
This will be a small introduction to return-oriented programming, commonly referred to as ROP. I’ve had a lot of experience with security measures (duh) but never really had any hands-on experience with more modern security technologies such as non-executable stack/data (DEP, NX, XN, W^X) or Address Space Layout Randomisation (ASLR).

The non-executable stack isn’t really limited to just the stack; anything that isn’t code memory can’t be executed. So as in PSP, you can’t just jump to the savedata and have the day’s work done. Instead, the only executable code is the real code provided by the OS when binaries are loaded. This is a nice and funky protection, but ROP is the counter and tends to poop on this method.

Now, ROP is really cool. Rather than execute your code, you control the stack and execute provided code. Sounds pretty weird, right? I mean, how do you control anything if it’s their code? You’re right in a way, their code isn’t our code. However, we don’t necessarily have to execute code in the same way that they do. I mean, they could have super_duper_function located at address 0x80000000, but just because the function is there doesn’t mean we have to start our execution there. For example, let’s consider that super_duper_function does the following:

0x80000000: PUSH {R4-R6,LR}
0x80000004: ... perform algorithm
0x80000050: POP {R4-R6, PC}

First it saves registers onto the stack, then does the algorithm, then restores the saved registers and leaves. Pretty standard stuff here, nothing odd. However, if we control the return address, we can’t execute our own code, BUT if we jump to 0x80000050 then more data is loaded from the stack (R4-R6) and the new execution position, PC, is controlled by us.

Now, this doesn’t do anything specific, but you can see how this works out. Rather than execute functions as you expect, you essentially build a list of code snippets called gadgets and then you chain them up to perform a task. Let’s say we want to do a printf. If we control the entire contents of the stack, we can start off by calling the POP-R4-R6-PC gadget. Suddenly, we control R4, R5, R6 and the program counter.

Consider the next gadget:

0x80000100: PUSH {R4,LR}
0x80000104: .. do stuff
0x80000170: MOV R0, R4
0x80000174: MOV R1, R5
0x80000178: BLX R6
0x8000017C: POP {R4,PC}

Now, we don’t want to execute the whole function, but if we jump straight to 0x80000170 then what we’re essentially doing is the following:

POP {R4-R6}
MOV R0, R4
MOV R1, R5

See? We’re chaining gadgets, and now we have a function call where we control the first 2 arguments from the stack without even touching our code. So, for the first gadget, if we go ahead and set R4 to point to our message, R5 to our optional argument, R6 to the address of printf and PC to 0x80000170, then we’ve chained together a printf that we control completely without a single drop of our own executable code.

There are a few problems with this though… Gadgets aren’t always easy to find, especially when it involves specific things like the stack. As ROP code is working its magic, the stack is shrinking away at a variable pace (depending on the gadgets). Now, sometimes you need the address of the stack, since variables are usually loaded from there. So if you want to save a return value from something like fopen, you need to store it onto the stack (this isn’t the only way to recover return values though). To store something on the stack, you need to construct gadgets in a way that safely overwrites data further along the ROP stack (relative to the current point of execution) so that it is loaded when a later POP takes place. Yes, it is a little complicated, and there are some gadgets that can ease things.

It’s wise to recognise that your development fun is in the hands of their compiler and code design. The compiler can do some funny things that are useful, e.g.:

0x80000120: MOV R5, R0

0x80000124: MOV R0, R5
0x80000128: POP {PC}

This gives a lovely control of R0 into R5, a register that we can more easily manipulate (usually). Sometimes, it is just a pain finding the right things to help you. At times like this, it is better to try and use tools to automate the process, but the more complicated gadgets are difficult to find.

Enough about the gadgets, let’s talk about architecture. Architecture lends a hand to ROP, mostly when it comes to CISC and RISC. x86 has an absolute baller of a time due to the fact that args are loaded from registers anyway so you just need to go apeshit and call them. RISC is typically a bit different. By using registers extensively, you add another layer where you need to get the correct stuff into the correct registers in order to do the correct thing. This isn’t exclusive, but I see it as more common. However, other than that, the principle of ROP execution is the same, and can be treated exactly the same way.

ROP sounds pretty cool, right? I mean, it poops on execution protection, whatever can the world do? Easy. One of the most effective ways to combat ROP is to incorporate ASLR. I mentioned this earlier but now I’ll gently explain why ASLR bends ROP over. It moves things. There, ROP is countered. ROP requires everything to be static; notice we need to use exact locations in order to even execute anything? Yeah, move it around and ROP doesn’t work. You could say, “Why can’t we just search for it and then dynamically provide a ROP payload??”. Well, you can, but good luck finding something that’ll expose such information. Since ROP can’t even start, you can’t use ROP to search. Hence the counter to ASLR is predicting, controlling and/or identifying the locations of memory. If ASLR is used without execution protections, then you can attempt a heap spray to try and get control of data at a significant array of addresses.
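The printf chain from the gadget walkthrough and the ASLR argument above, as a toy model in C. This is an added example, not the author's code: run_chain, cpu_t, the slide parameter and the R4/R6 values are assumptions for illustration, while the gadget addresses are the ones in the listings.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of the two gadgets in the listings above; not a real ARM emulator.
   Gadget offsets are relative to the module's link-time base. */
#define LINK_BASE 0x80000000u
#define G_POP     0x050u  /* POP {R4-R6, PC}               */
#define G_CALL    0x170u  /* MOV R0,R4; MOV R1,R5; BLX R6  */

typedef struct { uint32_t r0, r1, r4, r5, r6, called; int ok; } cpu_t;
/* Constructed chain: every address assumes the module sits at LINK_BASE. */
static const uint32_t CHAIN[] = {
    LINK_BASE + G_POP,   /* overwritten saved PC -> first gadget        */
    0x20001000u,         /* R4: pointer to the message (placeholder)    */
    0x00000000u,         /* R5: optional argument                       */
    0x80002000u,         /* R6: assumed address of printf (placeholder) */
    LINK_BASE + G_CALL,  /* PC -> second gadget                         */
};

/* Walk the stack words as the CPU would, with the module really loaded at
   LINK_BASE + slide. A non-zero slide models ASLR moving the code. */
cpu_t run_chain(const uint32_t *stack, size_t n, uint32_t slide)
{
    cpu_t c = {0};
    uint32_t base = LINK_BASE + slide;
    size_t sp = 0;
    if (n == 0) return c;
    uint32_t pc = stack[sp++];
    for (;;) {
        if (pc == base + G_POP && sp + 4 <= n) {
            c.r4 = stack[sp++]; c.r5 = stack[sp++]; c.r6 = stack[sp++];
            pc = stack[sp++];
        } else if (pc == base + G_CALL) {
            c.r0 = c.r4; c.r1 = c.r5;   /* arguments now come from the stack */
            c.called = c.r6;            /* BLX R6: record the call target    */
            c.ok = 1;
            return c;
        } else {
            return c;                   /* PC is not a gadget: chain faults  */
        }
    }
}

int main(void)
{
    cpu_t a = run_chain(CHAIN, 5, 0), b = run_chain(CHAIN, 5, 0x00140000u);
    printf("static: ok=%d r0=%#x call=%#x | slid: ok=%d\n",
           a.ok, (unsigned)a.r0, (unsigned)a.called, b.ok);
    return 0;
}
```

With a slide of zero the model reaches the call with R0 and R1 taken from the stack; with any other slide the first stack word no longer points at a gadget and nothing runs.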

So, data execution prevention combined with ASLR is probably the strongest way to protect a system, but mostly the effectiveness is based upon ASLR. As soon as addresses can be predicted, then huzzah, ROP.

This’ll do for now. If I’ve been a little vague, let me know and I can update/repost with better clarification. Since I’m naturally a tease too, I’ll be showing off a cool little project related to this kind of stuff (it isn’t anything amazing, but just a bit of fun!).
