09 - ROP countermeasures, can we fix this?

  1. ROP countermeasures: Can we fix this? Alex Moneger, Security Engineer
  2. Position independent code
     - PIE: also referenced as full ASLR
     - Randomization of the base address of all segments
     - No more gadgets to find:

       cisco@kali:~/src/seccon/ch9$ cc aslr.c -o aslr-pie -fpie -pie -ldl
       cisco@kali:~/src/seccon/ch9$ ./aslr-pie
       Stack base address: 0xbff3fcb4
       Heap base address: 0xb975e008
       Memcpy libc address: 0xb77339a0
       Code section address: 0xb77bf786
       Data section address: 0xb77c0af8
       RO data section address: 0xb77bf880
       cisco@kali:~/src/seccon/ch9$ ./aslr-pie
       Stack base address: 0xbfb20234
       Heap base address: 0xb9082008
       Memcpy libc address: 0xb76ff9a0
       Code section address: 0xb778b786
       Data section address: 0xb778caf8
       RO data section address: 0xb778b880

     © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
  3. PIE continued
     - Can't predict gadget addresses anymore
     - Can still rely on ASLR bruteforcing
     - Expensive at runtime (~25% overhead)
     - Not widely used:

       cisco@kali:~/src/seccon/ch9$ uname -a
       Linux kali 3.12-kali1-686-pae #1 SMP Debian 3.12.6-2kali1 (2014-01-06) i686 GNU/Linux
       cisco@kali:~/src/seccon/ch9$ sudo ~/bin/checksec.sh --proc-all | grep "PIE en" | sort -u
       atd              2423   Full RELRO      Canary found   NX enabled   PIE enabled
       at-spi-bus-laun  24825  Full RELRO      Canary found   NX enabled   PIE enabled
       bluetoothd       5965   Partial RELRO   Canary found   NX enabled   PIE enabled
       dhclient         2839   Full RELRO      Canary found   NX enabled   PIE enabled
       mysqld           5211   Full RELRO      Canary found   NX enabled   PIE enabled
       openvpn          12791  Full RELRO      Canary found   NX enabled   PIE enabled
       ssh-agent        3099   Full RELRO      Canary found   NX enabled   PIE enabled
       sshd             3436   Full RELRO      Canary found   NX enabled   PIE enabled
       Xorg             2468   Partial RELRO   Canary found   NX enabled   PIE enabled
  4. GNU RELRO
     - Full RELRO (-Wl,-z,relro,-z,now) prevents PLT/GOT overwrites
     - All functions are resolved at startup of the program
     - Lazy binding is not possible anymore
     - Does not prevent GOT dereferencing, of course
     - Not very useful
  5. Stack pivot detection
     - Check whether esp points into the stack
     - Difficult to achieve (when to check?)
     - Can still pivot inside the stack
     - No known implementation (outside of research)
  6. Ret detection
     - Detect code doing many rets
     - Difficult to check
     - Can still use jmp instead (much harder)
     - No known implementation (outside of research)
  7. Concerned about exploitation? PIE is your only option
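As an added example (not part of the deck), the script below re-derives the PIE, RELRO and NX columns that checksec.sh reports on slides 3 and 4 by reading an ELF64 image's program headers and dynamic section directly, so you can see which headers each flag on slide 4 actually sets; the sample ELF images it builds for the demonstration are constructed inline, and the helper names are my own.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 3, 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, PF_X = 0x8, 0x1, 0x1

def checksec(elf: bytes) -> dict:
    """Return {'pie': bool, 'relro': 'Full'|'Partial'|'No', 'nx': bool} for an ELF64 LE image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    has_relro = bind_now = False
    nx = False  # no PT_GNU_STACK header at all gives an executable stack on Linux
    for i in range(e_phnum):
        p_type, p_flags, p_off = struct.unpack_from("<IIQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not p_flags & PF_X
        elif p_type == PT_GNU_RELRO:  # -z relro: GOT region is remapped read-only after relocation
            has_relro = True
        elif p_type == PT_DYNAMIC:  # -z now is recorded here as a BIND_NOW flag (no lazy binding)
            while True:
                d_tag, d_val = struct.unpack_from("<qQ", elf, p_off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    bind_now = True
                p_off += 16
    # Full RELRO needs both the read-only GOT and eager binding. PIE is inferred from
    # ET_DYN, which a shared object also reports, so read 'pie' as 'relocatable'.
    relro = "Full" if has_relro and bind_now else "Partial" if has_relro else "No"
    return {"pie": e_type == ET_DYN, "relro": relro, "nx": nx}

def build_sample_elf(pie: bool, relro: bool, bind_now: bool, nx: bool) -> bytes:
    """Constructed minimal ELF64 image holding only the headers checksec() reads."""
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") \
        + struct.pack("<qQ", DT_NULL, 0)
    phdrs = [(PT_GNU_STACK, 0x6 | (0 if nx else PF_X)), (PT_DYNAMIC, 0x6)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    dyn_off = 64 + 56 * len(phdrs)  # dynamic section sits right after the program headers
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off if t == PT_DYNAMIC else 0,
                                0, 0, len(dyn), len(dyn), 8) for t, f in phdrs)
    return ehdr + body + dyn
```

On a real binary, `checksec(open(path, "rb").read())` gives the same three verdicts checksec.sh prints; a process that is "Partial RELRO" like bluetoothd above has the PT_GNU_RELRO segment but no BIND_NOW flag, so its unresolved GOT entries stay writable.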
