[PATCH] Insert random noops to increase security against ROP attacks (llvm)

Andrei Homescu ahomescu at uci.edu
Tue Jan 6 16:28:55 PST 2015


A few comments below:

> On Jan 6, 2015, at 3:39 PM, PaX Team <pageexec at gmail.com> wrote:
> 
> On 5 Jan 2015 at 21:23, Stephen Crane wrote:
> 
>> Hi all,
>> 
>> I completely agree that Blind ROP and JIT-ROP have the potential to
>> bypass diversity. However, these attacks are significantly harder than
>> conventional ROP and have additional requirements (restarting service
>> and client-side scripting respectively).
> 
> how do you measure 'harder'? also you realize that 'restarting service'
> describes about all remote services and 'client side scripting' describes
> about all browsers, in other words, two of the most relevant real life
> attack surfaces?
Blind ROP actually targets a very specific kind of restarting service: fork-based restarting from the same master process, which doesn’t even trigger ASLR.
Switching to execve() to restart the service would kill vanilla BROP by itself (can’t really say whether BROP could be adapted to work with that).

> 
> ASLR is not vulnerable to a single pointer disclosure (since you repeated
> this twice at least, i wonder where this myth comes from...).
> 
> what ASLR is vulnerable to (more precisely, wasn't designed to protect
> against) are attacks that can also leak addresses *and* memory content
> at those addresses (or when exploiting the bug doesn't even need an
> address of course).
ASLR is vulnerable to per-library single pointer disclosure, where getting a pointer to a known function inside a library gives you access to all code inside that library.
For example, finding where “strcmp” is inside libc post-ASLR gives you access to all of libc (keep in mind that the original ROP paper used only gadgets inside libc, so one library is all you need in most cases).
You don’t need to leak memory content if you assume that all targets have exactly the same software and libraries (let’s say you target all Ubuntu 14.10 and all Windows 7 systems), you only need to know where everything falls, since the code is the same on all machines.

Andrei
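The two points above (a single leaked libc pointer gives you the whole library, and a fork()-based restart keeps the same layout, which is what vanilla BROP relies on) can be checked in a few lines of C. The program below is an added example written for this page, not code from the thread or from the patch under discussion. It assumes a Linux/glibc-style dynamic linker where dlsym(RTLD_DEFAULT, ...) returns the real libc address of a symbol (glibc 2.34 or later, or musl, so that no -ldl is needed). The "attacker" side computes the constant distance from strcmp to system on its own copy of the same libc build; the "victim" side is a parent that leaks its strcmp address and then forks a child to handle the next request, as a pre-forking server would. The leaked pointer still predicts where system() lives in the child.

```c
#define _GNU_SOURCE            /* for RTLD_DEFAULT */
#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Resolve a libc symbol the way the dynamic linker does, so we get the
 * address inside libc itself rather than a PLT stub in this executable. */
uintptr_t libc_addr(const char *sym)
{
    void *p = dlsym(RTLD_DEFAULT, sym);
    if (p == NULL) {
        fprintf(stderr, "dlsym(%s): %s\n", sym, dlerror());
        exit(1);
    }
    return (uintptr_t)p;
}

/* Attacker-side knowledge: on every machine running the same libc build,
 * the distance between two libc symbols is a fixed constant.  ASLR moves
 * the whole library as one unit, so this value never changes. */
intptr_t libc_delta(const char *from, const char *to)
{
    return (intptr_t)(libc_addr(to) - libc_addr(from));
}

/* Given one leaked pointer (e.g. strcmp's address read out of a buffer
 * over-read), predict where any other libc symbol lives in the victim. */
uintptr_t predict_from_leak(uintptr_t leaked_from, intptr_t delta)
{
    return leaked_from + delta;
}

/* Model of a fork-based server: the parent leaks &strcmp, then forks a
 * worker for the next request.  Returns 1 if the parent's leak still
 * predicts the child's system() (fork did not re-randomize), 0 if the
 * layout changed, -1 on a system call failure. */
int fork_preserves_layout(void)
{
    uintptr_t leaked_strcmp = libc_addr("strcmp");     /* the one leak   */
    intptr_t  delta         = libc_delta("strcmp", "system"); /* precomputed */
    int fd[2];
    if (pipe(fd) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: report where system() really is in this process image. */
        uintptr_t actual = libc_addr("system");
        if (write(fd[1], &actual, sizeof actual) != (ssize_t)sizeof actual)
            _exit(1);
        _exit(0);
    }

    close(fd[1]);
    uintptr_t child_system = 0;
    ssize_t n = read(fd[0], &child_system, sizeof child_system);
    close(fd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (n != (ssize_t)sizeof child_system)
        return -1;

    return predict_from_leak(leaked_strcmp, delta) == child_system;
}

int main(void)
{
    uintptr_t strcmp_addr = libc_addr("strcmp");
    intptr_t  delta       = libc_delta("strcmp", "system");
    printf("strcmp at %#lx, system at %#lx, delta %+ld\n",
           (unsigned long)strcmp_addr, (unsigned long)libc_addr("system"),
           (long)delta);
    printf("leaked strcmp still predicts system() after fork(): %s\n",
           fork_preserves_layout() == 1 ? "yes" : "no");
    return 0;
}
```

Build with `cc -o leak_demo leak_demo.c` (add `-ldl` on glibc older than 2.34). The delta changes from one libc build to the next, which is why the attack in the text presumes a known target such as one distribution release; the fork() result is the property BROP depends on, and restarting the worker through execve() instead would give it a fresh ASLR layout, making the parent's leaked pointer stale.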





More information about the llvm-commits mailing list