oss-sec mailing list archives
Re: Re: Fwd: x86 ROP mitigation
From: Jonathan Salwan <jonathan.salwan () gmail com>
Date: Thu, 19 Nov 2015 12:08:21 +0100
Hey Steve,
> What I found was that the list of libraries or programs that ROPgadget could build a chain for is fairly small. I thought about reasons why that might be the case and then considered that maybe if the gadgets from several libraries were combined, maybe it would find more.

The build chain of ROPgadget is pretty "stupid": we search for a series of patterns [1] which would allow us to build our payload. If these patterns are not present, we don't build the payload. Then, we don't search through other libraries. That's why you got a small list. The best way to build a ROP chain automatically is to build the chain from the instruction semantics (take a look at slides 53 to 62 of this lecture [2]).

> But I think ASLR would make too many moving parts for that to be practical. If you use a whole library or application, then everything moves together up or down as a unit to the new offset.

If you find the base address from the plt/got, you win. Florian Gaultier proved that it was possible [3].

> Another thought in explaining why the list was so small is that the quality of the chaining that ROPgadget has needs a lot of improvement.

So true :).

[1] https://goo.gl/faO3VC
[2] http://goo.gl/ttpr5S
[3] http://goo.gl/kDTa1A