In-memory ROP payload detection

Justin Kim Microsoft

Since the introduction of DEP (Data Execution Prevention) to block shellcode from execution, the use of ROP (Return-Oriented Programming) in exploits has increased over the past decade. ASLR (Address Space Layout Randomization) helps mitigate ROP, but in recent years exploit writers have increasingly focused on finding ways to bypass ASLR and thereby enable ROP. ROP is an exploit technique that uses the mechanism of a calling convention to execute attacker-specified code locations that are linked as ROP chains.

In this paper, I will show how it is possible to detect these chains that are targeted towards various applications. For attackers to generate the malicious payload, they choose a combination of ROP gadgets collected from modules. However, this set of gadgets is finite and limited in number. This characteristic makes it possible to detect the finite combinations of gadgets. Even ROP attacks that depend on bypassing ASLR with a memory disclosure (info leak) vulnerability can be detected using relative offsets of the gadgets.

I will demonstrate scanning against in-the-wild exploits and show how to analyse the chain once found. Each address in the chain is mapped to an assembly instruction in the gadget database. In this way, the purpose of the ROP chain or what it is programmed to do can be revealed.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.

The full programme for VB2013, including abstracts for each paper, can be viewed here.

Click here for more details about the conference.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.