Defenses and Return-Oriented Programming (ROP)

Goals

• Defenses and Limitations:
  • Explain how commonly deployed defenses work
  • Identify and exploit their limitations
• ROP
  • Learn how ROP attacks work
  • Be able to execute a ROP attack
  • Analyze the implications of ROP for software defenses

Control-Flow Defenses

• Stack Canaries/Cookies
  • How do they work?
  • What makes a good canary/cookie?
  • How can they be bypassed?
• Data Execution Prevention (DEP) / No eXecute (NX)
  • How does it work?
  • How can it be bypassed?
• ASLR
  • What does it do and why does it break standard attacks?
  • What are four classes of ASLR bypass?
    • Why would you choose one over the other?
  • Why is ASLR an incomplete defense in practice?

ROP techniques

• How can we implement shellcode with semantically equivalent gadgets?
• How do we string together the execution of multiple gadgets?
• How does standard disassembly work?
• Compare/contrast intended vs. unintended gadgets
  • How do unintended gadgets arise?
  • How can we find them?
• What are some examples of useful gadgets?
• What do ROP attacks imply for the software defenses we’ve seen so far?
  • E.g., canaries, DEP, ASLR, sanitizing library functions