ROP-chain generation using Genetic Programming : GENROP

Return Oriented Programming (ROP) is the de-facto technique used to exploit most of today’s native-code vulnerabilities hiding in old and newly developed software alike. By reusing bits and pieces of already existing code (gadgets), ROP can be used to bypass the ever-present Write ⊕ eXecute (W⊕X) security feature, which enforces memory to only be marked as either executable or writable; never both at the same time. Even with its widespread use, crafting more advanced ROP-chains is mostly left as a manual task. This paper attempts to explore the viability of automating ROP-chain generation by leveraging genetic programming (GP), and describes the implementation and design of the ROP-compiler GENROP in this endeavour. We introduce a novel approach to adapt GP to work within the environment of ROP, which attempts to guide the algorithm and preemptively remove pathways which are known ahead of time to be unable to generate a solution. GENROP is tested by attempting to generate a working payload against a number of binaries, and is then evaluated based on success rate and payload size when compared to angrop (another ROP-compiler). The results show that the algorithm is able to generate functioning payloads in most of the tested cases, although it does perform worse than angrop. This can partly be explained by the fact that GENROP uses gadget definitions generated by angrop, which reduces the potential viability of the ROP-compiler, as more unwieldy but potentially usable gadgets are not available. Additionally, it was found that extensively guiding the algorithm has negative consequences in terms of solution diversity. Relying on faster execution times and more iterations might produce better results. Further work is required to assess whether or not generating ROP-chains using genetic programming is a viable approach