Advanced code reuse attacks against modern defences

Abstract

Exploit development is an arms race between attackers and defenders. In this thesis, I introduce the development of code reuse attacks in recent years together with control flow integrity (CFI). I give a deep insight into binary-level CFI and demonstrate how limited those mitigations are against sophisticated code reuse attacks. TypeArmor and vfGuard are believed to be sufficient for defending against vtable reuse attacks; both techniques use semantic information as their control flow integrity enforcement policy. We propose Layered Object-Oriented Programming (LOOP), an advanced vtable reuse attack, to show that these coarse-grained CFI strategies are still vulnerable to vtable reuse attacks. In LOOP, we introduce argument expansion gadgets and transfer gadgets to bypass TypeArmor and vfGuard respectively. We generalize the characteristics of both gadgets and develop a tool to discover them at the binary level. We demonstrate that, under the protection of TypeArmor and vfGuard, Firefox, Adobe Flash Player and Internet Explorer are all vulnerable to LOOP attacks. Furthermore, we evaluate the availability and complexity of both gadgets in common software and libraries. Moreover, we explain what a JIT spray attack is and how constant blinding is expected to defend against it. We study the design and implementation of the constant blinding mechanism in Flash Player and analyse the weakness in its pseudo random number generator (PRNG). This weakness can be exploited to recover the PRNG seed value, thus weakening constant blinding in Flash Player. We propose two methods to circumvent constant blinding in Flash Player and demonstrate that both are practical by presenting proof-of-concept attacks based on an existing vulnerability. We have reported the issue to the Adobe Flash security team, and CVE-2017-3000 was assigned to us.
Furthermore, we implement a prototype tool, Constant Blinding Enhancement (ConBE), based on a dynamic instrumentation framework to defend against our proposed attacks. ConBE provides a stronger defence than the official Flash Player patch. We also study the JIT engines in the Edge and Chrome browsers and try to discover non-blinded constants in the JIT code. We propose Blockade, a grammar-based fuzzing framework, to search for cases where constant numbers are not blinded (non-blinded constants) in JIT code. We revisit the grammar of JavaScript and discover that a proper grammar combined with an efficient generation policy can greatly help us dig for non-blinded constants in JIT code. Our work shows that structural information in a scripting language can be utilized to release non-blinded constant numbers. We run Blockade on Microsoft Edge and Google Chrome. The results show that, in addition to the cases discovered in previous work, our tool is able to find more cases of non-blinded constants. We find that array offsets, object fields, global variables and even the number of statements in a script can be used to emit non-blinded constants in JIT code.