Traditional shell code attacks (e.g., stack and heap based execution) may no longer able to execute on targeted computers due to the No eXecute (NX) bit and/or Data Execution Prevention (DEP) or similar features supported by hardware and/or an Operating System (OS). Additionally, dynamically injected code may be under scrutiny by security vendors and an Operating System when executed from non-executable sections of memory. Newer shell code attacks may be designed to work around these checks. Newer shell code attacks may be designed to execute a complete logical sequence of operations by executing fragments of instruction fragments (from executable code pages) that jump from one fragment to the other with the help of addresses and parameters supplied in a payload. This may differ from traditional shell code where the instructions to be executed were supplied in the payload itself. A payload may thus comprise multiple sets of addresses and optionally, parameters. The byte sequence fragments (forming logical instruction sequences) may abuse x86 binary execution weakness wherein the instruction pointer may be made to jump anywhere (where that starting byte may very well be sub-part of an expected multi-byte instruction or its operands) and as long as the byte and subsequent byte sequences make instructional sense, the processor may execute them.
The shell coders (i.e., hackers) challenge is merely to exploit an application vulnerability and build stack such that instruction pointer can jump to locations that have usable instructions ending with a control transfer instruction where the control transfer address is fetched from the stack (e.g., a pop Executable Instruction Pointer (EIP) effect via return instruction) or moving the stack data to a register and using the register value to do a jmp also known as pop-jmp sequences (like pop x; jmp *x) using any general purpose registers. Such shell code is referred as ROP (Return-oriented-programming) or JOP (Jump-oriented-programming). The step of exploitation that searches for logical sequence of bytes that make instructional sense that end in a control transfer instruction (known as “eggs” or “gadgets”) that can be stitched to carry out an operation (known as “omelet” or “gadget”) is referred to as “gadget hunting”. Note that sequence of instructions ending in a call instruction are typically not considered a useable gadget since the since the return address is governed by the call instruction and not by the attacker. The higher the number of occurrences of such eggs or gadgets, the easier it gets to write shell code against these binaries. Gadgets may be aligned or unaligned byte sequences. An aligned byte sequence may be a sequence of bytes executed in an order intended by the program design (e.g., instructions OA/OB followed by OC/OD and then OE). An unaligned byte sequence may be the execution of bytes in an order other than that intended by the program design (e.g., using a jump to skip instruction OA and execute OB/OC followed by OD/OE). Because shell coders may be able to control a EIP (e.g., by using heap spraying to allow execution of a payload pointing to addresses of desired instructions) traditional safeguards such as the NX bit and scanning for injection codes may not be sufficient. Furthermore, the abundance of unaligned byte sequences may makes it trivial to construct a logical sequence of operations that can be exploited.
In view of the foregoing, it may be understood that there may be significant problems and shortcomings associated with current executable code vulnerability reduction technologies.