Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 19 Nov 2015 12:08:21 +0100
From: Jonathan Salwan <>
Cc: Florian Weimer <>, Solar Designer <>, Jeff Law <>, 
	Bernd Schmidt <>,
Subject: Re: Re: Fwd: x86 ROP mitigation

Hey Steve,

> What I found was that the list of libraries or programs that ROPgadget could
> build a chain for is fairly small. I thought about reasons why that might be
> the case and then considered that maybe if the gadgets from several libraries
> were combined, maybe it would find more.

The build chain of ROPgadget is pretty "stupid", we search a series of
patterns [1] which would allow us to build our payload. If these
patterns are not present we don't build the payload. Then, we don't
search through others libraries. That's why you got a small list. The
best way to build a ROP-chain automatically, is to build the chain
from the instruction semantics (take a look from slide 53 to 62 of
this lecture [2]).

> But I think ASLR would make too many
> moving parts for that to be practical. If you use a whole library or
> application, then everything moves together up or down as a unit to the new
> offset.

If you find the base address from the plt/got you win. Florian
Gaultier proved that it was possible [3].

> Another thought in explaining why the list was so small is that the quality of
> the chaining that ROPgadget has needs a lot of improvement.

So true :).


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ