• DocumentCode
    3703979
  • Title
    Loop-Oriented Programming: A New Code Reuse Attack to Bypass Modern Defenses
  • Author
    Bingchen Lan;Yan Li;Hao Sun;Chao Su;Yao Liu;Qingkai Zeng

  • Author_Institution
    Dept. of Comput. Sci. &
  • Volume
    1
  • fYear
    2015
  • Firstpage
    190
  • Lastpage
    197
  • Abstract
    Code reuse attacks have become one of the most popular exploitation techniques, and coarse-grained control flow integrity (CFI) is a practical approach used to prevent such attacks. Recently, some new approaches have been proposed to construct call-preceded-ROP attacks to bypass coarse-grained CFI; however, we find that they still fail to bypass the shadow stack, which enforces caller-callee semantics to strengthen CFI and constrains the control flow in a much stricter way. Therefore, in this paper, we propose a new code reuse attack, named loop-oriented programming (LOP), aiming to bypass both coarse-grained CFI and the shadow stack. Quite different from previous code reuse attacks, LOP collects entire functions as basic building blocks (i.e., gadgets) and chains these gadgets in a way that the control flow strictly follows the call-ret pairing discipline. Specifically, LOP selects a particular function containing a loop statement, called the loop gadget, to chain all the available gadgets. To demonstrate the effectiveness of LOP, we construct a proof-of-concept exploit against Internet Explorer 8 on the 32-bit x86 platform.
  • Keywords
    "Semantics","Programming","Security","Process control","Internet","Runtime","Libraries"
  • Publisher
    ieee
  • Conference_Titel
    Trustcom/BigDataSE/ISPA, 2015 IEEE
  • Type
    conf

  • DOI
    10.1109/Trustcom.2015.374
  • Filename
    7345282