Two researchers from the University of California, Berkeley, have released a paper introducing new attack techniques that they contend break existing defenses against return-oriented programming (ROP).
The researchers, Nicholas Carlini and David Wagner, are slated to present their research this week at the 23rd USENIX Security Symposium in San Diego. According to Carlini and Wagner, the widespread adoption of Data Execution Prevention (DEP) as a security feature killed classic code injection attacks, and made ROP the attacker tactic of choice for modern exploits of memory-safety vulnerabilities.
"In a ROP attack, the attacker does not inject new code; instead, the malicious computation is performed by chaining together existing sequences of instructions (called gadgets)," the paper explained.
In response to this reality, defenses have been designed that fall into two broad categories, they argued. The first relies on recompilation to remove potential gadgets from the program binary or to enforce the control flow integrity (CFI) of the binary. The second category of defenses attempts to protect legacy binaries using run-time protections.
To defeat these defenses, they have developed three attack strategies.