New Anti-ROP From Microsoft

Microsoft held a contest for computer scientists to come up with new ways to stop Return Oriented Programming (ROP) – a technique used by hackers that allows them to easily bypass Data Execution Prevention (DEP). Currently the most common anti-ROP technology is ASLR, headed by PaX. ASLR attempts to randomize as much of the address space as possible, which makes it difficult for hackers to find code that they can use for ROP. ASLR leaves much to be desired, because if any part of the address space is not randomized, that alone is enough for an attacker to craft a ROP attack. There will always be static areas of the address space.

Other techniques like EAF aren’t great; they’re better suited to legacy exploits. And I’ve written before about techniques for defeating ROP.

Microsoft’s competition yielded three ‘top’ contributions and while the details aren’t entirely revealed I’m gonna comment on each based on the very tiny amount of information provided.

First is Jared DeMott’s /ROP.

To understand it you should know that ROP basically works by taking the already-compiled library code and controlling the order in which pieces of it execute… sorta. It means that absolutely no new code needs to be added to exploit the system.

The idea of /ROP is to check return instructions. This seems like a great idea, after all, return oriented programming without the return… just doesn’t work.

Without details it’s hard to criticize, except that you don’t need return instructions for ROP. You can use ‘return-like’ instructions, which do the same thing and create exploits just as well. What about jmp?

It’s also a detection system and only works on *known* areas of ROP. That doesn’t sound like such a big deal, but it really is. It doesn’t stop anything fundamental, not really, and it’s reactive.
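To make the objection concrete, here is an added toy model (not /ROP’s actual mechanism, whose details aren’t public) of one plausible return-instruction check: a RET is treated as suspicious unless its target is immediately preceded by a CALL, since a real return lands right after the call that made the frame while a gadget’s return lands wherever the chain says. The code image and return targets are constructed for the example.

```python
"""Toy call-preceded RET check over a constructed x86 byte image.

Assumption (not from the post): the check hooks RET and asks whether the
bytes just before the return target decode as a CALL. Only three common
CALL encodings are recognised, so this is an illustration of the idea,
not a faithful model of /ROP.
"""

CODE_BASE = 0x1000

# Constructed image:
#   0x1000  E8 0B 00 00 00   call rel32   (target irrelevant to the check)
#   0x1005  90               nop          <- legitimate return target
#   0x1006  FF D0            call eax
#   0x1008  90               nop          <- legitimate return target
#   0x1009  58               pop eax      <- gadget: nothing calls here
#   0x100A  C3               ret
#   0x100B  5B               pop ebx      <- gadget: nothing calls here
#   0x100C  C3               ret
SAMPLE_CODE = bytes.fromhex("E80B000000" "90" "FFD0" "90" "58C3" "5BC3")
SAMPLE_RET_TARGETS = [0x1005, 0x1008, 0x1009, 0x100B]


def is_call_preceded(code: bytes, addr: int) -> bool:
    """True if the bytes immediately before `addr` decode as a CALL."""
    off = addr - CODE_BASE
    if off < 0 or off > len(code):
        return False
    # E8 rel32: 5-byte direct call
    if off >= 5 and code[off - 5] == 0xE8:
        return True
    # FF /2 with register operand (ModRM D0..D7): 2-byte "call reg"
    if off >= 2 and code[off - 2] == 0xFF and 0xD0 <= code[off - 1] <= 0xD7:
        return True
    # FF 15 disp32: 6-byte "call [disp32]", typical for imported functions
    if off >= 6 and code[off - 6] == 0xFF and code[off - 5] == 0x15:
        return True
    return False


def audit_returns(code: bytes, ret_targets: list[int]) -> list[int]:
    """Return the RET targets this check would flag as suspicious.

    Note the limit the post points at: the hook only fires on RET, so a
    chain stitched together with jmp-style transfers never reaches it.
    """
    return [t for t in ret_targets if not is_call_preceded(code, t)]
```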

Ivan Fratric

Ivan’s entry works by labeling specific functions as critical for ROP, and when those functions are called a check is made.

This reminds me a lot of EAF. We’ll see how it works and if it works in the real world.

Again, detection.

Vasilis Pappas

No clue how this one will work out, not enough detail given at all to make any kind of statement.

If one could simply remove the ability to ROP with magic or some such thing it would force attackers to come up with entirely new methods of exploitation. ROP is the way to get into a system right now. Hopefully one of these really does the trick. Personally I don’t quite understand why specific libraries aren’t compiled without gadgets – there are a few universally static areas of the Windows OS, why not just remove the gadgets? I really don’t know, probably some patenting bullshit.

Hopefully one of these actually drives up the cost. There just isn’t a ton of information out there right now.

I’d love to see more of these types of bounties in the future. Not patches, actual new techniques.