In a return-oriented programming attack, instead of executing an arbitrary piece of the attacker's code, he or she tries to exploit small instruction sequences that are already present in the binary or the libraries linked to it, to form a chain of instructions as dictated by the attacker. A small instruction sequence that is already present within the application is called a gadget. An attacker analyzes the software in the system looking for these gadgets, which are useful fragments of code usually ending with a function return. For example, one useful gadget could be just ADD R0, R1, R2 followed by BX LR. This two-instruction sequence acts as a gadget for adding two registers together. On a similar angle, by scanning all the available libraries, an attacker can build a collection of gadgets. These gadgets are existing, legal code within the executable region. This means that they are not affected by protections like execute permissions. The attacker strings together a chain of gadgets, forming, effectively, a new program made up of existing code fragments. Jump-oriented programming is also a code reuse attack in which a chain of gadgets is formed, but the gadgets end with an indirect branch instruction instead of a function return, or the BX LR instruction. We will see more details on jump-oriented programming in the upcoming slides. So how do we find useful gadgets? There are several open source offline tools available to skim through your code that can create a list of gadgets for you. There is one called [] which can directly give you the list of gadgets. Now, what do we do with these gadgets? Before going into the details, let's try to understand the features of any useful gadget. The two important features of a gadget are that it breaks the control flow integrity of a program, because it redirects the control flow of the program,
and that it returns without going through the function entry. Now, keeping these two important features of any gadget in mind, let's try to understand in this particular example whether the BX LR instruction will return back to the malicious app. Well, instead of branching back to the malicious app, if we can find a gadget that is going to pop back the value of LR from the stack before executing the BX LR instruction, then in the malicious app we can set up a return address in the stack where we want to branch to. It's important to know that our compiler usually pops the return address from the stack and then does a BX LR for a subroutine return. So by using a "pop back the LR value" gadget, and the stack that has been set up during the launch of the malicious app, the attacker can branch to the address where he or she wants to, and if the next gadget also uses BX LR, then we can pop back the return address and then branch to a new address. This way you can chain the gadgets together to form a code sequence as per the attacker's requirements. Okay, so now we can execute the gadgets; what can we do? Almost everything, right from overwriting the stack return address to jumping off to the system control code. As a security countermeasure, two new concepts, pointer authentication and branch target identification, have been introduced in the Armv8.1-M architecture, termed together as the PACBTI extension. This is an optional extension to the Armv8.1-M architecture. Pointer authentication, or the pointer authentication code, is used to verify the function return address before it proceeds further, especially during subroutine returns. You can also use it to verify generic pointers as well. Branch target identification can mitigate against JOP attacks, the jump-oriented programming attacks, by creating an architectural dependency between the indirect branch instruction and the instructions at the target address. [] is enabled.
The processor ensures that indirect branches all land on a landing pad. This is quite effective, as we are providing an extra guarding mechanism, because the attacker cannot jump into the middle of a function by changing the branch address. Having both PAC and BTI enabled in the program can significantly reduce the number of gadgets that can be found.
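To make the two checks concrete, here is an added toy model in C; it is not code from the lecture or from Arm. It uses a constructed instruction stream with one BTI landing pad, and a keyed tag over (LR, SP) standing in for the PAC that the Armv8.1-M prologue computes into R12 and pushes alongside LR; the tag mixing function is a placeholder, not Arm's algorithm.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed toy model of the two PACBTI checks described in the lecture.
 * The PAC mixing below is NOT Arm's algorithm (the architecture uses a
 * QARMA-based function and per-context keys); it only has the shape of a
 * keyed tag over (return address, stack pointer) so the checks can be run. */

typedef enum { OP_BTI, OP_ADD, OP_POP_LR, OP_BX_LR } Opcode;

/* Constructed instruction stream: a function whose entry (index 0) carries a
 * BTI landing pad; indices 2-3 are the "pop {lr}; bx lr" sequence that the
 * lecture describes as a gadget if control could be redirected to it. */
static const Opcode program[] = { OP_BTI, OP_ADD, OP_POP_LR, OP_BX_LR, OP_ADD, OP_BX_LR };
#define PROGRAM_LEN (sizeof program / sizeof program[0])

/* BTI model: an indirect branch may only land on a BTI instruction, so a
 * redirected branch into the middle of the function (index 2) is faulted. */
bool bti_branch_allowed(size_t target) {
    return target < PROGRAM_LEN && program[target] == OP_BTI;
}

/* PAC model (the PAC instruction): tag = f(key, LR, SP). The tag is a separate
 * 32-bit word that the prologue pushes next to LR. For fixed SP and key the
 * mapping from LR to tag is a bijection, so any change to LR changes the tag. */
uint32_t pac_compute(uint32_t lr, uint32_t sp, uint32_t key) {
    uint32_t a = (lr ^ key) * 0x9E3779B1u;          /* bijective in lr */
    uint32_t s = (sp ^ (key >> 3)) * 0x85EBCA6Bu;   /* bijective in sp */
    return a ^ s ^ (key * 0xC2B2AE35u);
}

/* AUT model: recompute the tag for the popped LR with the current SP and
 * compare; a mismatch means the return address or the stack frame changed. */
bool pac_authenticate(uint32_t popped_lr, uint32_t sp, uint32_t key, uint32_t popped_pac) {
    return pac_compute(popped_lr, sp, key) == popped_pac;
}

/* Epilogue model: the return is only taken if AUT succeeds. Returns the
 * address to branch to, or 0 to signal a fault (constructed convention). */
uint32_t protected_return(uint32_t popped_lr, uint32_t popped_pac, uint32_t sp, uint32_t key) {
    return pac_authenticate(popped_lr, sp, key, popped_pac) ? popped_lr : 0;
}
```

A real toolchain emits the PAC/AUT and BTI instructions for you; this model only shows why an overwritten return address or a branch into the middle of a function fails the check.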