dwarf frankenstein is still in your memory: tiny code reuse attacks

Code reuse attacks such as return oriented programming and jump oriented programming are the most popular exploitation methods among attackers. a large number of practical and non-practical defenses are proposed that differ in their overhead, the source code requirement, detection rate and implementation dependencies. however, a usual aspect among these methods is consideration of the common behaviour of code reuse attacks, which is the construction of a gadget chain. therefore, the implication of a gadget and the minimum size of an attack chain are a matter of controversy. conservative or relaxed thresholds may cause false positive and false negative alarms, respectively. the main contribution of this paper is to provide a tricky aspect of code reuse techniques, called tiny code reuse attacks (tiny-cra) that demonstrates the ineffectiveness of the threshold based detection methods. we show that with bare minimum assumptions, tiny-cra can reduce the size of a gadget chain in shuch a way that no distinction can be detected between normal behaviour of a program and a code-reuse execution. to do so, we exhibit our tiny-cra primitives and introduce a useful gadget set available in “libc. we demonstrate the effectiveness of our approach by implementing nine different shell-codes and exploiting real-world buffer overflow vulnerability in ht editor 2.0.20.