Breaking the (ROP)Chains: Simple, repeatable mitigations for a class of attack

By Brian Callahan

Elevator Pitch

ROPChains are a powerful class of attack against binaries. We implemented a number of compiler-based mitigations for ROPChains in LLVM/Clang and GCC and benchmarked them to understand the security-performance tradeoff. Learn how to take simple, powerful steps to defend against this class of attack.

Description

Defending against ROPChain exploits can be significantly easier than you might believe. It takes only a few targeted, potentially unexpected, changes to your compiler to create binaries and shared libraries that no longer contain enough unique ROP gadgets to successfully build an exploitable ROPChain, defeating this class of attack. These changes can be implemented across a wide variety of compilers and operating systems, making a one-size-fits-all approach to ROPChain mitigations possible, so that these mitigations can be maximally beneficial to everyone.

Inspired by work spearheaded by the OpenBSD project, in this talk we outline what ROPChains are, why these attacks matter and are worth studying and developing mitigations for, what mitigations we chose to study and implement, and what the security-performance tradeoff is for these mitigations. We implemented these mitigations on LLVM/Clang and, for the first time that we know of, GCC. We will demonstrate how these mitigations work, discuss why these simple mitigations are so powerful, and recommend the best course of action for reducing your attack surface with these mitigations.

This talk comes with open source patches that you can apply to your compilers today to make a noticeable improvement to your security.

Notes

We are a team of university researchers at Rensselaer Polytechnic Institute (Troy, NY) who have taken binary exploitation courses, have been studying how to exploit ROPChains on modern machines and how to defend against such attacks, and are successful participants in national CTF tournaments. The submitter of this presentation is the professor who runs the research lab and is writing this submission as a teaching tool to show the students how to write conference proposals of their own. The co-presenters are the students who have taken the lead on this research and are the ones doing the heavy lifting. We intend for some subset of the co-presenters, many of whom are first-time speakers, to deliver the talk at the conference; the professor can also help deliver the talk if needed.

While we may be from Eastern NY, we are excited to meet many of our colleagues from Western NY.