Thursday, May 19, 2011

Return Oriented Programming.

In the past CeSeNA security meetings we had focused on ROP (Return Oriented Programming) introduced by Shacham. ROP is a techniques by which W(+)X-style hardware protections (aka DEP) are evaded via carefully crafted stack frames that divert control flow into the middle of existing variable-lenght x86 instructions, creating a short new instruction streams that then return. ROP is Turing complete language and for such a reason is a powerful tool for every attacker.


This self-explanatory image has been taken from one of the most authoritative paper on such topic: "When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC ". I deeply suggest this reading to everybody interested on machine exploitation without injecting payloads to the machine, but using ROP technique. Once the %esp becomes the %eip the attacker could forge any instruction (Turing's completeness) determining which instruction to fetch and to execute. Processor doesn't automatically increment %esp but "ret" at the end of each instruction sequence (in a C lib, for instance) does.



For more information on this powerful exploiting technique read this, this (practical one), this and this (nice and small).

3 comments:

Anonymous said...

may want to add this to the list too : http://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/

Marco Ramilli said...

Good Link Anonymous !!!
Thank you !

muebles en salamanca said...

So, I do not really consider it may have success.