- Complete title: Block Oriented Programming: Automating Data-Only Attacks
- PDF: 69dcf39e7a25cd84a5f53479a48a80a86d2ce3c4
The paper describes a system (called BOPC) to automatically construct payloads to bypass CFI, provided only with an arbitrary read/write, an entrypoint and the payload itself, written in a pseudo-C language called SPL (SPloit Language).
Mapping between SPL statements and basic blocks is done with constrains, via symbolic execution of blocks: the constraints of the basic block must be a superset of the operations required to implement the SPL statement. The paper's implementation only maps a single basic block to each SPL statement, it doesn't combine them.
Once functional blocks are found, the next step is to search for paths to connect them blocks together, via chains of dispatcher blocks. Since this is a hard-problem, heuristics are used, mainly the proximity of the functional blocks (the more instructions between them, the more chance of clobbering the payload state). This results in a graph, with functional blocks as nodes, and chains of dispatchers as edges.
BOPC then checks if it's possible to to stitch the functional blocks without clobbering the SPL state, via concolic execution, concretizing the path, functional block by functional block. The execution trace is then encoded as a series of writes.
There is currently no code released along with the paper.
I really liked the following excerpt of the paper, providing a digest and clear yet exact description of a weird machine:
The environment for SPL differs from that of conventional languages. Instead of running code directly on a CPU, our compiler encodes the payload as a mapping of instructions to functional blocks. That is, the underlying runtime environment is the target binary and its program state, where payloads are executed as side effects of the underlying binary.