Great time to announce, right after their recent twitter rampage. Inspires lots of confidence.
Careful or you might get blocked.
Does anybody else have no idea what RAP and ROP are?
If you want to build a program at run-time, you can find the addresses of blocks of code that do what you want, but are followed by a ret. These addresses are called gadgets. You can then execute your program by pushing these gadgets onto the stack in the order you want them to execute, and then returning with the ret instruction. This is called ROP: return-oriented programming.
RAP is “return-address protection”, and it’s a device where you save an extra cookie someplace before calling a function, and then verify that the cookie is in that place before returning. This allows you to detect if someone is using the end of your function as a gadget.
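The gadget chain and the cookie check described in this comment, as an added toy model in C (not code from this thread and not grsecurity's RAP implementation): a tiny stack machine whose gadgets are C functions and whose ret pops the next address off the stack. With the check enabled, a caller stores key ^ return_address in the word above the return address and the callee's epilogue verifies it before returning, so a stack overwritten with a chain the attacker built without the key fails at the first protected ret. The gadget numbering, the key value, the stack layout and the chain itself are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_WORDS 32
#define DEMO_KEY 0x8ce4a1b2f03d5c77ULL   /* constructed; a real deployment keeps it per task and secret */

typedef struct {
    uint64_t rax, rdi;              /* two toy registers */
    uint64_t stack[STACK_WORDS];    /* stack[sp] is the top; pushes move toward index 0 */
    int sp;
} cpu_t;

typedef void (*gadget_fn)(cpu_t *);

/* "Addresses" of code fragments that end in ret, i.e. the gadgets. 0 is unmapped. */
enum { G_POP_RDI = 1, G_POP_RAX, G_ADD_RAX_RDI, G_HALT, G_COUNT };
enum { RET_OK = 0, RET_FAULT = -1, RET_TAMPERED = -2 };

static int pop(cpu_t *c, uint64_t *v)
{
    if (c->sp >= STACK_WORDS) return RET_FAULT;   /* ran off the end of the stack */
    *v = c->stack[c->sp++];
    return RET_OK;
}

static void push(cpu_t *c, uint64_t v) { c->stack[--c->sp] = v; }

static void g_pop_rdi(cpu_t *c)     { pop(c, &c->rdi); }   /* pop rdi ; ret */
static void g_pop_rax(cpu_t *c)     { pop(c, &c->rax); }   /* pop rax ; ret */
static void g_add_rax_rdi(cpu_t *c) { c->rax += c->rdi; }  /* add rax, rdi ; ret */
static void g_halt(cpu_t *c)        { (void)c; }           /* ends the run */

static const gadget_fn gadgets[G_COUNT] = { NULL, g_pop_rdi, g_pop_rax, g_add_rax_rdi, g_halt };

/* ret: pop the return address and continue there. With rap set, the epilogue first
 * checks that the word the caller stored above the return address equals
 * key ^ return_address. An attacker who overwrote the stack with a gadget chain
 * does not know key, so the very first protected ret detects the chain. */
static int do_ret(cpu_t *c, int rap, uint64_t key, uint64_t *target)
{
    uint64_t cookie;
    if (rap) {
        if (c->sp + 1 >= STACK_WORDS) return RET_FAULT;
        if (c->stack[c->sp + 1] != (key ^ c->stack[c->sp])) return RET_TAMPERED;
    }
    if (pop(c, target) != RET_OK) return RET_FAULT;
    if (rap) pop(c, &cookie);       /* the caller discards its cookie after the return */
    return RET_OK;
}

/* Keep returning into whatever addresses are on the stack until a halt or a fault. */
static int run(cpu_t *c, int rap, uint64_t key)
{
    for (;;) {
        uint64_t target;
        int rc = do_ret(c, rap, key, &target);
        if (rc != RET_OK) return rc;
        if (target == 0 || target >= (uint64_t)G_COUNT) return RET_FAULT;
        gadgets[target](c);
        if (target == G_HALT) return RET_OK;
    }
}

/* Attacker's view: overwrite the stack with gadget addresses and operands so the
 * existing code computes rax = 37 + 5 without any injected instructions.
 * Returns rax on success, or the negative RET_* status. */
static int64_t rop_chain(int rap, uint64_t key)
{
    const uint64_t chain[] = { G_POP_RDI, 5, G_POP_RAX, 37, G_ADD_RAX_RDI, G_HALT };
    const int n = (int)(sizeof chain / sizeof chain[0]);
    cpu_t c = {0};
    c.sp = STACK_WORDS - n;
    for (int i = 0; i < n; i++) c.stack[c.sp + i] = chain[i];  /* chain in execution order */
    int rc = run(&c, rap, key);
    return rc == RET_OK ? (int64_t)c.rax : rc;
}

/* For contrast, a legitimate RAP-instrumented call: the caller saves the cookie, the
 * call pushes the return address, the callee body runs, and the protected ret passes. */
static int64_t legit_call(uint64_t key)
{
    cpu_t c = {0};
    c.sp = STACK_WORDS;
    c.rax = 40; c.rdi = 2;
    push(&c, key ^ G_HALT);     /* caller: cookie for its return site */
    push(&c, G_HALT);           /* call: return address (the halt gadget stands in for the return site) */
    g_add_rax_rdi(&c);          /* callee body */
    int rc = run(&c, 1, key);   /* callee epilogue: protected ret back to the return site */
    return rc == RET_OK ? (int64_t)c.rax : rc;
}

int main(void)
{
    printf("ROP chain without RAP: rax = %lld\n", (long long)rop_chain(0, DEMO_KEY));
    printf("ROP chain with RAP:    status = %lld (RET_TAMPERED is -2)\n", (long long)rop_chain(1, DEMO_KEY));
    printf("legit call with RAP:   rax = %lld\n", (long long)legit_call(DEMO_KEY));
    return 0;
}
```

The model deliberately keeps the check in the callee's epilogue, as the comment describes, rather than at the call site: the attacker controls every word of the overwritten stack, so the only thing that stops the chain is a value (the key) that the stack contents cannot supply. Choosing a key that happens to collide with one chain operand (here, key == 4 would make 5 == key ^ G_POP_RDI) would let the first ret through, which is why the key must be unguessable rather than merely nonzero.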
Is there an equivalent for J(ump)OP? Will we just see many ROP-using exploits switch to JOP or is there a practical reason that it’s unlikely to be the next iteration in the cat-and-mouse game?
I was curious about this too and found this paper: https://cseweb.ucsd.edu/~hovav/dist/noret.pdf.
This paper is one of the best ones I’ve read on it. It also wins points for a fantastic title:
https://cseweb.ucsd.edu/~hovav/dist/geometry.pdf
It’s the predominant technique to achieve remote code execution in systems with ~“data execution prevention” or “write or execute” memory protections, which prevent exploits from executing malicious code directly.