In this project, we demonstrate that an advanced attacker can mount practical code-reuse attacks even in the complete absence of information disclosure. To this end, we present Position-Independent Code-Reuse Attacks (PIROP), a new class of code-reuse attacks that relies on the relative rather than the absolute location of code gadgets in memory. By means of memory massaging, the attacker first makes the victim program itself generate a rudimentary ROP payload (for instance, one containing code pointers that target instructions “close” to the relevant gadgets). Afterwards, the addresses in this payload are patched with small offsets via relative memory writes. Because these offsets depend only on the layout of the binary, which the attacker can read off the program on disk, the attack requires no leaked absolute address at run time.
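As an added illustration, not code from the PIROP paper or its artifacts, the following C program simulates the two steps above inside one address space. The victim "massages" a buffer by storing legitimate code pointers into it, and the attacker then patches those pointers with deltas derived only from the binary's layout. The gadget offsets, the payload shape, and the two write primitives (an additive relative write and a one-byte partial overwrite) are assumptions made for the example; the second variant also shows the alignment caveat a practitioner runs into with partial overwrites.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simulated code layout, expressed as offsets from an unknown load base.
 * All numbers are made up for this example; they stand in for values an
 * attacker reads out of the binary on disk, which needs no run-time leak.
 */
enum {
    OFF_FUNC_A   = 0x1000,  /* function entry the victim will store as a pointer */
    OFF_GADGET_1 = 0x1024,  /* e.g. "pop rdi; ret" 0x24 bytes into that function */
    OFF_FUNC_B   = 0x2000,
    OFF_GADGET_2 = 0x200b,
};

#define NSLOTS 2

/* Offsets of what the victim stores vs. what the attacker actually wants. */
static const uintptr_t stored_off[NSLOTS] = { OFF_FUNC_A, OFF_FUNC_B };
static const uintptr_t gadget_off[NSLOTS] = { OFF_GADGET_1, OFF_GADGET_2 };

typedef struct {
    uintptr_t slot[NSLOTS];  /* the rudimentary payload: a list of code pointers */
} payload_t;

/* Step 1 (memory massaging): the victim itself writes legitimate code
 * pointers into a buffer that will later be consumed as a ROP chain.
 * The attacker never observes `base`. */
payload_t victim_generate_payload(uintptr_t base)
{
    payload_t p;
    for (size_t i = 0; i < NSLOTS; i++)
        p.slot[i] = base + stored_off[i];
    return p;
}

/* Step 2, variant A: an additive relative write. The delta is known purely
 * from the binary, so the same patch works under any ASLR base. */
void patch_add(payload_t *p)
{
    for (size_t i = 0; i < NSLOTS; i++)
        p->slot[i] += gadget_off[i] - stored_off[i];
}

/* Step 2, variant B: overwrite only the least significant byte, the classic
 * "write one byte at a known offset" primitive. Also position-independent,
 * but it silently assumes the stored pointer and the gadget share the same
 * 256-byte window at run time, i.e. that the base is suitably aligned. */
void patch_low_byte(payload_t *p)
{
    for (size_t i = 0; i < NSLOTS; i++)
        p->slot[i] = (p->slot[i] & ~(uintptr_t)0xff) | (gadget_off[i] & 0xff);
}

/* Oracle for the demo only: did every slot land exactly on its gadget? */
int check_chain(const payload_t *p, uintptr_t base)
{
    for (size_t i = 0; i < NSLOTS; i++)
        if (p->slot[i] != base + gadget_off[i])
            return 0;
    return 1;
}

/* Returns 1 if the additive patch yields a correct chain for this base. */
int demo_add(uintptr_t base)
{
    payload_t p = victim_generate_payload(base);
    patch_add(&p);
    return check_chain(&p, base);
}

/* Returns 1 if the low-byte partial overwrite yields a correct chain. */
int demo_low_byte(uintptr_t base)
{
    payload_t p = victim_generate_payload(base);
    patch_low_byte(&p);
    return check_chain(&p, base);
}

int main(void)
{
    /* Two hypothetical ASLR bases: one page-aligned, one deliberately not. */
    uintptr_t aligned   = (uintptr_t)0x555555554000ULL;
    uintptr_t unaligned = (uintptr_t)0x555555554080ULL;

    printf("additive patch, aligned base:   %s\n", demo_add(aligned)   ? "ok" : "FAIL");
    printf("additive patch, unaligned base: %s\n", demo_add(unaligned) ? "ok" : "FAIL");
    printf("low-byte patch, aligned base:   %s\n", demo_low_byte(aligned)   ? "ok" : "FAIL");
    printf("low-byte patch, unaligned base: %s\n", demo_low_byte(unaligned) ? "ok" : "FAIL");
    return 0;
}
```

The additive variant succeeds for every base because the delta cancels the unknown base entirely; the partial overwrite succeeds only when the base keeps the low bits of the stored pointer predictable, which is exactly the kind of layout assumption an attacker must verify against the target's loader and allocator before relying on it.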
This work is based upon research supported in part by the European Commission through project H2020 MSCA-RISE-2015 “PROTASIS” under Grant Agreement No. 690972 and H2020 “BASTION” under Grant Agreement No. 640110, in part by the U.S. Office of Naval Research under award numbers N00014-16-1-2261, N00014-17-1-2788, and N00014-17-1-2782, and in part by the Netherlands Organisation for Scientific Research through grants NWO 639.023.309 VICI “Dowsing” and NWO 639.021.753 VENI “PantaRhei”. The public artifacts reflect only the authors’ view. The funding agencies are not responsible for any use that may be made of the information they contain.