Nytro

Security Mitigations for Return-Oriented Programming Attacks

Abstract

With the discovery of new exploit techniques, new protection mechanisms are needed as well. Mitigations like DEP (Data Execution Prevention) or ASLR (Address Space Layout Randomization) created a significantly more difficult environment for vulnerability exploitation. Attackers, however, have recently developed new exploitation methods which are capable of bypassing the operating system's security protection mechanisms.

In this paper we present a short summary of novel and known mitigation techniques against return-oriented programming (ROP) attacks. The techniques described in this article are related mostly to x86-32 processors and Microsoft Windows operating systems.

1 Introduction

In order to increase the security level of the operating system, Microsoft has implemented several mitigation mechanisms, such as DEP and ASLR.

Data Execution Prevention (DEP) is a security feature that prohibits the application from executing code from a non-executable memory area. To exploit a vulnerability, an attacker must find an executable memory region and be able to fill it with the necessary data (e.g., shellcode instructions). Generally, achieving this goal using old exploitation techniques is made significantly more difficult with the addition of the DEP mechanism. As a result, attackers improved upon the classic "return-into-libc" technique and started using return-oriented programming (ROP) [3, 7] to bypass Data Execution Prevention.

Techniques like ROP are still based on the attacker understanding memory layout characteristics, leading Microsoft to implement Address Space Layout Randomization (ASLR) as a countermeasure. ASLR renders the layout of an application's address space less predictable because it relocates the base addresses of executable modules and other memory mappings. The ROP technique was introduced in order to bypass the DEP protection mechanism. In this article we present novel and known mechanisms which are created specifically to prevent attackers from exploiting vulnerabilities based on the ROP method. The presented mitigations will be divided into two general categories:

• Compiler-level mitigations — mitigations that can only be applied by the compiler or linker.

• Binary-level mitigations — mitigations that can be applied without knowing the source code of the protected code fragment.

Download:

http://kryptoslogic.com/download/ROP_Whitepaper.pdf
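The DEP and ASLR opt-ins described above are recorded by the linker in the DllCharacteristics field of the PE optional header, so the first check a defender makes on a Windows module is whether it actually carries those flags. The script below is an added example, not code from the paper or from Kryptos Logic: it parses that field from raw bytes using the offsets from the PE/COFF specification, flags a DYNAMIC_BASE image whose relocations were stripped (the loader cannot rebase such an image, so it gets no ASLR in practice), and notes a 64-bit image that lacks HIGH_ENTROPY_VA. The sample images are constructed inline as header-only PE files; the function and constant names are the script's own.

```python
"""Check a Windows PE image for the DEP (NX) and ASLR opt-in flags.

Added example: the flags are read from the DllCharacteristics field of the
optional header and from the COFF Characteristics word.  Offsets follow the
PE/COFF specification; sample images are constructed below, not real files.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

# Optional-header DllCharacteristics bits
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high entropy
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be rebased (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image is DEP/NX compatible
# COFF-header Characteristics bit
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # no .reloc table: image cannot be moved


def parse_pe_mitigations(data: bytes) -> dict:
    """Return the DEP/ASLR related flags of a PE image given as bytes."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER follows the signature
    machine, _, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    if opt_size < 0x48:
        raise ValueError("optional header too short to contain DllCharacteristics")
    # DllCharacteristics sits at offset 0x46 in both the PE32 and the PE32+ layout.
    dll_chars = struct.unpack_from("<H", data, opt + 0x46)[0]
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "machine": machine,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        # The loader can only randomize the base of an image it is able to relocate.
        "aslr": dynamic_base and not relocs_stripped,
    }


def missing_mitigations(data: bytes) -> list:
    """List the mitigation gaps a reviewer would flag for this image."""
    info = parse_pe_mitigations(data)
    findings = []
    if not info["dep"]:
        findings.append("NX_COMPAT not set: image does not opt in to DEP")
    if not info["dynamic_base"]:
        findings.append("DYNAMIC_BASE not set: image does not opt in to ASLR")
    elif info["relocs_stripped"]:
        findings.append("DYNAMIC_BASE set but relocations stripped: image cannot be rebased")
    if info["format"] == "PE32+" and info["aslr"] and not info["high_entropy_va"]:
        findings.append("HIGH_ENTROPY_VA not set: 64-bit image limited to low-entropy ASLR")
    return findings


def build_minimal_pe(dll_chars: int, file_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed sample: a header-only PE image carrying the given flag words."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header right after DOS header
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C               # AMD64 or i386
    coff = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 0x46, dll_chars)
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "hardened x86": build_minimal_pe(0x0140),                    # NX_COMPAT | DYNAMIC_BASE
        "legacy x86": build_minimal_pe(0x0000),
        "stripped-relocs x86": build_minimal_pe(0x0040, IMAGE_FILE_RELOCS_STRIPPED),
        "x64 low entropy": build_minimal_pe(0x0140, pe32plus=True),
    }
    for name, image in samples.items():
        print(f"{name}: {parse_pe_mitigations(image)}")
        for finding in missing_mitigations(image):
            print(f"  - {finding}")
```

To run it against a real module, read the file with `open(path, "rb").read()` and pass the bytes to `missing_mitigations`; only the headers are touched, so the whole file need not be mapped. The relocation check matters because a build that sets DYNAMIC_BASE but strips its .reloc section reports ASLR support while leaving the module at a fixed address, which is exactly the predictable layout the ROP attacker relies on.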
