09 - ROP countermeasures, can we fix this?
Alexandre Moneger
* Possible mitigations
* Compiler and OS protection mitigations
1.
ROP countermeasures: can we fix this?
Alex Moneger, Security Engineer
2.
Position independent code
* PIE: also referenced as full ASLR
* Randomization of the base address of all segments
* No more gadgets to find:

    cisco@kali:~/src/seccon/ch9$ cc aslr.c -o aslr-pie -fpie -pie -ldl
    cisco@kali:~/src/seccon/ch9$ ./aslr-pie
    Stack base address: 0xbff3fcb4
    Heap base address: 0xb975e008
    Memcpy libc address: 0xb77339a0
    Code section address: 0xb77bf786
    Data section address: 0xb77c0af8
    RO data section address: 0xb77bf880
    cisco@kali:~/src/seccon/ch9$ ./aslr-pie
    Stack base address: 0xbfb20234
    Heap base address: 0xb9082008
    Memcpy libc address: 0xb76ff9a0
    Code section address: 0xb778b786
    Data section address: 0xb778caf8
    RO data section address: 0xb778b880

© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
3.
PIE continued
* Can’t predict gadget addresses anymore
* Can still rely on ASLR bruteforcing
* Expensive at runtime (~ 25% overhead)
* Not widely used:

    cisco@kali:~/src/seccon/ch9$ uname -a
    Linux kali 3.12-kali1-686-pae #1 SMP Debian 3.12.6-2kali1 (2014-01-06) i686 GNU/Linux
    cisco@kali:~/src/seccon/ch9$ sudo ~/bin/checksec.sh --proc-all | grep "PIE en" | sort -u
    atd              2423   Full RELRO      Canary found   NX enabled   PIE enabled
    at-spi-bus-laun  24825  Full RELRO      Canary found   NX enabled   PIE enabled
    bluetoothd       5965   Partial RELRO   Canary found   NX enabled   PIE enabled
    dhclient         2839   Full RELRO      Canary found   NX enabled   PIE enabled
    mysqld           5211   Full RELRO      Canary found   NX enabled   PIE enabled
    openvpn          12791  Full RELRO      Canary found   NX enabled   PIE enabled
    ssh-agent        3099   Full RELRO      Canary found   NX enabled   PIE enabled
    sshd             3436   Full RELRO      Canary found   NX enabled   PIE enabled
    Xorg             2468   Partial RELRO   Canary found   NX enabled   PIE enabled
4.
GNU RELRO
* Full RELRO (-Wl,-z,relro,-z,now) prevents PLT/GOT overwrites
* All functions are resolved at startup of the program
* Lazy binding is not possible anymore
* Does not prevent GOT dereferencing, of course
* Not very useful
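The checksec output on slide 3 classifies each process by RELRO, NX and PIE, and slide 4 explains what Full RELRO changes at link time. The following added example (not from the slides, and not checksec.sh's own code) reimplements that part of the classification by parsing the ELF64 program headers and the dynamic section directly, and builds constructed header-only ELF images to exercise it. The numeric constants are the standard elf.h values; the rule "ET_DYN plus a PT_INTERP segment means a PIE executable" is a simplification of checksec.sh's heuristic and is an assumption of this example.

```python
"""Minimal checksec-style classifier for ELF64 binaries: PIE, RELRO, NX.
Added example; the ELF images it tests on are constructed in build_sample_elf()."""
import struct

# Constants from the System V ABI / glibc elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def parse_program_headers(data):
    """Return (e_type, list of program header tuples) for a little-endian ELF64 image."""
    ident, e_type, _, _, _, e_phoff, _, _, _, phentsize, phnum, _, _, _ = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    return e_type, [PHDR.unpack_from(data, e_phoff + i * phentsize) for i in range(phnum)]


def dynamic_entries(data, phdrs):
    """Yield (tag, value) pairs from the PT_DYNAMIC segment, stopping at DT_NULL."""
    for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                return
            yield tag, val


def classify(data):
    """Classify PIE / RELRO / NX the way the checksec columns on slide 3 do."""
    e_type, phdrs = parse_program_headers(data)
    types = {p[0]: p for p in phdrs}
    dyn = dict(dynamic_entries(data, phdrs))
    # PIE: a DYN-type object that also asks for an interpreter (simplified rule, see lead-in).
    if e_type == ET_DYN:
        pie = "PIE enabled" if PT_INTERP in types else "DSO"
    else:
        pie = "No PIE"
    # RELRO: a GNU_RELRO segment gives partial RELRO; adding BIND_NOW (no lazy
    # binding, so the whole GOT is relocated before it is made read-only) gives full.
    bind_now = bool(DT_BIND_NOW in dyn
                    or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    if PT_GNU_RELRO not in types:
        relro = "No RELRO"
    elif bind_now:
        relro = "Full RELRO"
    else:
        relro = "Partial RELRO"
    # NX: a GNU_STACK segment whose flags do not include PF_X.
    stack = types.get(PT_GNU_STACK)
    nx = "NX enabled" if stack is not None and not (stack[1] & PF_X) else "NX disabled"
    return {"pie": pie, "relro": relro, "nx": nx}


def build_sample_elf(pie=True, relro=True, bind_now=True, exec_stack=False):
    """Construct a tiny header-only ELF64 image (no code) carrying the requested flags."""
    segs = [(PT_INTERP, 4), (PT_GNU_STACK, 6 | (PF_X if exec_stack else 0))]
    if relro:
        segs.append((PT_GNU_RELRO, 4))
    segs.append((PT_DYNAMIC, 6))
    dyn_bytes = DYN.pack(DT_FLAGS, DF_BIND_NOW if bind_now else 0) + DYN.pack(DT_NULL, 0)
    phoff = EHDR.size
    dyn_off = phoff + PHDR.size * len(segs)
    phdrs = b""
    for p_type, flags in segs:
        off, size = (dyn_off, len(dyn_bytes)) if p_type == PT_DYNAMIC else (0, 0)
        phdrs += PHDR.pack(p_type, flags, off, off, off, size, size, 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, v1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, phoff, 0, 0,
                     EHDR.size, PHDR.size, len(segs), 64, 0, 0)
    return ehdr + phdrs + dyn_bytes


if __name__ == "__main__":
    samples = [("hardened", {}), ("lazy-bind", {"bind_now": False}),
               ("legacy", {"pie": False, "relro": False, "exec_stack": True})]
    for name, kw in samples:
        print(f"{name:10s} {classify(build_sample_elf(**kw))}")
```

To check a real binary, call classify(open(path, "rb").read()); only little-endian ELF64 is handled, and the "Canary found" column is not reproduced because it needs the symbol table. Like the checksec run on slide 3, this reads link-time flags, so it reports what the loader will do at startup, which is exactly the distinction slide 4 draws: Full RELRO removes lazy binding and the writable GOT, but says nothing about code that merely reads GOT entries.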
5.
Stack pivot detection
* Check whether esp points into the stack
* Difficult to achieve (when to check?)
* Can still pivot inside the stack
* No known implementation (outside of research)
6.
Ret detection
* Detect code doing many rets
* Difficult to check
* Can still use jmp instead (much harder)
* No known implementation (outside of research)
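Slides 5 and 6 describe two runtime heuristics, a check that esp still points into the stack and a check for code doing many rets, and list why each is hard. The following added example (my own toy, not code from the slides or from any shipped detector) models both over a constructed instruction trace: a pivot is flagged when the stack pointer leaves the [stack] mapping, and a ret chain is flagged when several returns arrive with only a handful of instructions between them and no intervening call. The stack bounds, trace format, addresses and thresholds are all constructed for the example.

```python
"""Toy trace-based versions of two runtime ROP heuristics: stack-pivot detection
(slide 5) and ret-chain detection (slide 6).  Added example, not from the slides."""
from dataclasses import dataclass


@dataclass
class Step:
    addr: int       # address of the executed instruction
    mnemonic: str   # instruction mnemonic, e.g. "ret", "pop", "call", "jmp"
    sp: int         # stack pointer value after the instruction executed


# Constructed bounds of the [stack] mapping of a 32-bit process.
STACK_LO, STACK_HI = 0xBFF00000, 0xC0000000


def find_pivot(trace, lo=STACK_LO, hi=STACK_HI):
    """Index of the first step whose stack pointer lies outside [lo, hi), or None.
    This is the 'does esp still point into the stack?' check from slide 5; a pivot
    that stays inside the mapping (slide 5's third bullet) is invisible to it."""
    for i, step in enumerate(trace):
        if not lo <= step.sp < hi:
            return i
    return None


def find_ret_chain(trace, max_gadget_len=5, min_chain=3):
    """Index of the ret completing `min_chain` consecutive short gadgets, or None.

    A gadget is 'short' when at most `max_gadget_len` instructions ran since the
    previous ret.  A call resets the chain: an ordinary call/ret pair of a tiny leaf
    function would otherwise look like a gadget, which is the main false-positive source.
    """
    since_last_ret = 0
    chain = 0
    for i, step in enumerate(trace):
        if step.mnemonic == "ret":
            chain = chain + 1 if since_last_ret <= max_gadget_len else 0
            since_last_ret = 0
            if chain >= min_chain:
                return i
        elif step.mnemonic == "call":
            chain = 0
            since_last_ret = 0
        else:
            since_last_ret += 1
    return None


# Constructed traces; addresses and stack values are illustrative only.
BENIGN = [  # two ordinary calls to tiny leaf functions
    Step(0x08048400, "call", 0xBFF0FEFC), Step(0x08048500, "push", 0xBFF0FEF8),
    Step(0x08048501, "mov", 0xBFF0FEF8), Step(0x08048503, "pop", 0xBFF0FEFC),
    Step(0x08048504, "ret", 0xBFF0FF00), Step(0x08048405, "call", 0xBFF0FEFC),
    Step(0x08048510, "inc", 0xBFF0FEFC), Step(0x08048511, "ret", 0xBFF0FF00),
]
CHAIN = [  # three one-instruction gadgets joined by rets, with no call in between
    Step(0x080484F4, "ret", 0xBFF0FF08), Step(0x080485A0, "pop", 0xBFF0FF0C),
    Step(0x080485A1, "ret", 0xBFF0FF10), Step(0x080486B3, "pop", 0xBFF0FF14),
    Step(0x080486B4, "ret", 0xBFF0FF18),
]
PIVOT = [  # the stack pointer is rewritten to point into the heap
    Step(0x08048400, "mov", 0xBFF0FF00), Step(0x08048402, "mov", 0x0804A010),
    Step(0x08048404, "ret", 0x0804A014),
]
JMP_ONLY = [  # control transfers via jmp: the ret heuristic has nothing to count
    Step(0x080484F4, "pop", 0xBFF0FF08), Step(0x080484F5, "jmp", 0xBFF0FF08),
    Step(0x080485A0, "pop", 0xBFF0FF0C), Step(0x080485A1, "jmp", 0xBFF0FF0C),
    Step(0x080486B3, "pop", 0xBFF0FF10), Step(0x080486B4, "jmp", 0xBFF0FF10),
]


if __name__ == "__main__":
    for name, trace in [("benign", BENIGN), ("chain", CHAIN), ("pivot", PIVOT), ("jmp", JMP_ONLY)]:
        print(f"{name:7s} pivot at {find_pivot(trace)}, ret chain at {find_ret_chain(trace)}")
```

The constructed traces make the slides' caveats concrete: find_pivot only sees a stack pointer that leaves the mapping, and find_ret_chain reports nothing for JMP_ONLY, which is slide 6's "can still use jmp instead". The other cost the slides name, "when to check?", is also visible here: a full per-instruction trace like the one above is far too expensive for production, which is why research detectors of this family (kBouncer, for instance) inspect the CPU's last-branch records only at system call entry and accept the coverage gap that implies.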
7.
Concerned about exploitation? PIE is your only option.