Automatic Generation of ROP Through Static Instructions Assignment and Dynamic Memory Analysis

Abstract

W⊕X is a protection mechanism against control-flow hijacking attacks. Return-oriented programming (ROP) can perform a specific function by searching for appropriate assembly instruction fragments (gadgets) in a code segment and bypass the W⊕X. However, manual search for gadgets that match the conditions is inefficient, with high error and missing rates. In order to improve the efficiency of ROP generation, the authors propose an automatic generation method based on a fragmented layout called automatic generation of ROP. This method designs new intermediate instruction construction rules based on an automatic ROP generation framework Q, uses symbolic execution to analyze program memory states and construct data constraints for multi-modules ROP, and solves ROP data constraints to generate test cases of an ROP chain. Experiments show that this method can effectively improve the space efficiency of the ROP chain and lower the requirements of the ROP layout on memory conditions.