“A concept is a brick. It can be used to build a courthouse of reason. Or it can be thrown through the window.” ― Gilles Deleuze
Ever since Smashing the Stack For Fun And Profit was published by Aleph One almost a quarter century ago the security world has completely changed the way it defends exploitation. Canary stack, DEP, ASLR, CFI and various other mitigation techniques were developed to address various exploit techniques. Yet, ROP remains a prominent practice employed by many exploits even today.
ROP is the most common exploitation method for attackers to mutate memory bugs on target process into malicious executable code. “Next Gen” endpoint security products try to address ROP and other exploitation methods. Windows embraces many mitigation techniques as well. However, these mitigation features such as CFG can in fact be leveraged and increase ROP’s attack surface and allow it to even bypass exploit protections!
If you are intrigued by ROP, want to learn about methods in Windows that protect against ROP and how to bypass them - this talk is for you! On top of that a novel method of bypassing ROP mitigation of most products will also be revealed.
Omer is End-Point team lead at Symantec (formerly Javelin Networks). His team focuses on methods to covertly manipulate OS internals. Before Symantec he was a malware researcher at IBM Trusteer for two years focusing on financial malware families. In the past he has worked at Algotec for six years developing medical imaging software and at IDF's technology unit for three years as dev team lead. Omer lectured on DerbyCon 8, Virus Bulletin and Zero Nights conferences. In his free time he revives historical photographic processes. Twitter: @yair_omer