[PATCH] Insert random noops to increase security against ROP attacks (llvm)

PaX Team pageexec at gmail.com
Tue Jan 6 17:44:59 PST 2015


On 6 Jan 2015 at 16:28, Andrei Homescu wrote:

> Blind ROP actually targets a very specific kind of restarting service:
> fork-based restarting from the same master process, which doesn’t even
> trigger ASLR.

this is how the majority of UNIX services are implemented. fork+(re)exec
is a rare (and unfortunately) rather late trend (what does it besides
openssh?). also ASLR is in full force then and obviates the need for
further randomization approaches.

> ASLR is vulnerable to per-library single pointer disclosure, where getting
> a pointer to a known function inside a library gives you access to all code
> inside that library.

not true, you also need to know the precise *content* of the library
a priori (or leak that as well but then we're way beyond a mere pointer
leak). a simple pointer disclosure doesn't give you that information.
if you think it does then let me give you a pointer value to strcmp
and you write me a ROP payload based on it: 0x12345678 ;).

> (keep in mind that the original ROP paper used only gadgets inside
> libc, so one library is all you need in most cases).

this is true and this is why i never saw the point in per-mmap randomization
myself.

> You don’t need to leak memory content if you assume that all targets
> have exactly the same software and libraries (let’s say you target all
> Ubuntu 14.10 and all Windows 7 systems), you only need to know where
> everything falls, since the code is the same on all machines. 

not true, there are (or eventually will be) several different binaries
available for each system so an exploit must try each one of them (or
leak/learn the precise version information but then we're again beyond
a mere pointer leak). this is not even a new problem actually, even
before ASLR (think 90's) exploits often had offset/address tables specific
to distro versions.
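To make the first point above concrete (a fork()-based worker restart keeps the master's layout, while fork+exec gets a fresh ASLR roll), here is a small added check; it is not code from the thread or from PaX, and it assumes Linux with /proc and /bin/cat available for the exec case:

```c
/* Added example (not from the thread): a fork()ed worker keeps the parent's layout,
 * a fork()+exec() child gets a fresh ASLR roll. Linux; needs /proc and /bin/cat. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Start of the "[stack]" mapping in a /proc/<pid>/maps listing, or 0. */
static unsigned long stack_base(FILE *maps) {
    char line[512]; unsigned long lo, hi;
    while (fgets(line, sizeof line, maps))
        if (strstr(line, "[stack]") && sscanf(line, "%lx-%lx", &lo, &hi) == 2)
            return lo;
    return 0;
}

/* 1 if a fork()ed worker sees this function where the parent does: one code
 * pointer leaked from any worker is valid for every worker of the service. */
int forked_worker_shares_layout(void) {
    int fd[2]; unsigned long mine = (unsigned long)&forked_worker_shares_layout, theirs = 0;
    if (pipe(fd) != 0) return 0;
    pid_t pid = fork(); if (pid < 0) return 0;
    if (pid == 0) {                     /* child: take the address in its own space */
        unsigned long v = (unsigned long)&forked_worker_shares_layout;
        _exit(write(fd[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], &theirs, sizeof theirs);
    close(fd[0]); waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof theirs && theirs == mine;
}

/* 1 if a fork()+exec() child's stack landed elsewhere than ours (re-randomized). */
int exec_child_rerandomized(void) {
    int fd[2]; unsigned long mine = 0, theirs = 0;
    if (pipe(fd) != 0) return 0;
    pid_t pid = fork(); if (pid < 0) return 0;
    if (pid == 0) {                     /* child: exec cat so it dumps its own maps */
        dup2(fd[1], STDOUT_FILENO); close(fd[0]);
        execl("/bin/cat", "cat", "/proc/self/maps", (char *)NULL);
        _exit(127);
    }
    close(fd[1]);
    FILE *f = fdopen(fd[0], "r");
    if (f) { theirs = stack_base(f); fclose(f); } else close(fd[0]);
    waitpid(pid, NULL, 0);
    FILE *me = fopen("/proc/self/maps", "r");
    if (me) { mine = stack_base(me); fclose(me); }
    return mine != 0 && theirs != 0 && theirs != mine;
}
```

The first function returns 1 on any Linux box regardless of ASLR settings; the second returns 1 only when ASLR is actually enabled, so it doubles as a quick audit of whether an exec()ing service gets re-randomized.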
More information about the llvm-commits mailing list