In-memory ROP payload detection

Justin Kim (Microsoft)

Since the introduction of DEP (Data Execution Prevention) to block shellcode from executing, the use of ROP (Return-Oriented Programming) in exploits has increased over the past decade. ASLR (Address Space Layout Randomization) helps mitigate ROP, but in recent years exploit writers have increasingly focused on finding ways to bypass ASLR and thereby enable ROP. ROP is an exploit technique that abuses the return mechanism of the calling convention to execute attacker-chosen code locations (gadgets) that are linked together as ROP chains.

In this paper, I will show how it is possible to detect these chains in payloads targeted at various applications. To build the malicious payload, an attacker chooses a combination of ROP gadgets collected from loaded modules. However, the set of gadgets available in a given module is finite and limited in number, and this limited supply makes the possible combinations of gadgets detectable. Even ROP attacks that depend on bypassing ASLR with a memory disclosure (info leak) vulnerability can be detected, because the relative offsets between the gadgets do not change when the module is relocated.

I will demonstrate scanning against in-the-wild exploits and show how to analyse the chain once it is found. Each address in the chain is mapped to an assembly instruction sequence in the gadget database. In this way the purpose of the ROP chain, that is, what it has been programmed to do, can be revealed.
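The detection approach described in the abstract, as an added example that is not part of the original paper or the author's tool: a scanner over a raw memory buffer that treats the gadget database as a set of RVAs, hypothesises a module base from each candidate pointer so that ASLR-relocated chains are still found by their relative offsets, and maps every hit back to its disassembly. The module name demo.dll, its gadget RVAs and instructions, the sample buffer, and the assumption that module bases are page aligned are all constructed for this example.

```python
import struct

# Constructed gadget database for a hypothetical 32-bit module "demo.dll"
# (assumption: not a real module). Keys are RVAs relative to the module base,
# values are the disassembly a gadget finder would have recorded for them.
MODULE = "demo.dll"
GADGET_DB = {
    0x1A3C: "pop eax ; ret",
    0x2F10: "pop ecx ; ret",
    0x3B22: "mov [ecx], eax ; ret",
    0x4D08: "pop esi ; pop edi ; ret",
    0x5E90: "call eax",
}

POINTER_SIZE = 4
MIN_CHAIN = 3        # fewer consecutive gadget hits is treated as noise
MIN_DISTINCT = 2     # a run of one repeated address is not a chain
BASE_ALIGN = 0x1000  # assumption: module bases are page aligned


def stack_args(insn):
    """Words a gadget pops off the stack before its ret (one per pop)."""
    return sum(1 for part in insn.split(";") if part.strip().startswith("pop "))


def _words(buf, align):
    """(offset, value) for every 32-bit LE word at stride 4 from byte `align`."""
    return [(off, struct.unpack_from("<I", buf, off)[0])
            for off in range(align, len(buf) - POINTER_SIZE + 1, POINTER_SIZE)]


def _follow_chain(values, start, base, gadget_db):
    """Walk forward while each word is base+RVA of a known gadget, skipping the
    argument words that pop-style gadgets consume. Returns (chain, end_index)."""
    chain, j = [], start
    while j < len(values):
        rva = values[j] - base
        if rva not in gadget_db:
            break
        insn = gadget_db[rva]
        args = values[j + 1:j + 1 + stack_args(insn)]
        chain.append({"addr": values[j], "rva": rva, "insn": insn, "args": args})
        j += 1 + len(args)
    return chain, j


def find_rop_chains(buf, gadget_db=GADGET_DB, min_chain=MIN_CHAIN):
    """Scan raw memory for runs of pointers whose distances match the gadget
    database. ASLR moves the base but not the distances, so each word is tried
    as base+RVA of every gadget and that base hypothesis is checked against the
    words that follow. Returns one dict per chain found."""
    results = []
    for align in range(POINTER_SIZE):   # a chain in a dump need not be 4-byte aligned
        words = _words(buf, align)
        values = [v for _, v in words]
        i = 0
        while i < len(values):
            best, end = None, i + 1
            for rva in gadget_db:
                base = values[i] - rva
                if base < 0 or base % BASE_ALIGN:
                    continue
                chain, j = _follow_chain(values, i, base, gadget_db)
                distinct = len({g["rva"] for g in chain})
                if (len(chain) >= min_chain and distinct >= MIN_DISTINCT
                        and (best is None or len(chain) > len(best["gadgets"]))):
                    best = {"offset": words[i][0], "base": base, "gadgets": chain}
                    end = j
            if best:
                results.append(best)
            i = end
    return results


def describe(chain, module=MODULE):
    """Render a found chain the way an analyst reads it: address, module+RVA,
    gadget disassembly and the immediate values the gadget pops."""
    lines = ["chain at buffer offset %d, %s base 0x%08x"
             % (chain["offset"], module, chain["base"])]
    for g in chain["gadgets"]:
        args = "  <- " + ", ".join("0x%08x" % a for a in g["args"]) if g["args"] else ""
        lines.append("  0x%08x  %s+0x%04x  %s%s" % (g["addr"], module, g["rva"], g["insn"], args))
    return lines


def build_sample(base=0x6B240000):
    """Constructed heap-spray-style buffer: 0x0c filler around a chain that
    writes 0x41414141 to 0x0dead000 and then calls eax. The caller picks the
    base, as ASLR would; the scanner is never told it."""
    chain = [
        base + 0x2F10, 0x0DEAD000,               # pop ecx ; ret   (target address)
        base + 0x1A3C, 0x41414141,               # pop eax ; ret   (value to store)
        base + 0x3B22,                           # mov [ecx], eax ; ret
        base + 0x4D08, 0x11111111, 0x22222222,   # pop esi ; pop edi ; ret
        base + 0x5E90,                           # call eax
    ]
    return b"\x0c" * 17 + struct.pack("<%dI" % len(chain), *chain) + b"\x0c" * 23


if __name__ == "__main__":
    for found in find_rop_chains(build_sample()):
        print("\n".join(describe(found)))
```

The base-alignment and minimum-distinct-gadget filters are what keep a scan of spray filler quiet: a word that happens to be a page-aligned distance from one RVA would otherwise register as a chain of that single gadget repeated. Against a real gadget database (thousands of entries per module) the per-word hypothesis loop is the cost to watch, and a production scanner would index the database by the low 12 bits of the RVA so that only page-consistent hypotheses are tried.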

VB2013 takes place 2-4 October 2013 in Berlin, Germany.
