On the Expressiveness of Return-into-libc Attacks
https://pdfs.semanticscholar.org/3a34/baf9434f8d785bfe34f69c0a5e2f0b13f6c7.pdf [pdfs.semanticscholar.org]
2018-11-18 03:07
Consequently, to address this limitation, researchers have developed other code-reuse techniques, such as return-oriented programming (ROP). In this paper, we make the counterargument and demonstrate that the original RILC technique is indeed Turing complete. Specifically, we present a generalized RILC attack called Turing complete RILC (TC-RILC) that allows for arbitrary computations. We demonstrate that TC-RILC satisfies formal requirements of Turing-completeness. In addition, because it depends on the well-defined semantics of libc functions, we also show that a TC-RILC attack can be portable between different versions (or even different families) of operating systems and naturally has negative implications for some existing anti-ROP defenses.
To validate the correctness of our implementation, we configured the exploit to simulate a busy beaver—a special Turing machine that performs the greatest number of steps possible before halting [18]. Specifically, we simulate a 4-state 2-symbol busy beaver.
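To make the validation target concrete, the following is an added example (not code from the paper) that simulates the 4-state 2-symbol busy beaver as an ordinary C program rather than as a chain of libc calls. The paper does not print the transition table it used; the table below is the standard 4-state champion (Brady's machine), which is an assumption. It halts after 107 steps with 13 ones on the tape, which is the reference result a defender or reviewer would compare any claimed "Turing complete" execution against. The function name `run_busy_beaver` and the tape length are my own choices.

```c
#include <stdio.h>

/* Added example: plain C simulator for the 4-state, 2-symbol busy beaver.
 * States A..D are 0..3; HALT is 4. Transition table assumed to be the
 * standard 4-state champion (the paper does not list the one it used). */
#define TAPE_LEN 64
#define HALT 4

struct rule { unsigned char write; int move; int next; };

/* rules[state][symbol_under_head] */
static const struct rule rules[4][2] = {
    { {1, +1, 1},    {1, -1, 1} },   /* A: 0 -> 1RB, 1 -> 1LB */
    { {1, -1, 0},    {0, -1, 2} },   /* B: 0 -> 1LA, 1 -> 0LC */
    { {1, +1, HALT}, {1, -1, 3} },   /* C: 0 -> 1RH, 1 -> 1LD */
    { {1, +1, 3},    {0, +1, 0} },   /* D: 0 -> 1RD, 1 -> 0RA */
};

struct result { long steps; int ones; int halted; };

/* Run the machine from a blank tape with the head in the middle.
 * Returns the number of steps taken (the halting transition counts as
 * a step), the number of 1s left on the tape, and whether it halted
 * before max_steps or before running off the fixed-size tape. */
struct result run_busy_beaver(long max_steps) {
    unsigned char tape[TAPE_LEN] = {0};
    int head = TAPE_LEN / 2;
    int state = 0;                       /* start in state A */
    struct result r = {0, 0, 0};

    while (state != HALT && r.steps < max_steps) {
        const struct rule *t = &rules[state][tape[head]];
        tape[head] = t->write;
        head += t->move;
        state = t->next;
        r.steps++;
        /* Bounds check: this machine stays well inside 64 cells, but a
         * simulator must never index past its tape. */
        if (head < 0 || head >= TAPE_LEN)
            return r;                    /* halted stays 0 */
    }
    r.halted = (state == HALT);
    for (int i = 0; i < TAPE_LEN; i++)
        r.ones += tape[i];
    return r;
}

int main(void) {
    struct result r = run_busy_beaver(1000);
    printf("halted=%d steps=%ld ones=%d\n", r.halted, r.steps, r.ones);
    return 0;
}
```

Running it prints `halted=1 steps=107 ones=13`. The step limit matters: a simulator used as a correctness oracle needs a bound so that a mis-encoded transition (which can turn the busy beaver into a non-halting machine) is reported rather than looping forever.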