Return-Oriented Programming

Goals

  • Learn how ROP attacks work
  • Be able to execute a ROP attack
  • Analyze the implications of ROP for software defenses

ROP techniques

  • How can we implement shellcode with semantically equivalent gadgets?
  • How do we string together the execution of multiple gadgets?
  • How does standard disassembly work?
  • Compare/contrast intended vs. unintended gadgets
    • How do unintended gadgets arise?
    • How can we find them?
  • What are some examples of useful gadgets?
  • Stack pivots
    • What is a stack pivot?
    • How does it work?
    • Why is it useful?
  • What do ROP attacks imply for the software defenses we’ve seen so far?
    • E.g., canaries, DEP, ASLR, sanitizing library functions