09 - ROP countermeasures, can we fix this?
- 2. Position independent code
PIE: also referenced as full ASLR
Randomization of base address of all segments
No more gadgets to find:
cisco@kali:~/src/seccon/ch9$ cc aslr.c -o aslr-pie -fpie -pie -ldl
cisco@kali:~/src/seccon/ch9$ ./aslr-pie
Stack base address: 0xbff3fcb4
Heap base address: 0xb975e008
Memcpy libc address: 0xb77339a0
Code section address: 0xb77bf786
Data section address: 0xb77c0af8
RO data section address: 0xb77bf880
cisco@kali:~/src/seccon/ch9$ ./aslr-pie
Stack base address: 0xbfb20234
Heap base address: 0xb9082008
Memcpy libc address: 0xb76ff9a0
Code section address: 0xb778b786
Data section address: 0xb778caf8
RO data section address: 0xb778b880
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
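The slide shows only the output of its aslr.c, not the source. The program below is an added example written for this page (not Cisco's aslr.c) that reproduces the same experiment and adds one thing the printout alone does not show: it asks the loader, through glibc's dl_iterate_phdr, for the main executable's load bias, which is zero for a classic executable and a fresh random value on every run of a PIE. Build it twice, once plain and once with -fpie -pie, and run each a few times; the names segaddrs, marker, main_load_bias and link_time_address are this example's own, and the struct layout is an assumption made for the demo.

```c
#define _GNU_SOURCE
#include <link.h>      /* dl_iterate_phdr, struct dl_phdr_info (glibc, Linux) */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One address sampled from each region the slide's aslr.c prints. */
struct segaddrs {
    uintptr_t stack, heap, libc_fn, code, data, rodata;
};

static int g_data = 42;          /* placed in .data   */
static const int g_rodata = 7;   /* placed in .rodata */
static void marker(void) {}      /* placed in .text   */

/* Sample one address per segment. With PIE every value moves between
 * executions; without it only the stack, heap and libc values move. */
void collect_segment_addresses(struct segaddrs *out)
{
    int local = 0;
    void *h = malloc(64);
    out->stack   = (uintptr_t)&local;
    out->heap    = (uintptr_t)h;
    out->libc_fn = (uintptr_t)memcpy;
    out->code    = (uintptr_t)marker;
    out->data    = (uintptr_t)&g_data;
    out->rodata  = (uintptr_t)&g_rodata;
    free(h);
}

/* Sanity helper: the six samples must all be non-zero and pairwise distinct. */
int segment_addresses_distinct(void)
{
    struct segaddrs a;
    collect_segment_addresses(&a);
    uintptr_t v[6] = { a.stack, a.heap, a.libc_fn, a.code, a.data, a.rodata };
    for (int i = 0; i < 6; i++) {
        if (v[i] == 0) return 0;
        for (int j = i + 1; j < 6; j++)
            if (v[i] == v[j]) return 0;
    }
    return 1;
}

uintptr_t code_address(void) { return (uintptr_t)marker; }

/* dl_iterate_phdr visits the main program first; dlpi_addr is its load bias.
 * Returning non-zero stops the walk after that first object. */
static int record_first_object(struct dl_phdr_info *info, size_t size, void *data)
{
    (void)size;
    *(uintptr_t *)data = (uintptr_t)info->dlpi_addr;
    return 1;
}

/* Difference between the link-time and the load-time address of the main
 * executable: 0 for a classic executable, random and non-zero for a PIE. */
uintptr_t main_load_bias(void)
{
    uintptr_t bias = 0;
    dl_iterate_phdr(record_first_object, &bias);
    return bias;
}

int loaded_as_pie(void) { return main_load_bias() != 0; }

/* Remove the per-execution shift: the address the symbol had in the file.
 * This value is the same on every run, which is why PIE only holds as long as
 * no code pointer leaves the process (a point for reviewers of logging code). */
uintptr_t link_time_address(uintptr_t runtime_addr)
{
    return runtime_addr - main_load_bias();
}

int main(void)
{
    struct segaddrs a;
    collect_segment_addresses(&a);
    printf("Loaded as PIE:           %s (load bias 0x%lx)\n",
           loaded_as_pie() ? "yes" : "no", (unsigned long)main_load_bias());
    printf("Stack address:           0x%lx\n", (unsigned long)a.stack);
    printf("Heap address:            0x%lx\n", (unsigned long)a.heap);
    printf("Memcpy libc address:     0x%lx\n", (unsigned long)a.libc_fn);
    printf("Code section address:    0x%lx\n", (unsigned long)a.code);
    printf("Data section address:    0x%lx\n", (unsigned long)a.data);
    printf("RO data section address: 0x%lx\n", (unsigned long)a.rodata);
    printf("Code link-time address:  0x%lx\n", (unsigned long)link_time_address(a.code));
    return 0;
}
```

Compile with `cc pie-demo.c -o pie-demo` and again with `cc pie-demo.c -o pie-demo-pie -fpie -pie`; on toolchains that default to PIE the first build already reports a non-zero bias, which is the quickest way to find out what your distribution's compiler does by default.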
- 3. PIE continued
Can’t predict gadget addresses anymore
Can still rely on ASLR bruteforcing
Expensive at runtime (~ 25% overhead)
Not widely used
cisco@kali:~/src/seccon/ch9$ uname -a
Linux kali 3.12-kali1-686-pae #1 SMP Debian 3.12.6-2kali1 (2014-01-06) i686 GNU/Linux
cisco@kali:~/src/seccon/ch9$ sudo ~/bin/checksec.sh --proc-all | grep "PIE en" | sort -u
atd 2423 Full RELRO Canary found NX enabled PIE enabled
at-spi-bus-laun 24825 Full RELRO Canary found NX enabled PIE enabled
bluetoothd 5965 Partial RELRO Canary found NX enabled PIE enabled
dhclient 2839 Full RELRO Canary found NX enabled PIE enabled
mysqld 5211 Full RELRO Canary found NX enabled PIE enabled
openvpn 12791 Full RELRO Canary found NX enabled PIE enabled
ssh-agent 3099 Full RELRO Canary found NX enabled PIE enabled
sshd 3436 Full RELRO Canary found NX enabled PIE enabled
Xorg 2468 Partial RELRO Canary found NX enabled PIE enabled
- 4. GNU RELRO
Full RELRO (-Wl,-z,relro,-z,now) prevents PLT/GOT overwrites
All functions are resolved at startup of the program
Lazy binding is not possible anymore
Does not prevent GOT dereferencing of course
Not very useful
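The checksec output on the previous slide reports "Full RELRO" or "Partial RELRO" per process; the program below is an added example (not part of the deck or of checksec) that derives that verdict from the ELF file itself, so the reader can see what the two levels mean in the headers. It looks for a PT_GNU_RELRO program header (the region the loader remaps read-only after relocation) and for the bind-now markers in the dynamic section (DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, DF_1_NOW in DT_FLAGS_1) that -z now produces. RELRO alone gives "Partial"; RELRO plus bind-now gives "Full", because only then is the GOT fully resolved at startup and inside the read-only region. It assumes a glibc/Linux build, parses only files of the build's own word size, and the names relro_status, classify_elf and relro_name are this example's own.

```c
#define _GNU_SOURCE
#include <elf.h>
#include <link.h>      /* ElfW(): Elf32_/Elf64_ types matching this build */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum relro_level { RELRO_ERROR = -1, RELRO_NONE = 0, RELRO_PARTIAL = 1, RELRO_FULL = 2 };

/* Read the program headers and the dynamic section of an already opened ELF. */
static enum relro_level classify_elf(FILE *f)
{
    ElfW(Ehdr) eh;
    if (fread(&eh, sizeof eh, 1, f) != 1) return RELRO_ERROR;
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0) return RELRO_ERROR;
    if (eh.e_ident[EI_CLASS] != (sizeof(void *) == 8 ? ELFCLASS64 : ELFCLASS32))
        return RELRO_ERROR;   /* only the build's own word size is parsed here */
    if (eh.e_phentsize != sizeof(ElfW(Phdr)) || eh.e_phnum == 0) return RELRO_ERROR;

    ElfW(Phdr) *ph = calloc(eh.e_phnum, sizeof *ph);
    if (!ph) return RELRO_ERROR;
    if (fseek(f, (long)eh.e_phoff, SEEK_SET) != 0 ||
        fread(ph, sizeof *ph, eh.e_phnum, f) != eh.e_phnum) {
        free(ph);
        return RELRO_ERROR;
    }

    int has_relro = 0, bind_now = 0;
    long dyn_off = -1;
    unsigned long dyn_size = 0;
    for (int i = 0; i < eh.e_phnum; i++) {
        if (ph[i].p_type == PT_GNU_RELRO) has_relro = 1;   /* -z relro */
        if (ph[i].p_type == PT_DYNAMIC) {
            dyn_off = (long)ph[i].p_offset;
            dyn_size = (unsigned long)ph[i].p_filesz;
        }
    }
    free(ph);

    /* Walk the dynamic entries looking for the three ways "bind now" is recorded. */
    if (dyn_off >= 0 && fseek(f, dyn_off, SEEK_SET) == 0) {
        ElfW(Dyn) d;
        for (unsigned long n = 0; n < dyn_size / sizeof d; n++) {
            if (fread(&d, sizeof d, 1, f) != 1 || d.d_tag == DT_NULL) break;
            if (d.d_tag == DT_BIND_NOW) bind_now = 1;
            if (d.d_tag == DT_FLAGS   && (d.d_un.d_val & DF_BIND_NOW)) bind_now = 1;
            if (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW))    bind_now = 1;
        }
    }

    if (!has_relro) return RELRO_NONE;
    return bind_now ? RELRO_FULL : RELRO_PARTIAL;
}

/* Classify the file at path; RELRO_ERROR if it cannot be opened or parsed. */
enum relro_level relro_status(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return RELRO_ERROR;
    enum relro_level r = classify_elf(f);
    fclose(f);
    return r;
}

const char *relro_name(enum relro_level l)
{
    switch (l) {
    case RELRO_NONE:    return "No RELRO";
    case RELRO_PARTIAL: return "Partial RELRO";
    case RELRO_FULL:    return "Full RELRO";
    default:            return "error";
    }
}

int main(int argc, char **argv)
{
    /* With no argument, inspect the running binary itself. */
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    printf("%s: %s\n", path, relro_name(relro_status(path)));
    return 0;
}
```

Building the checker itself with and without `-Wl,-z,relro,-z,now` and pointing it at both outputs shows the Partial/Full split directly; `readelf -l` (GNU_RELRO) and `readelf -d` (BIND_NOW, FLAGS_1) give the same raw facts if you want to confirm the parse by hand.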
- 5. Stack pivot detection
Check whether esp points into the stack
Difficult to achieve (when to check?)
Can still pivot inside the stack
No known implementation (outside of research)
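To make the slide's two objections concrete, here is an added example (my own code, not a Cisco implementation; the deck says none exists outside research) of the check itself: is a stack-pointer value inside the main thread's stack? It reads the "[stack]" line of /proc/self/maps on Linux, which is an assumption of this example, and uses the current frame address as an approximation of esp/rsp. The two helper functions at the end illustrate the limitations the slide names: a heap pointer is caught, but a pointer to a buffer that lives on the stack passes, so a pivot that stays inside the stack is invisible to this check, and there is no natural place in the program to call it from. Names main_stack_bounds, stack_pointer_in_stack and the *_passes_check helpers are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Find the main thread's stack mapping in /proc/self/maps (Linux).
 * Returns 1 and fills [lo, hi) on success, 0 if no "[stack]" line is present. */
int main_stack_bounds(uintptr_t *lo, uintptr_t *hi)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (strstr(line, "[stack]") == NULL) continue;
        unsigned long start, end;
        if (sscanf(line, "%lx-%lx", &start, &end) == 2) {
            *lo = start;
            *hi = end;
            found = 1;
        }
        break;
    }
    fclose(f);
    return found;
}

/* The slide's check: does sp point into the stack?
 *  1 = inside, 0 = outside (pivoted to heap/data/anywhere else),
 * -1 = cannot tell because the mapping was not found. Note the mapping
 * reflects the stack as grown so far; the kernel may still extend it downward. */
int stack_pointer_in_stack(uintptr_t sp)
{
    uintptr_t lo, hi;
    if (!main_stack_bounds(&lo, &hi)) return -1;
    return (sp >= lo && sp < hi) ? 1 : 0;
}

/* Frame address of the caller's frame: a portable stand-in for reading esp. */
uintptr_t current_stack_pointer(void)
{
    return (uintptr_t)__builtin_frame_address(0);
}

/* A check placed "here", at one arbitrary point: the "when to check?" problem
 * is that nothing forces a pivot to happen where a check is executed. */
int check_at_this_point(void)
{
    return stack_pointer_in_stack(current_stack_pointer());
}

/* A pivot that moves the stack pointer onto the heap is detected (returns 0). */
int heap_pointer_passes_check(void)
{
    void *p = malloc(32);
    int r = stack_pointer_in_stack((uintptr_t)p);
    free(p);
    return r;
}

/* A pivot that stays inside the stack (e.g. into a local buffer) is not (returns 1). */
int stack_buffer_passes_check(void)
{
    char buf[256];
    memset(buf, 0, sizeof buf);
    return stack_pointer_in_stack((uintptr_t)buf);
}

int main(void)
{
    printf("current frame in stack:   %d\n", check_at_this_point());
    printf("heap pointer in stack:    %d\n", heap_pointer_passes_check());
    printf("stack buffer in stack:    %d\n", stack_buffer_passes_check());
    return 0;
}
```

The same bounds test is what a debugger or an instrumentation layer would run at return instructions or at system-call entry; the cost and the open question of placement are exactly why the slide lists it as research-only.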
- 6. Ret detection
Detect code doing many rets
Difficult to check
Can still use jmp instead (much harder)
No known implementation (outside of research)