Why Don’t You Just Tell Me Where The ROP Isn’t Supposed To Go

DEF CON 22

Presented by: David Dorsey
Date: Friday August 08, 2014
Time: 17:00 - 17:20
Location: Track 3

Using a ROP chain to bypass operating-system defenses is commonplace, and detecting the technique at run time is still difficult. This talk will discuss a method built on Intel's dynamic binary instrumentation tool, Pin, to dynamically detect ROP attacks against the Microsoft Windows operating system. The method is designed to detect ROP attacks that use the return instruction and the indirect call instruction. We will discuss how we determine whether a return or indirect call is jumping to a valid location. Then we will show examples of the method working and discuss its effectiveness and its limitations. After the talk, the source code for the pintool will be released.
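The abstract does not say how the pintool decides that a return or indirect call target is valid. As an added illustration, not the talk's pintool and not its method, the C program below models one common way of answering that question at each control transfer: a return is plausible only if the bytes immediately before its target decode as an x86-64 CALL (the call-preceded check), and an indirect call is plausible only if its target is a known function entry. Everything here is constructed for the example: the `code` byte buffer stands in for an instrumented code page, `func_entries` stands in for entries recovered from symbols or exports, and the `trace` in `main` is a hand-written sequence of transfers ending in a return into a `pop rdi; ret` gadget.

```c
/* Added example, not the pintool from the talk. The two validity heuristics
 * below (call-preceded returns, indirect calls only to known function entries)
 * are assumptions of this example; the code bytes and trace are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Length of the x86-64 CALL instruction beginning at p, or 0 if the bytes at p
 * are not a CALL we recognise. Covers E8 rel32 and the FF /2 forms (reg, [reg],
 * [reg+disp8], [reg+disp32], [rip+disp32], with or without a SIB byte), each
 * optionally carrying a REX prefix. 'avail' bounds how many bytes may be read. */
static size_t call_length(const uint8_t *p, size_t avail)
{
    size_t i = 0;
    if (avail >= 5 && p[0] == 0xE8)
        return 5;                                  /* call rel32 */
    if (i < avail && (p[i] & 0xF0) == 0x40)
        i++;                                       /* REX prefix */
    if (i + 2 > avail || p[i] != 0xFF)
        return 0;
    uint8_t modrm = p[i + 1];
    if (((modrm >> 3) & 7) != 2)
        return 0;                                  /* FF /2 is CALL */
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    size_t len = i + 2;
    if (mod == 3)
        return len;                                /* call reg */
    if (rm == 4)
        len += 1;                                  /* SIB byte present */
    if (mod == 1)
        len += 1;                                  /* disp8 */
    else if (mod == 2 || (mod == 0 && rm == 5))
        len += 4;                                  /* disp32 or [rip+disp32] */
    return len <= avail ? len : 0;
}

/* Call-preceded check: does some CALL encoding end exactly at 'target'?
 * Every decodable CALL length is tried, so a return address following a
 * 2-byte 'call rax' and one following a 6-byte 'call [rip+x]' both pass. */
int is_call_preceded(const uint8_t *code, size_t code_len, size_t target)
{
    if (target > code_len)
        return 0;
    for (size_t len = 2; len <= 8 && len <= target; len++)
        if (call_length(code + target - len, len) == len)
            return 1;
    return 0;
}

/* Constructed x86-64 bytes standing in for a loaded code page. */
static const uint8_t code[] = {
    /* 0x00 */ 0x55,                               /* push rbp            */
    /* 0x01 */ 0x48, 0x89, 0xE5,                   /* mov  rbp, rsp       */
    /* 0x04 */ 0xE8, 0x0B, 0x00, 0x00, 0x00,       /* call 0x14           */
    /* 0x09 */ 0xFF, 0xD0,                         /* call rax            */
    /* 0x0B */ 0xFF, 0x15, 0x10, 0x00, 0x00, 0x00, /* call [rip+0x10]     */
    /* 0x11 */ 0x5D,                               /* pop  rbp            */
    /* 0x12 */ 0xC3,                               /* ret                 */
    /* 0x13 */ 0x90,                               /* nop                 */
    /* 0x14 */ 0x48, 0x89, 0xC8,                   /* mov  rax, rcx       */
    /* 0x17 */ 0x5F,                               /* pop  rdi  (gadget)  */
    /* 0x18 */ 0xC3,                               /* ret                 */
};

/* Function entries the example assumes are known (e.g. from symbols). */
static const size_t func_entries[] = { 0x00, 0x14 };

enum xfer { XFER_RET, XFER_ICALL };

/* Verdict for one observed transfer: 1 = plausible, 0 = suspicious. */
int check_transfer(enum xfer kind, size_t target)
{
    if (kind == XFER_RET)
        return is_call_preceded(code, sizeof code, target);
    for (size_t i = 0; i < sizeof func_entries / sizeof func_entries[0]; i++)
        if (func_entries[i] == target)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed trace: three legitimate returns, then returns into the
     * middle of the callee (pop rdi; ret), then two indirect calls. */
    struct { enum xfer kind; size_t target; } trace[] = {
        { XFER_RET,   0x09 }, { XFER_RET, 0x0B }, { XFER_RET, 0x11 },
        { XFER_RET,   0x17 }, { XFER_RET, 0x18 },
        { XFER_ICALL, 0x14 }, { XFER_ICALL, 0x17 },
    };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        printf("%-5s -> 0x%02zx : %s\n",
               trace[i].kind == XFER_RET ? "ret" : "icall", trace[i].target,
               check_transfer(trace[i].kind, trace[i].target) ? "ok" : "SUSPICIOUS");
    return 0;
}
```

Two caveats a practitioner would want to keep in mind with this kind of check: a gadget that happens to sit right after a real call site passes the call-preceded test, so a chain built only from call-preceded gadgets evades it, and decoding raw bytes backwards can misread an immediate or displacement (for example a `mov` whose operand contains `FF D0`) as a CALL, producing occasional false negatives. A shadow stack that records each call's return address and compares it on return is stricter for returns, at the cost of handling non-standard control flow such as exceptions and longjmp.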

David Dorsey

David has been in the security industry on the defensive side for nearly 10 years and has been focusing on file analysis for the last 5 years. He likes tearing apart shellcode and figuring out what the attack is trying to accomplish.
