Difference between revisions of "Exploit Methods/Reused code chunks"
Jump to navigation
Jump to search
Line 4: | Line 4: | ||
= Examples = | = Examples = | ||
* [https://github.com/djrbliss/rose-exploit remote execution] ([http://vulnfactory.org/research/h2hc-remote.pdf slides]) | * [https://github.com/djrbliss/rose-exploit remote execution] ([http://vulnfactory.org/research/h2hc-remote.pdf slides]) | ||
* [https://github.com/01org/jit-spray-poc-for-ksp JIT spraying] | |||
= Mitigations = | = Mitigations = | ||
* compiler instrumentation for Control Flow Integrity (CFI) | * compiler instrumentation for Control Flow Integrity (CFI) | ||
* Return Address Protection, Indirect Control Transfer Protection (e.g. [https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf RAP]) | * Return Address Protection, Indirect Control Transfer Protection (e.g. [https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf RAP]) |
Revision as of 22:10, 4 May 2016
Details
This is more generally knows as Return Oriented Programming (ROP) or Jump Oriented Programming (JOP), but ultimately boils down to using the kernel's own executable memory to build a chain of gadgets in order to perform the attacker's exploit.
Examples
Mitigations
- compiler instrumentation for Control Flow Integrity (CFI)
- Return Address Protection, Indirect Control Transfer Protection (e.g. RAP)