09 - ROP countermeasures, can we fix this?
Alex Moneger, Security Engineer
Position independent code
- PIE: also referenced as full ASLR
- Randomization of the base address of all segments
- No more gadgets to find:
cisco@kali:~/src/seccon/ch9$ cc aslr.c -o aslr-pie -fpie -pie -ldl 
cisco@kali:~/src/seccon/ch9$ ./aslr-pie 
Stack base address: 0xbff3fcb4 
Heap base address: 0xb975e008 
Memcpy libc address: 0xb77339a0 
Code section address: 0xb77bf786 
Data section address: 0xb77c0af8 
RO data section address: 0xb77bf880 
cisco@kali:~/src/seccon/ch9$ ./aslr-pie 
Stack base address: 0xbfb20234 
Heap base address: 0xb9082008 
Memcpy libc address: 0xb76ff9a0 
Code section address: 0xb778b786 
Data section address: 0xb778caf8 
RO data section address: 0xb778b880 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
PIE continued
- Can't predict gadget addresses anymore
- Can still rely on ASLR bruteforcing
- Expensive at runtime (~25% overhead)
- Not widely used
cisco@kali:~/src/seccon/ch9$ uname -a 
Linux kali 3.12-kali1-686-pae #1 SMP Debian 3.12.6-2kali1 (2014-01-06) i686 GNU/Linux 
cisco@kali:~/src/seccon/ch9$ sudo ~/bin/checksec.sh --proc-all | grep "PIE en" | sort -u 
atd 2423 Full RELRO Canary found NX enabled PIE enabled 
at-spi-bus-laun 24825 Full RELRO Canary found NX enabled PIE enabled 
bluetoothd 5965 Partial RELRO Canary found NX enabled PIE enabled 
dhclient 2839 Full RELRO Canary found NX enabled PIE enabled 
mysqld 5211 Full RELRO Canary found NX enabled PIE enabled 
openvpn 12791 Full RELRO Canary found NX enabled PIE enabled 
ssh-agent 3099 Full RELRO Canary found NX enabled PIE enabled 
sshd 3436 Full RELRO Canary found NX enabled PIE enabled 
Xorg 2468 Partial RELRO Canary found NX enabled PIE enabled 
GNU RELRO
- Full RELRO (-Wl,-z,relro,-z,now) prevents PLT/GOT overwrites
- All functions are resolved at startup of the program
- Lazy binding is not possible anymore
- Does not prevent GOT dereferencing, of course
- Not very useful
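The RELRO, NX and PIE columns of the checksec.sh output above are read straight out of the ELF headers: -z relro emits a PT_GNU_RELRO segment, -z now sets a BIND_NOW flag in the dynamic section, and -pie makes the executable ET_DYN. The following inspector is an added example, not code from this deck or from checksec.sh; it applies the same rules checksec.sh applies via readelf, and builds constructed ELF64 images (headers and dynamic section only, no code) so it runs without a real binary. It assumes little-endian ELF64 input.

```python
"""Minimal checksec-style inspector for ELF64 little-endian binaries.

Reads only the ELF header, program headers and the dynamic section, which is
all the RELRO / NX / PIE columns of checksec.sh are derived from. The canary
column needs the symbol table (__stack_chk_fail) and is not covered here.
"""
import struct

ET_EXEC, ET_DYN = 2, 3                                   # e_type values
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552      # -z relro emits PT_GNU_RELRO
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 21, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1                         # -z now sets one of these

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def checksec(data: bytes) -> dict:
    """Return the RELRO / NX / PIE verdicts checksec.sh would print for `data`."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]

    # Collect dynamic tags: PT_DYNAMIC points at an array of (d_tag, d_val) ending in DT_NULL.
    dyn_tags = {}
    for p_type, _flags, p_offset, _va, _pa, p_filesz, _ms, _al in phdrs:
        if p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, DYN.size):
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                dyn_tags[tag] = val

    # NX: the stack is non-executable only if PT_GNU_STACK exists and lacks PF_X.
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = "NX enabled" if stack and not (stack[0][1] & PF_X) else "NX disabled"

    # RELRO: PT_GNU_RELRO alone is partial; full RELRO also needs BIND_NOW so that
    # the GOT is resolved at startup and can be remapped read-only (no lazy binding).
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = bool(DT_BIND_NOW in dyn_tags
                    or dyn_tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn_tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = "Full RELRO" if has_relro and bind_now else "Partial RELRO" if has_relro else "No RELRO"

    # PIE: an executable built with -pie is ET_DYN like a shared library; checksec.sh
    # tells them apart by the DT_DEBUG entry the linker only emits for executables.
    if e_type == ET_EXEC:
        pie = "No PIE"
    elif e_type == ET_DYN:
        pie = "PIE enabled" if DT_DEBUG in dyn_tags else "DSO"
    else:
        pie = "Not an executable"
    return {"relro": relro, "nx": nx, "pie": pie}


def build_elf(e_type, exec_stack=False, relro=True, bind_now=True, executable=True):
    """Constructed ELF64 image (headers and dynamic section only, no code) used as sample input."""
    dyn = DYN.pack(DT_DEBUG, 0) if executable else b""
    if bind_now:
        dyn += DYN.pack(DT_FLAGS, DF_BIND_NOW)
    dyn += DYN.pack(DT_NULL, 0)
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0, 0, 0, 0, 0x1000),
             (PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    n = len(phdrs) + 1                                   # plus the PT_DYNAMIC entry below
    dyn_off = EHDR.size + n * PHDR.size
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, n, 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs) + dyn


def checksec_file(path: str) -> dict:
    """Run the same checks on a binary from disk, e.g. checksec_file('/bin/ls')."""
    with open(path, "rb") as f:
        return checksec(f.read())


if __name__ == "__main__":
    samples = {
        "cc -fpie -pie -Wl,-z,relro,-z,now": build_elf(ET_DYN),
        "cc -fpie -pie -Wl,-z,relro":        build_elf(ET_DYN, bind_now=False),
        "cc -no-pie, executable stack":      build_elf(ET_EXEC, exec_stack=True, relro=False, bind_now=False),
        "shared library":                    build_elf(ET_DYN, executable=False),
    }
    for label, image in samples.items():
        r = checksec(image)
        print(f"{label:40} {r['relro']:14} {r['nx']:12} {r['pie']}")
```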
Stack pivot detection
- Check whether esp points into the stack
- Difficult to achieve (when to check?)
- Can still pivot inside the stack
- No known implementation (outside of research)
Ret detection
- Detect code doing many rets
- Difficult to check
- Can still use jmp instead (much harder)
- No known implementation (outside of research)
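The two preceding slides sketch runtime heuristics (esp inside the stack at each ret, and a burst of rets with gadget-sized gaps) without an implementation. The code below is an added example, not from this deck, that runs both over a constructed instruction trace; it assumes a hypothetical tracer delivering one (eip, mnemonic, esp) tuple per instruction and takes the stack bounds from a constructed /proc/<pid>/maps excerpt with the 32-bit layout seen on the slides.

```python
"""Runtime ROP heuristics from the slides, run over a constructed instruction trace.

Stack pivot detection: at every `ret` the stack pointer must lie inside the
[stack] mapping of the process.
Ret frequency detection: gadgets are short, so a run of `ret`s with only a few
instructions between them is flagged.
"""
from collections import deque

# Constructed /proc/<pid>/maps excerpt with the 32-bit layout seen on the slides.
MAPS = """\
08048000-08049000 r-xp 00000000 08:01 1234     /home/user/demo
0804a000-0806b000 rw-p 00000000 00:00 0        [heap]
b7e2b000-b7fd4000 r-xp 00000000 08:01 5678     /lib/i386-linux-gnu/libc.so.6
bffdf000-c0000000 rw-p 00000000 00:00 0        [stack]
"""


def stack_bounds(maps_text):
    """Return (lo, hi) of the [stack] mapping parsed from /proc/<pid>/maps text."""
    for line in maps_text.splitlines():
        parts = line.split()
        if parts and parts[-1] == "[stack]":
            lo, hi = parts[0].split("-")
            return int(lo, 16), int(hi, 16)
    raise ValueError("no [stack] mapping found")


def detect(trace, maps_text, window=6, max_gap=4):
    """Scan a trace of (eip, mnemonic, esp) tuples, as a hypothetical tracer would
    deliver them, and return a list of (trace index, reason) alerts."""
    lo, hi = stack_bounds(maps_text)
    alerts = []
    gaps = deque(maxlen=window)   # instructions executed between the last `window` rets
    since_ret = 0
    for i, (_eip, mnemonic, esp) in enumerate(trace):
        if mnemonic != "ret":
            since_ret += 1
            continue
        # Heuristic 1 (stack pivot): checked at each ret, since that is where the CPU
        # pops the next address from esp. A chain laid out inside the real stack passes.
        if not lo <= esp < hi:
            alerts.append((i, f"ret with esp={esp:#x} outside [stack] {lo:#x}-{hi:#x}"))
        # Heuristic 2 (ret detection): `window` consecutive rets separated by at most
        # `max_gap` instructions looks like a gadget chain. A chain built from
        # jmp-terminated gadgets never trips it, which is the weakness the slide names.
        gaps.append(since_ret)
        since_ret = 0
        if len(gaps) == window and max(gaps) <= max_gap:
            alerts.append((i, f"{window} rets with <= {max_gap} instructions between them"))
            gaps.clear()          # report a burst once, then re-arm
    return alerts


def segment(n_insns, esp, eip=0x08048500):
    """Constructed trace piece: n_insns ordinary instructions, then a ret at the given esp."""
    return [(eip + k, "insn", esp) for k in range(n_insns)] + [(eip + n_insns, "ret", esp)]


# Constructed traces. Normal code returns every ~30 instructions with esp on the stack;
# a gadget chain returns every 2 instructions, either inside the stack or after a
# pivot of esp into the heap.
NORMAL_TRACE = [e for k in range(8) for e in segment(30, 0xBFFFE000 + 16 * k)]
CHAIN_IN_STACK = [e for k in range(8) for e in segment(2, 0xBFFFE000 + 4 * k)]
CHAIN_PIVOTED = NORMAL_TRACE[:31] + [e for k in range(8) for e in segment(2, 0x0804B000 + 4 * k)]


if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_TRACE), ("in-stack chain", CHAIN_IN_STACK),
                        ("pivoted chain", CHAIN_PIVOTED)]:
        print(name, detect(trace, MAPS) or "no alert")
```

The in-stack chain is caught only by the ret-frequency rule, which is the slide's point that pivot checking alone is not enough.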
Concerned about exploitation? PIE is your only option.
