ROP attacks were first documented in 2007 by Shacham (2007) for the Intel x86 architecture. ROP is among the most effective of the state-of-the-art cyberattacks (Ding et al., 2012), as illustrated by ROP attacks that compromised platforms on which injected code cannot run at all, such as the Apple iPhone (which enforces code signing) and the Sequoia AVC Advantage voting machine (a Harvard-architecture design); traditional code-injection attacks cannot achieve this (Checkoway et al., 2010).
An attacker deliberately reuses code snippets already present in the program to execute malicious logic (Li et al., 2018). Each snippet, called a gadget, is a short instruction sequence ending in a return that already lies somewhere in the process's memory address space; placing the gadgets' addresses one after another on the stack sequences them into what amounts to a basic block of the attacker's own program (Hund, Holz, & Freiling, 2009). Chained gadgets thus replace the whole-function calls used in Return-to-LIBC (McClure, Scambray, Kurtz, & Kurtz, 2009). Six related code-reuse techniques mark the evolution of ROP: 1) Return-to-LIBC; 2) Jump-Oriented Programming; 3) String-Oriented Programming; 4) Blind Return-Oriented Programming; 5) Signal Return-Oriented Programming; 6) Function-Oriented Programming.
Return-to-LIBC
Return-to-LIBC is the precursor of ROP and works even when the stack is non-executable. It overwrites a return address so that it points into a shared library, typically the C library, which is loaded and accessible in every UNIX process (Shacham, 2007). Code already present in the linked library and the text segment can be leveraged to escalate privilege: a Return-to-LIBC attack changes a return address to direct control flow to a new location in memory. The arguments to the called library function are read from the stack, which the attacker already controls, so they can be set freely and further library functions can be invoked in turn. A Return-to-LIBC attack therefore lets an attacker execute arbitrary code. It is extremely difficult to detect with IDS/IPS because it neither modifies existing code nor injects new code.
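As an added example (not code from the chapter or from any of the works it cites), the following C program demonstrates the two mechanisms described above: it finds ret-terminated gadgets in a constructed 32-bit x86 code fragment, including an unintended gadget hidden inside an immediate operand at an unaligned offset, drives those gadgets from a fake stack of return addresses the way an overflowed stack would, and lays out the classic 32-bit Return-to-LIBC frame (filler, address of system(), address of exit() as the return from system(), pointer to "/bin/sh"). The code bytes, the load address, the distance from the buffer to the saved return address, and the libc addresses are all assumed values chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed 32-bit x86 fragment standing in for part of a victim's .text
 * segment (an assumption of this example). Intended instruction stream:
 *   0: b8 58 5b c3 5b   mov eax, 0x5bc35b58
 *   5: c3               ret
 *   6: 5b               pop ebx
 *   7: c3               ret
 *   8: 01 d8            add eax, ebx
 *  10: c3               ret
 * Because x86 instructions are variable-length, offset 1 also decodes as
 * "pop eax; pop ebx; ret" (58 5b c3): a gadget the compiler never emitted. */
static const uint8_t TEXT[] = {
    0xb8, 0x58, 0x5b, 0xc3, 0x5b, 0xc3, 0x5b, 0xc3, 0x01, 0xd8, 0xc3
};
#define TEXT_LEN  (sizeof TEXT)
#define TEXT_BASE 0x08048000u   /* assumed load address of the fragment */

/* First step of a gadget search: every 0xc3 (ret) byte is a gadget end. */
size_t find_rets(const uint8_t *code, size_t len, size_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_out; i++)
        if (code[i] == 0xc3) out[n++] = i;
    return n;
}

/* Length of the instruction at p for the few opcodes modelled here, 0 if
 * the byte is not one of them. */
static size_t insn_len(const uint8_t *p, size_t remaining)
{
    if (remaining >= 1 && (p[0] == 0xc3 || (p[0] >= 0x58 && p[0] <= 0x5f))) return 1;
    if (remaining >= 2 && p[0] == 0x01) return 2;   /* add r/m32, r32 */
    if (remaining >= 5 && p[0] == 0xb8) return 5;   /* mov eax, imm32 */
    return 0;
}

/* A start offset is a usable gadget if decoding forward from it reaches a
 * ret without running into a byte the decoder cannot handle. */
int is_gadget(const uint8_t *code, size_t len, size_t start)
{
    for (size_t i = start; i < len; ) {
        size_t l = insn_len(code + i, len - i);
        if (l == 0) return 0;
        if (code[i] == 0xc3) return 1;
        i += l;
    }
    return 0;
}

typedef struct { uint32_t eax, ebx; } regs_t;

/* Simulated CPU executing only bytes from TEXT. stack[] plays the part of
 * the overflowed stack: stack[0] is the overwritten return address, and
 * every ret pops the next word as the new program counter. Returns 0 when
 * the chain is exhausted at a ret, -1 on any fault. */
int run_chain(const uint32_t *stack, size_t nwords, regs_t *r)
{
    size_t sp = 0;
    uint32_t pc = stack[sp++];
    for (int steps = 0; steps < 64; steps++) {
        if (pc < TEXT_BASE || pc >= TEXT_BASE + TEXT_LEN) return -1;
        const uint8_t *p = TEXT + (pc - TEXT_BASE);
        size_t remaining = TEXT_LEN - (pc - TEXT_BASE);
        if (insn_len(p, remaining) == 0) return -1;
        switch (p[0]) {
        case 0xb8: r->eax = (uint32_t)p[1] | (uint32_t)p[2] << 8 |
                            (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24; pc += 5; break;
        case 0x58: if (sp >= nwords) return -1; r->eax = stack[sp++]; pc += 1; break;
        case 0x5b: if (sp >= nwords) return -1; r->ebx = stack[sp++]; pc += 1; break;
        case 0x01: if (p[1] != 0xd8) return -1; r->eax += r->ebx; pc += 2; break;
        case 0xc3: if (sp >= nwords) return 0; pc = stack[sp++]; break;
        default:   return -1;
        }
    }
    return -1;
}

/* ROP chain: the unintended gadget at TEXT+1 pops two attacker-supplied
 * words, then its ret transfers to the "add eax, ebx; ret" gadget at TEXT+8. */
uint32_t demo_rop_chain(void)
{
    const uint32_t chain[] = { TEXT_BASE + 1, 0x11, 0x22, TEXT_BASE + 8 };
    regs_t r = { 0, 0 };
    if (run_chain(chain, 4, &r) != 0) return 0xffffffffu;
    return r.eax;                              /* 0x11 + 0x22 = 0x33 */
}

/* Classic 32-bit Return-to-LIBC frame: ret_off bytes of filler reach the
 * saved return address, which becomes system(); the next word is where
 * system() returns (exit()), and the word after that is its argument. */
size_t build_ret2libc(uint8_t *out, size_t ret_off,
                      uint32_t system_addr, uint32_t exit_addr, uint32_t binsh_addr)
{
    const uint32_t words[3] = { system_addr, exit_addr, binsh_addr };
    memset(out, 'A', ret_off);
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++)            /* little-endian words */
            out[ret_off + 4 * i + b] = (uint8_t)(words[i] >> (8 * b));
    return ret_off + 12;
}

int main(void)
{
    size_t rets[8], n = find_rets(TEXT, TEXT_LEN, rets, 8);
    for (size_t i = 0; i < n; i++)
        printf("ret at +%zu; gadget starting at +%zu usable: %d\n",
               rets[i], rets[i] - 1, is_gadget(TEXT, TEXT_LEN, rets[i] - 1));
    printf("eax after ROP chain: 0x%x\n", demo_rop_chain());
    uint8_t frame[80];                          /* assumed: 64-byte buffer + saved ebp */
    size_t len = build_ret2libc(frame, 68, 0xb7e5e310u, 0xb7e51bc0u, 0xb7f7d0fcu);
    printf("ret2libc frame (%zu bytes), tail:", len);
    for (size_t i = 68; i < len; i++) printf(" %02x", frame[i]);
    printf("\n");
    return 0;
}
```

The simulator executes only the handful of opcodes the fragment contains; a real gadget search (Shacham's Galileo algorithm) walks backwards from each ret with a full decoder, and a real chain runs on the victim's CPU rather than in a loop. The point the code makes is the same either way: nothing in the chain is executable, only addresses and operands, and each ret is what hands control to the next piece of pre-existing code.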