Hi,

On Fri, 17 Jun 2016, Bernd Schmidt wrote:

> > The "0xe9 <four random bytes>" essentially is the leave+return opcode,
> > after all it jumps to them (let's ignore the possibility that the jump
> > target address might contain a 0xc3 byte). So if the attacker finds
> > some interesting gadget in <random bytes1> I don't see how the change
> > from leave+ret to jump-to-leave+ret changes anything from a threat
> > avoidance perspective. It's fully possible that I don't understand
> > the threat vector of ROP correctly, in which case I'd also like to
> > know :)
>
> The advantage is that this way the attack can't skip the leave opcode by
> jumping into the "random bytes1" in your first sequence. Hence, we
> ensure the return path will always overwrite esp first, which is what's
> supposed to make the attack harder since now you need to control ebp as
> well.

Okay, thanks. So it's really the wish for an inseparable leave+ret leading to this; that sort of makes sense, I guess.

Ciao,
Michael.

P.S.: Though I do feel these ROP countermeasures are not much more than security by obscurity; I guess enough obscurity indeed can at least lead to harder-to-exploit programs.
> > The "0xe9 <four random bytes>" essentially is the leave+return opcode, > > after all it jumps to them (let's ignore the possibility that the jump > > target address might contain a 0xc3 byte). So if the attacker finds > > some interesting gadget in <random bytes1> I don't see how the change > > from leave+ret to jump-to-leave+ret changes anything from a threat > > avoidance perspective. It's fully possible that I don't understand > > the threat vector of ROP correctly, in which case I'd also like to > > know :) > > The advantage is that this way the attack can't skip the leave opcode by > jumping into the "random bytes1" in your first sequence. Hence, we > ensure the return path will always overwrite esp first, which is what's > supposed to make the attack harder since now you need to control ebp as > well. Okay, thanks. So it's really the wish for an inseparable leave+ret leading to this; that sort of makes sense I guess. Ciao, Michael. P.S: Though I do feel these ROP counter measures are not much more than security by obscurity; I guess enough obscurity indeed can at least lead to harder to exploit programs.