This chapter introduces the basics of Return Oriented Programming (ROP) and why using it is necessary. The ARM architecture is very different from x86 in regards to ROP, and this chapter introduces some new concepts specific to ARM. The chapter examines the bionic dynamic linker as a case study of a rich and comparatively stable source of code usable for ROP and presents some ideas for automation.
ROP is a technique to leverage existing native code in memory as an arbitrary payload instead of injecting custom native instruction payloads or shellcode. It has been documented in several degrees of abstraction in various academic papers, but its roots go back to the return2libc technique first publicly documented by Solar Designer in a 1997 post to the Bugtraq mailing list (
http://seclists.org/bugtraq/1997/Aug/63). In that article, Solar demonstrated the reuse of existing x86 code fragments in order to bypass a non-executable stack protection mechanism. Later, Tim Newsham demonstrated the first chaining of more than two calls in his
lpset Solaris 7 exploit from May 2000 (
There are three main reasons to leverage existing native code in today's ARM environments and therefore use ROP. The primary, and most obvious reason, is the XN exploit mitigation as discussed in Chapter 12. The secondary reason is due to the separate data and instruction caches on the ARM architecture as described ...