On 06/17/2016 04:29 PM, Michael Matz wrote:
On Fri, 17 Jun 2016, Bernd Schmidt wrote:
On 06/17/2016 04:03 PM, Michael Matz wrote:
But does this really improve something? Essentially you're replacing
<random bytes1> 0xc9 0xc3 <random bytes2>
(the end of a function containing "leave;ret") with
<random bytes1> 0xe9 <four random bytes> <random bytes2>
where the four random bytes are different for each rewritten function
return (but correlated as they differ exactly by their position
difference).
I'm not sure why the latter sequence is better?
I think I'm missing what you're trying to say. The latter sequence does not
contain a return opcode hence it ought to be better?
The "0xe9 <four random bytes>" essentially is the leave+return opcode,
after all it jumps to them (let's ignore the possibility that the jump
target address might contain a 0xc3 byte). So if the attacker finds some
interesting gadget in <random bytes1> I don't see how the change from
leave+ret to jump-to-leave+ret changes anything from a threat avoidance
perspective. It's fully possible that I don't understand the threat
vector of ROP correctly, in which case I'd also like to know :)
The advantage is that this way the attack can't skip the leave opcode by
jumping into the "random bytes1" in your first sequence. Hence, we
ensure the return path will always overwrite esp first, which is what's
supposed to make the attack harder since now you need to control ebp as
well.
Bernd
