Automatic Generation of ROP Chains
Offered By: Hack In The Box Security Conference via YouTube
Course Description
Overview
Explore the intricacies of Return-Oriented Programming (ROP) attacks and their automated generation in this 35-minute conference talk from the Hack In The Box Security Conference. Delve into the concept of Turing completeness and its application to ROP chains. Learn about EasyROP, a tool designed to automate the development of ROP attacks by identifying semantically equivalent gadgets for fundamental operations. Examine the analysis of Windows dynamic-link libraries in both 32-bit and 64-bit systems, with a focus on shell32.dll as a prime candidate for 32-bit attacks. Discover the challenges in building Turing-complete ROP chains for 64-bit systems. Gain practical insights through a real-world case study of CVE-2010-3333, demonstrating how to construct a ROP chain to bypass Data Execution Prevention (DEP) on Windows 7.
Syllabus
#HITB2018AMS CommSec D2 - Automatic Generation of ROP Chains - Ricardo J. Rodríguez & Daniel Uroz
Taught by
Hack In The Box Security Conference
Related Courses
CNIT 127: Exploit Development (CNIT - City College of San Francisco via Independent)
Reverse Engineering and Exploit Development (Udemy)
Penetration Testing: Advanced Kali Linux (LinkedIn Learning)
Linux x86 Assembly and Shellcoding (Udemy)
Python: From Zero to Advanced Level - With Ethical Hacker Examples (Udemy)