In-memory ROP payload detection
Justin Kim Microsoft
Since the introduction of DEP (Data Execution Prevention) to block shellcode from execution, the use of ROP (Return-Oriented Programming) in exploits has increased over the past
decade. ASLR (Address Space Layout Randomization) helps mitigate ROP, but in recent years exploit writers have increasingly focused on finding ways to bypass ASLR and thereby
enable ROP. ROP is an exploit technique that uses the mechanism of a calling convention to execute attacker-specified code locations that are linked as ROP chains.
In this paper, I will show how it is possible to detect these chains that are targeted towards various applications. For attackers to generate the malicious payload, they choose a
combination of ROP gadgets collected from modules. However, this set of gadgets is finite and limited in number. This characteristic makes it possible to detect the finite combinations
of gadgets. Even ROP attacks that depend on bypassing ASLR with a memory disclosure (info leak) vulnerability can be detected using relative offsets of the gadgets.
I will demonstrate scanning against in-the-wild exploits and show how to analyse the chain once found. Each address in the chain is mapped to an assembly instruction in the gadget
database. In this way, the purpose of the ROP chain or what it is programmed to do can be revealed.
VB2013 takes place 2-4 October 2013 in Berlin, Germany.
The full programme for VB2013, including abstracts for each paper, can be viewed here.
Click here for more details about the conference or register online.
del.icio.us digg this