Re: Re: Fwd: x86 ROP mitigation

[Jonathan Salwan <jonathan.salwan () gmail com>]

Hey Steve,

> What I found was that the list of libraries or programs that ROPgadget could
> build a chain for is fairly small. I thought about reasons why that might be
> the case and then considered that maybe if the gadgets from several libraries
> were combined, maybe it would find more.

The build chain of ROPgadget is pretty "stupid", we search a series of
patterns [1] which would allow us to build our payload. If these
patterns are not present we don't build the payload. Then, we don't
search through others libraries. That's why you got a small list. The
best way to build a ROP-chain automatically, is to build the chain
from the instruction semantics (take a look from slide 53 to 62 of
this lecture [2]).

> But I think ASLR would make too many
> moving parts for that to be practical. If you use a whole library or
> application, then everything moves together up or down as a unit to the new
> offset.

If you find the base address from the plt/got you win. Florian
Gaultier proved that it was possible [3].

> Another thought in explaining why the list was so small is that the quality of
> the chaining that ROPgadget has needs a lot of improvement.

So true :).

[1] https://goo.gl/faO3VC
[2] http://goo.gl/ttpr5S
[3] http://goo.gl/kDTa1A