[PATCH] Insert random noops to increase security against ROP attacks (llvm)

PaX Team pageexec at gmail.com
Mon Jan 5 19:58:00 PST 2015


On 5 Jan 2015 at 19:23, Mehdi Amini wrote:

> > that's exactly what i'm wondering about: what is that class of attacks?
> > blind ROP can discover gadgets remotely without knowing the exact code
> > content. in-browser exploits can leak the same information and construct
> > exploits on-the-fly. so where does the added random padding help exactly?
> 
> I don’t know the statistics on gadget presence in software in general,

check this out: http://users.ece.cmu.edu/~ejschwar/bib/schwartz_2011_rop-abstract.html

tl;dr: a minimal executable (from 20kB on) likely provides enough gadgets, real life
executables and libraries (think glibc, apache, firefox, etc) have more than enough.

> but something that I found interesting in https://www.ics.uci.edu/~ahomescu/multicompiler_cgo13.pdf
> is how figure 2 shows that inserting a nop between instructions reduce the possibility of finding
> gadgets on x86 because of the variable-length encoding.

this is only true for gadgets that are composed of unintended byte sequences (i.e.,
where the redirected control flow jumps into the middle of intended insns) and only
if such sequences cross intended insn boundaries. as you can see in the paper, there's
no case where gadgets are eliminated altogether, only their numbers are reduced and
that means that blind ROP will work against these binaries.
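To make the distinction in the reply above concrete, here is an added example that is not part of this thread, of the LLVM patch under discussion, or of either paper: a toy Galileo-style gadget scanner (every 0xC3 byte is a candidate ret; every start up to MAX_BACK bytes before it is tried) over a hand-assembled 32-bit x86 stream, run on the same instructions with different nop paddings. The instruction stream, the padding scheme (a one-byte nop after instruction i when bit i of a mask is set, a stand-in for the patch's random insertion), the 8-byte search window and all function names are assumptions for illustration, and the length decoder knows only the handful of opcodes the constructed stream uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_BYTES 64
#define MAX_BACK  8   /* bytes before a ret to try as gadget entry points (assumption) */

typedef struct { uint8_t bytes[8]; size_t len; } insn_t;

/* Constructed, hand-assembled 32-bit x86 stream (an assumption for this example). */
static const insn_t SAMPLE[] = {
    {{0xB8, 0xC3, 0x00, 0x00, 0x00}, 5}, /* mov eax, 0xC3 : 0xC3 (ret) inside the immediate          */
    {{0xB0, 0xB8}, 2},                   /* mov al, 0xB8  : 0xB8 (mov eax, imm32) as unintended opcode */
    {{0x31, 0xC0}, 2},                   /* xor eax, eax */
    {{0x89, 0xC8}, 2},                   /* mov eax, ecx */
    {{0xC3}, 1},                         /* ret */
    {{0x5F}, 1},                         /* pop edi */
    {{0xC3}, 1},                         /* ret */
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

typedef struct {
    uint8_t code[MAX_BYTES];
    size_t  len;
    uint8_t boundary[MAX_BYTES + 1];     /* 1 where an intended instruction (or inserted nop) starts */
} layout_t;

/* Lay out SAMPLE, inserting a one-byte nop after instruction i iff bit i of nop_mask is set. */
static void build_layout(unsigned nop_mask, layout_t *l) {
    memset(l, 0, sizeof *l);
    for (size_t i = 0; i < SAMPLE_N; i++) {
        l->boundary[l->len] = 1;
        memcpy(l->code + l->len, SAMPLE[i].bytes, SAMPLE[i].len);
        l->len += SAMPLE[i].len;
        if (nop_mask & (1u << i)) { l->boundary[l->len] = 1; l->code[l->len++] = 0x90; }
    }
    l->boundary[l->len] = 1;
}

/* Size of a 32-bit ModR/M operand (ModR/M + optional SIB + displacement); 0 if truncated. */
static size_t modrm_len(const uint8_t *p, size_t avail) {
    if (avail < 1) return 0;
    unsigned mod = p[0] >> 6, rm = p[0] & 7;
    size_t n = 1;
    if (mod == 3) return 1;
    if (rm == 4) { if (avail < 2) return 0; n++; if (mod == 0 && (p[1] & 7) == 5) n += 4; }
    else if (mod == 0 && rm == 5) n += 4;
    if (mod == 1) n += 1; else if (mod == 2) n += 4;
    return n <= avail ? n : 0;
}

/* Minimal x86-32 length decoder for the opcodes this example uses.  Anything else
 * returns 0 ("undecodable"), which conservatively ends the search at that byte. */
static size_t insn_len(const uint8_t *p, size_t avail) {
    if (avail == 0) return 0;
    uint8_t op = p[0];
    if ((op >= 0x50 && op <= 0x5F) || op == 0x90 || op == 0xC3) return 1;  /* push/pop, nop, ret */
    if (op >= 0xB0 && op <= 0xB7) return avail >= 2 ? 2 : 0;                /* mov r8, imm8 */
    if (op >= 0xB8 && op <= 0xBF) return avail >= 5 ? 5 : 0;                /* mov r32, imm32 */
    switch (op) {                                                            /* ALU/mov r/m forms */
    case 0x01: case 0x29: case 0x31: case 0x39: case 0x89: case 0x8B: {
        size_t m = modrm_len(p + 1, avail - 1);
        return m ? 1 + m : 0;
    }
    default: return 0;
    }
}

typedef enum { INTENDED, UNINTENDED_CONTAINED, UNINTENDED_CROSSING } kind_t;
typedef struct { size_t total, intended, contained, crossing; } summary_t;

/* Decoding linearly from s must land exactly on the ret at r, without passing
 * another ret or an undecodable byte on the way. */
static int reaches_ret(const layout_t *l, size_t s, size_t r) {
    size_t pos = s;
    while (pos < r) {
        size_t n = l->code[pos] == 0xC3 ? 0 : insn_len(l->code + pos, l->len - pos);
        if (n == 0) return 0;
        pos += n;
    }
    return pos == r;
}

/* Intended if s is an instruction start; otherwise "crossing" if the gadget's bytes [s, r]
 * run over an intended boundary, "contained" if they stay inside one instruction. */
static kind_t classify(const layout_t *l, size_t s, size_t r) {
    if (l->boundary[s]) return INTENDED;
    for (size_t p = s + 1; p <= r; p++) if (l->boundary[p]) return UNINTENDED_CROSSING;
    return UNINTENDED_CONTAINED;
}

/* Galileo-style scan: every 0xC3 is a candidate ret; try each start up to MAX_BACK bytes before it. */
static summary_t scan(unsigned nop_mask) {
    layout_t l; summary_t sum = {0, 0, 0, 0};
    build_layout(nop_mask, &l);
    for (size_t r = 0; r < l.len; r++) {
        if (l.code[r] != 0xC3) continue;
        for (size_t s = r > MAX_BACK ? r - MAX_BACK : 0; s <= r; s++) {
            if (!reaches_ret(&l, s, r)) continue;
            sum.total++;
            switch (classify(&l, s, r)) {
            case INTENDED:             sum.intended++;  break;
            case UNINTENDED_CONTAINED: sum.contained++; break;
            case UNINTENDED_CROSSING:  sum.crossing++;  break;
            }
        }
    }
    return sum;
}

int main(void) {
    const unsigned masks[] = { 0x00, 0x02, 0x7F };  /* no padding; nop after insn 1 only; nop after every insn */
    printf("%-6s %5s %8s %9s %8s\n", "mask", "total", "intended", "contained", "crossing");
    for (size_t i = 0; i < 3; i++) {
        summary_t s = scan(masks[i]);
        printf("0x%02x   %5zu %8zu %9zu %8zu\n", masks[i], s.total, s.intended, s.contained, s.crossing);
    }
    return 0;
}
```

The ret byte inside the immediate of mov eax, 0xC3 is found in every layout: padding goes between instructions, never inside one, so a contained unintended gadget is untouched. The gadget that starts at the unintended 0xB8 of mov al, 0xB8 (mov eax, 0xC889C031; ret in the unpadded stream) is destroyed by a nop after that instruction (the shifted mov eax, imm32 now swallows the 0x89 and lands on an undecodable 0xC8), and comes back with different semantics when every instruction is padded (mov eax, 0x90C03190; mov eax, ecx; nop; ret). In none of the layouts does the total reach zero, and each inserted nop is itself a new intended entry point. A real scanner uses a full decoder and a larger window than 8 bytes, which only adds to these counts.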




