Thursday, May 19, 2011

Return Oriented Programming.

In the past CeSeNA security meetings we had focused on ROP (Return Oriented Programming) introduced by Shacham. ROP is a techniques by which W(+)X-style hardware protections (aka DEP) are evaded via carefully crafted stack frames that divert control flow into the middle of existing variable-lenght x86 instructions, creating a short new instruction streams that then return. ROP is Turing complete language and for such a reason is a powerful tool for every attacker.

This self-explanatory image has been taken from one of the most authoritative paper on such topic: "When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC ". I deeply suggest this reading to everybody interested on machine exploitation without injecting payloads to the machine, but using ROP technique. Once the %esp becomes the %eip the attacker could forge any instruction (Turing's completeness) determining which instruction to fetch and to execute. Processor doesn't automatically increment %esp but "ret" at the end of each instruction sequence (in a C lib, for instance) does.

For more information on this powerful exploiting technique read this, this (practical one), this and this (nice and small).


Anonymous said...

may want to add this to the list too :

Marco Ramilli said...

Good Link Anonymous !!!
Thank you !

muebles en salamanca said...

So, I do not really consider it may have success.