Conference: International conference on computational science and its applications

Jump Oriented Programming on Windows Platform (on the x86)


Abstract

Non-executable memory pages were deployed in operating systems to defend against code injection attacks. However, this defense was bypassed by reusing code that already exists in process memory with execute permission. Return-Oriented Programming (ROP), one of the most well-known code reuse attacks, has been developed and widely used to exploit systems. ROP hijacks the control flow and returns to the middle of instruction sequences that end with a return instruction. These instruction sequences are called gadgets. Researchers proposed many ROP defense mechanisms, which mostly relied on the fact that ROP executes many return instructions. The proposed defenses, however, are not fundamental defenses. Researchers found that the concept of ROP can be implemented in Linux using jump instructions instead of return instructions, thereby successfully bypassing ROP defenses. However, no research was done on implementing the attack on non-Linux systems. In this paper, we show the possibility of implementing the JOP (Jump Oriented Programming) attack model on the Windows platform by presenting example gadgets, and we propose an algorithm for searching for JOP gadgets in Dynamic Link Libraries.
