ROP countermeasures 
Can we fix this? 
Alex Moneger 
Security Engineer
Position independent code
• PIE: also referred to as full ASLR
• Randomization of the base address of all segments
• No more gadgets to find:
cisco@kali:~/src/seccon/ch9$ cc aslr.c -o aslr-pie -fpie -pie -ldl 
cisco@kali:~/src/seccon/ch9$ ./aslr-pie 
Stack base address: 0xbff3fcb4 
Heap base address: 0xb975e008 
Memcpy libc address: 0xb77339a0 
Code section address: 0xb77bf786 
Data section address: 0xb77c0af8 
RO data section address: 0xb77bf880 
cisco@kali:~/src/seccon/ch9$ ./aslr-pie 
Stack base address: 0xbfb20234 
Heap base address: 0xb9082008 
Memcpy libc address: 0xb76ff9a0 
Code section address: 0xb778b786 
Data section address: 0xb778caf8 
RO data section address: 0xb778b880 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
PIE continued
• Can't predict gadget addresses anymore
• Can still rely on ASLR brute-forcing
• Expensive at runtime (~25% overhead)
• Not widely used
cisco@kali:~/src/seccon/ch9$ uname -a 
Linux kali 3.12-kali1-686-pae #1 SMP Debian 3.12.6-2kali1 (2014-01-06) i686 GNU/Linux 
cisco@kali:~/src/seccon/ch9$ sudo ~/bin/checksec.sh --proc-all | grep "PIE en" | sort -u 
atd 2423 Full RELRO Canary found NX enabled PIE enabled 
at-spi-bus-laun 24825 Full RELRO Canary found NX enabled PIE enabled 
bluetoothd 5965 Partial RELRO Canary found NX enabled PIE enabled 
dhclient 2839 Full RELRO Canary found NX enabled PIE enabled 
mysqld 5211 Full RELRO Canary found NX enabled PIE enabled 
openvpn 12791 Full RELRO Canary found NX enabled PIE enabled 
ssh-agent 3099 Full RELRO Canary found NX enabled PIE enabled 
sshd 3436 Full RELRO Canary found NX enabled PIE enabled 
Xorg 2468 Partial RELRO Canary found NX enabled PIE enabled 
GNU RELRO
• Full RELRO (-Wl,-z,relro,-z,now) prevents PLT/GOT overwrites
• All functions are resolved at program startup
• Lazy binding is no longer possible
• Does not prevent GOT dereferencing, of course
• Not very useful
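Added example (not checksec.sh and not code from the slides): a small checker that reads the ELF header, program headers and dynamic section to report the PIE, RELRO and NX state that the checksec output above shows, mapping -z relro to the PT_GNU_RELRO segment and -z now to the BIND_NOW dynamic flags. It assumes little-endian ELF64 input; build_elf() constructs synthetic, non-loadable header images so the checker can be exercised offline.

```python
"""Minimal checksec-style probe for ELF64 binaries: reports PIE, RELRO and NX."""
import struct
import sys

# ELF constants (ELF64 specification plus the GNU program-header extensions).
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian, 64 bytes
PHDR = "<IIQQQQQQ"           # Elf64_Phdr, 56 bytes
DYN = "<qQ"                  # Elf64_Dyn, 16 bytes


def check_elf(data: bytes) -> dict:
    """Return {'pie': bool, 'relro': 'No'|'Partial'|'Full', 'nx': bool} for an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    relro_segment = False
    nx = False            # no PT_GNU_STACK at all means an executable stack on x86
    bind_now = False
    for i in range(e_phnum):
        p_type, p_flags, p_off, _va, _pa, p_filesz, _ms, _al = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro_segment = True        # -z relro: GOT made read-only after relocation
        elif p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)   # stack mapped without execute permission
        elif p_type == PT_DYNAMIC:
            # -z now appears as DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in
            # DT_FLAGS_1; any of them disables lazy binding.
            for off in range(p_off, p_off + p_filesz, struct.calcsize(DYN)):
                tag, val = struct.unpack_from(DYN, data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True

    if relro_segment and bind_now:
        relro = "Full"       # GOT fully resolved at startup, then read-only
    elif relro_segment:
        relro = "Partial"    # GOT stays writable so lazy binding can work
    else:
        relro = "No"
    # ET_DYN also covers shared libraries; for an executable it means it was linked -pie.
    return {"pie": e_type == ET_DYN, "relro": relro, "nx": nx}


def build_elf(pie: bool, relro: str, nx: bool = True) -> bytes:
    """Construct a minimal ELF64 image (headers only, not loadable) with the requested
    properties; relro is 'No', 'Partial' or 'Full'. Constructed input for testing."""
    entries = []
    if relro == "Full":
        entries += [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)]
    entries.append((DT_NULL, 0))
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in entries)

    stack_flags = PF_R | PF_W | (0 if nx else PF_X)
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0, 0, 0, 0, 0x1000),
             (PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if relro != "No":
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    phnum = len(phdrs) + 1                      # plus the PT_DYNAMIC entry below
    dyn_off = struct.calcsize(EHDR) + struct.calcsize(PHDR) * phnum
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8))

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, v1, SysV
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                       struct.calcsize(EHDR), 0, 0, struct.calcsize(EHDR),
                       struct.calcsize(PHDR), phnum, 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + dyn


def describe(r: dict) -> str:
    """Format a result in the style of the checksec.sh columns."""
    return "%s RELRO  NX %s  PIE %s" % (r["relro"], "enabled" if r["nx"] else "disabled",
                                       "enabled" if r["pie"] else "disabled")


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /path/to/binary ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, describe(check_elf(fh.read())))
```

Running it on a binary built with and without -fpie -pie -Wl,-z,relro,-z,now shows the two states side by side, which is the quickest way to confirm a build really picked up the flags.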
Stack pivot detection
• Check whether esp points into the stack
• Difficult to achieve (when to check?)
• Can still pivot inside the stack
• No known implementation (outside of research)
Ret detection
• Detect code doing many rets
• Difficult to check
• Can still use jmp instead (much harder)
• No known implementation (outside of research)
If you are concerned about exploitation, PIE is your only option.