ROP countermeasures 
Can we fix this? 
Alex Moneger 
Security Engineer
Position independent code
- PIE: also referred to as full ASLR
- Randomizes the base address of all segments (code, data and rodata, in addition to stack, heap and libc)
- No gadgets at fixed addresses to find any more; two runs of the same PIE binary:
cisco@kali:~/src/seccon/ch9$ cc aslr.c -o aslr-pie -fpie -pie -ldl 
cisco@kali:~/src/seccon/ch9$ ./aslr-pie 
Stack base address: 0xbff3fcb4 
Heap base address: 0xb975e008 
Memcpy libc address: 0xb77339a0 
Code section address: 0xb77bf786 
Data section address: 0xb77c0af8 
RO data section address: 0xb77bf880 
cisco@kali:~/src/seccon/ch9$ ./aslr-pie 
Stack base address: 0xbfb20234 
Heap base address: 0xb9082008 
Memcpy libc address: 0xb76ff9a0 
Code section address: 0xb778b786 
Data section address: 0xb778caf8 
RO data section address: 0xb778b880 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
PIE continued
- Gadget addresses can no longer be predicted
- Brute-forcing ASLR is still possible
- Expensive at runtime (~ 25% overhead)
- Not widely used; the running processes that have it enabled on this system:
cisco@kali:~/src/seccon/ch9$ uname -a 
Linux kali 3.12-kali1-686-pae #1 SMP Debian 3.12.6-2kali1 (2014-01-06) i686 GNU/Linux 
cisco@kali:~/src/seccon/ch9$ sudo ~/bin/checksec.sh --proc-all | grep "PIE en" | sort -u 
atd 2423 Full RELRO Canary found NX enabled PIE enabled 
at-spi-bus-laun 24825 Full RELRO Canary found NX enabled PIE enabled 
bluetoothd 5965 Partial RELRO Canary found NX enabled PIE enabled 
dhclient 2839 Full RELRO Canary found NX enabled PIE enabled 
mysqld 5211 Full RELRO Canary found NX enabled PIE enabled 
openvpn 12791 Full RELRO Canary found NX enabled PIE enabled 
ssh-agent 3099 Full RELRO Canary found NX enabled PIE enabled 
sshd 3436 Full RELRO Canary found NX enabled PIE enabled 
Xorg 2468 Partial RELRO Canary found NX enabled PIE enabled 
GNU RELRO
- Full RELRO (-Wl,-z,relro,-z,now) prevents PLT/GOT overwrites
- All functions are resolved at program startup
- Lazy binding is no longer possible
- Does not prevent reading (dereferencing) the GOT, of course
- Not very useful
Stack pivot detection
- Check whether esp still points into the stack region
- Difficult to achieve (when to check?)
- A chain can still pivot inside the stack
- No known implementation (outside of research)
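The PIE and RELRO columns in the checksec output above come straight from ELF metadata. The script below is an added example, not from the slides or from checksec.sh: it parses the ELF64 header, program headers and dynamic section, reports PIE (ET_DYN) and partial versus full RELRO (PT_GNU_RELRO plus a bind-now flag), and includes a constructed, non-loadable minimal ELF builder so the checker can be exercised offline.

```python
import struct

# ELF constants (values as defined in the ELF spec / glibc elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def check_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full'} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)
    has_relro, bind_now = False, False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:          # -z relro: the linker emits this segment
            has_relro = True
        elif p_type == PT_DYNAMIC:          # walk the dynamic section for -z now
            for j in range(p_filesz // DYN.size):
                tag, val = DYN.unpack_from(data, p_offset + j * DYN.size)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    # Full RELRO needs both the read-only segment and eager binding; relro alone is partial.
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    # ET_DYN is treated as PIE, as the 2014-era checksec.sh did; note that shared
    # libraries are ET_DYN too, so this is a heuristic when run on arbitrary files.
    return {"pie": e_type == ET_DYN, "relro": relro}


def build_sample_elf(pie: bool, relro: str) -> bytes:
    """Constructed minimal ELF64 image (header, program headers, dynamic section).
    It is not loadable; it only carries the metadata the checker inspects."""
    phdrs = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro != "none" else [])
    dyn_off = EHDR.size + PHDR.size * len(phdrs)
    dyn = DYN.pack(DT_FLAGS, DF_BIND_NOW) if relro == "full" else b""
    dyn += DYN.pack(DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # ELF64, little-endian, version 1
    out = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, EHDR.size, 0, 0,
                    EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    for p_type in phdrs:
        size = len(dyn) if p_type == PT_DYNAMIC else 0x1000
        out += PHDR.pack(p_type, 4, dyn_off, 0, 0, size, size, 8)
    return out + dyn


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # e.g. python3 elfcheck.py ./aslr-pie
        with open(path, "rb") as f:
            print(path, check_hardening(f.read()))
```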
Ret detection
- Detect code executing many rets in a row
- Difficult to check
- Chains can still be built from jmp-based gadgets instead (much harder)
- No known implementation (outside of research)
Concerned about exploitation? PIE is your only option