper, Update Note, PDF Slides, PPTX Slides, Video, Audio.

“Q: Exploit Hardening Made Easy” by Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. In Proceedings of the USENIX Security Symposium, 2011.


Prior work has shown that return oriented programming (ROP) can be used to bypass W^X, a software defense that stops shellcode, by reusing instructions from large libraries such as libc. Modern operating systems have since enabled address randomization (ASLR), which randomizes the location of libc, making these techniques unusable in practice. However, modern ASLR implementations leave smaller amounts of executable code unrandomized and it has been unclear whether an attacker can use these small code fragments to construct payloads in the general case.

In this paper, we show defenses as currently deployed can be bypassed with new techniques for automatically creating ROP payloads from small amounts of unrandomized code. We propose using semantic program verification techniques for identifying the functionality of gadgets, and design a ROP compiler that is resistant to missing gadget types. To demonstrate our techniques, we build Q, an end-to-end system that automatically generates ROP payloads for a given binary. Q can produce payloads for 80% of Linux /usr/bin programs larger than 20KB. We also show that Q can automatically perform exploit hardening: given an exploit that crashes with defenses on, Q outputs an exploit that bypasses both W^X and ASLR. We show that Q can harden nine real-world Linux and Windows exploits, enabling an attacker to automatically bypass defenses as deployed by industry for those programs.

Download: Paper, Update Note, PDF Slides, PPTX Slides, Video, Audio.

BibTeX entry:

   author = {Edward J. Schwartz and Thanassis Avgerinos and David Brumley},
   title = {{Q}: Exploit Hardening Made Easy},
   booktitle = {Proceedings of the {USENIX} Security Symposium},
   year = {2011}

(This webpage was created with bibtex2web.)

Back to publications.