ASLR BROP
Fine-grained ASLR
Randomize even relative addresses (not just the load base of each module)
- shuffle around (parts of) functions
- rewrite functions: change register allocation, substitute equivalent instructions, insert random NOPs
- needs compiler (or binary-rewriting) support; sharing code pages between processes (e.g. libraries) becomes difficult, since every process gets its own layout
Breaking with JIT-ROP (just-in-time ROP):
- suppose the attacker can leak a single code pointer and has a memory-disclosure primitive
- then, recursively:
  - use the code pointer to read the code page it points into (reading a mapped page is safe: unlike guessing addresses, it never crashes)
  - disassemble that page and identify gadgets on it
  - harvest further code pointers from that page (direct call/jump targets) and repeat on the pages they point to
- "compile" the ROP payload on the fly (just in time) from the gadgets found, so the randomized layout never has to be known in advance
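The recursive harvesting loop above, as an added example (this is not code from these notes or from any real JIT-ROP implementation): a C simulation in which two constructed code pages at assumed addresses hold hand-assembled x86-64 bytes, a "safe read" only ever returns mapped pages, and a crude linear scan finds pop reg; ret gadgets and follows call rel32 targets into further pages. The page addresses, the bytes, and the function names are all assumptions made for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed target: two small "code pages" at made-up addresses holding
 * hand-assembled x86-64 bytes. Nothing here comes from a real binary. */
#define PAGE_SIZE 64
#define NPAGES 2
#define MAX_GADGETS 16

typedef struct { uint64_t base; uint8_t code[PAGE_SIZE]; } code_page_t;

static const code_page_t pages[NPAGES] = {
    /* page at 0x7f0000401000: a function that calls into the second page */
    { 0x7f0000401000ULL, {
        0x55,                          /* push rbp                       */
        0x48, 0x89, 0xe5,              /* mov  rbp, rsp                  */
        0xe8, 0x17, 0x10, 0x00, 0x00,  /* call rel32 -> 0x7f0000402020   */
        0x5d, 0xc3,                    /* pop  rbp ; ret   (gadget)      */
        0x5f, 0xc3,                    /* pop  rdi ; ret   (gadget)      */
    } },
    /* page at 0x7f0000402000: one gadget plus a call back to the first page */
    { 0x7f0000402000ULL, {
        [0x20] = 0x5e, 0xc3,                   /* pop rsi ; ret  (gadget)      */
        [0x22] = 0xe8, 0xd9, 0xef, 0xff, 0xff  /* call rel32 -> 0x7f0000401000 */
    } },
};

/* The "safe read" primitive: a disclosure that only touches mapped pages.
 * Returns the page containing ptr, or NULL. An attacker must never read an
 * unmapped address, since that crashes the target and ends the attack. */
static const code_page_t *read_code_page(uint64_t ptr) {
    for (int i = 0; i < NPAGES; i++)
        if (ptr >= pages[i].base && ptr < pages[i].base + PAGE_SIZE)
            return &pages[i];
    return NULL;
}

typedef struct {
    uint64_t visited[NPAGES]; int nvisited;        /* pages already harvested  */
    uint64_t gadgets[MAX_GADGETS]; int ngadgets;   /* addresses of pop reg; ret */
} harvest_t;

static int page_seen(const harvest_t *h, uint64_t base) {
    for (int i = 0; i < h->nvisited; i++) if (h->visited[i] == base) return 1;
    return 0;
}

/* Linear-scan gadget finder: a 0xc3 (ret) preceded by a single-byte
 * pop r64 (0x58..0x5f). A real JIT-ROP engine disassembles properly;
 * this crude scan is enough for the constructed pages above. */
static void harvest(harvest_t *h, uint64_t code_ptr) {
    const code_page_t *pg = read_code_page(code_ptr);
    if (pg == NULL || page_seen(h, pg->base)) return;   /* unmapped, or done already */
    h->visited[h->nvisited++] = pg->base;

    for (int off = 0; off < PAGE_SIZE; off++) {
        uint8_t b = pg->code[off];
        if (b == 0xc3 && off > 0 && pg->code[off - 1] >= 0x58 && pg->code[off - 1] <= 0x5f
            && h->ngadgets < MAX_GADGETS)
            h->gadgets[h->ngadgets++] = pg->base + off - 1;
        if (b == 0xe8 && off + 5 <= PAGE_SIZE) {       /* call rel32 */
            int32_t rel;
            memcpy(&rel, &pg->code[off + 1], 4);       /* little-endian host assumed */
            uint64_t target = pg->base + off + 5 + (int64_t)rel;
            harvest(h, target);   /* a code pointer leaked from code itself: recurse */
        }
    }
}

/* Entry point: start from a single leaked code pointer, return gadget count. */
static int jit_rop_harvest(harvest_t *h, uint64_t leaked_ptr) {
    memset(h, 0, sizeof *h);
    harvest(h, leaked_ptr);
    return h->ngadgets;
}

int main(void) {
    harvest_t h;
    /* assumed leak: a return address into the first page, read off the stack */
    int n = jit_rop_harvest(&h, 0x7f0000401009ULL);
    printf("pages read: %d, gadgets found: %d\n", h.nvisited, n);
    for (int i = 0; i < n; i++) printf("  pop reg; ret @ 0x%" PRIx64 "\n", h.gadgets[i]);
    return 0;
}
```

Starting from any pointer into the graph reaches both pages, because the call in each page leaks a pointer into the other; the visited set is what stops the recursion from looping. The only thing the attacker has to get right is never reading an address outside a page it has been handed, which is exactly why the disclosure is done from code pointers rather than by guessing.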
Side channel: crash/no-crash
- requirements: a stack vulnerability and knowledge of how to trigger it; a server process that respawns after a crash without re-randomizing (e.g. forked workers, which inherit the parent's layout and stack canary), so that every probe hits the same addresses and values
Blind Return-Oriented Programming (BROP):
- break ASLR without having a copy of the binary
- stack reading:
  - overwrite a single byte past the buffer with value X
  - no crash: the stack held value X at that position; move on to the next byte
  - crash: the guess was wrong; retry with another X (at most 256 tries per byte instead of 2^64 for a whole word such as the canary)
- three types of gadgets (told apart with the same side channel):
  - stop gadget: never crashes (e.g. hangs or blocks, so the connection stays open)
  - crash gadget: always crashes
  - useful gadget: whether it crashes depends on what it returns to, i.e. on the stack words placed after it
- Leak binary:
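The stack-reading loop and the stop/crash/useful classification above, as one added example (this is not code from these notes or from the BROP authors): a C simulation of the crash/no-crash side channel. The target is a constructed model of a forking server that keeps the same canary and layout across respawns; the canary and saved rbp bytes, the four text addresses, and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the target (no real server involved): forked workers
 * inherit the parent's canary and layout and are not re-randomized on
 * respawn, so every probe observes the same values. */

/* The 16 bytes just past the overflowed buffer: 8-byte canary, then saved
 * rbp. The canary's low byte is 0x00, as glibc sets it. */
static const uint8_t target_stack[16] = {
    0x00, 0x9c, 0x4b, 0x21, 0xe7, 0x30, 0x55, 0x1a,    /* canary    */
    0x40, 0x9c, 0x5e, 0x3a, 0xfd, 0x7f, 0x00, 0x00 };  /* saved rbp */

/* Crash/no-crash oracle: overflow `offset` bytes past the buffer and write
 * `guess` there. A matching byte leaves the frame intact and the worker
 * answers; a mismatch fails the canary check (or corrupts the frame) and the
 * worker dies, seen by the client as a closed connection. 1 = crash.
 * (Modelled as always crashing on a wrong byte; a wrong saved rbp may not
 * crash immediately in practice.) */
static int probe_byte(size_t offset, uint8_t guess) {
    return target_stack[offset] != guess;
}

/* Stack reading: recover n bytes one at a time, at most 256 probes per byte
 * instead of 2^(8n) for guessing the whole value. Returns bytes recovered;
 * *probes counts connections used. */
static size_t stack_read(uint8_t *out, size_t n, unsigned *probes) {
    for (size_t i = 0; i < n; i++) {
        int found = 0;
        for (unsigned g = 0; g < 256; g++) {
            ++*probes;
            if (!probe_byte(i, (uint8_t)g)) { out[i] = (uint8_t)g; found = 1; break; }
        }
        if (!found) return i;   /* no value survived: the oracle is misbehaving */
    }
    return n;
}

/* ---- Gadget classification with the same oracle ---- */
enum kind { G_CRASH, G_STOP, G_USEFUL };

/* Constructed text segment: what each probed address really does. A useful
 * gadget pops `pops` stack words and then returns into the next word. */
typedef struct { uint64_t addr; enum kind kind; int pops; } text_entry;
static const text_entry text[] = {
    { 0x401000, G_STOP,   0 },   /* e.g. blocks forever; connection stays open */
    { 0x401010, G_CRASH,  0 },   /* e.g. dereferences a bad register          */
    { 0x401020, G_USEFUL, 1 },   /* pop rdi ; ret                             */
    { 0x401030, G_USEFUL, 6 },   /* pop rbx..r15 ; ret                        */
};
#define STACK_WORDS 8

/* Run the worker on an attacker-supplied stack of return addresses.
 * Returns 1 if it crashes, 0 if it ends up hanging in a stop gadget. */
static int run_stack(const uint64_t *stack, int n) {
    int sp = 0;
    while (sp < n) {
        uint64_t ip = stack[sp++];
        const text_entry *t = NULL;
        for (size_t i = 0; i < sizeof text / sizeof *text; i++)
            if (text[i].addr == ip) t = &text[i];
        if (t == NULL || t->kind == G_CRASH) return 1;  /* unmapped or crashing */
        if (t->kind == G_STOP) return 0;
        sp += t->pops;                                  /* useful: eat words, then ret */
    }
    return 1;   /* ran past the controlled words: garbage return address */
}

/* Two probes per address, given one already-found stop address and one
 * address known to crash (any unmapped one):
 *   [addr, stop x7]  crashes only if addr itself crashes
 *   [addr, crash x7] survives only if addr never returns (a stop gadget)
 * Surviving the first but not the second means the outcome depends on where
 * addr returns to: a useful gadget. */
static enum kind classify(uint64_t addr, uint64_t stop, uint64_t crash, unsigned *probes) {
    uint64_t s[STACK_WORDS];
    s[0] = addr;
    for (int i = 1; i < STACK_WORDS; i++) s[i] = stop;
    ++*probes;
    if (run_stack(s, STACK_WORDS)) return G_CRASH;
    for (int i = 1; i < STACK_WORDS; i++) s[i] = crash;
    ++*probes;
    return run_stack(s, STACK_WORDS) ? G_USEFUL : G_STOP;
}

/* Whole run: read the 16 bytes, then classify the four text addresses.
 * Returns the number of connections (probes) used. */
static unsigned brop_demo(uint8_t leaked[16], enum kind kinds[4]) {
    unsigned probes = 0;
    stack_read(leaked, 16, &probes);
    for (int i = 0; i < 4; i++)
        kinds[i] = classify(text[i].addr, 0x401000, 0, &probes);
    return probes;
}

int main(void) {
    uint8_t leaked[16]; enum kind kinds[4];
    unsigned probes = brop_demo(leaked, kinds);
    printf("canary+rbp:");
    for (int i = 0; i < 16; i++) printf(" %02x", leaked[i]);
    printf("\nprobes used: %u (vs 2^64 for guessing the canary in one go)\n", probes);
    return 0;
}
```

The whole 16-byte read costs well under 256 x 16 connections, which is what makes the respawn-without-re-randomization requirement so important: if the server re-randomized the canary on every restart, a byte found on one connection would tell the attacker nothing about the next one. The two-layout classification only works once a stop gadget is known, so in a real run finding one is the first scan the attacker performs.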