Code Reuse Attacks

Question 1

ROP

Answer 1

Return Oriented Programming

Question 2

When is ROP suitable?

Answer 2

When your data is not executable.

Question 3

ROP Gadgets

Answer 3

Snippets of executable code that end in a ret instruction.

Question 4

In system call 64 bit convention, which register changes for what argument and to which?

Answer 4

Argument 4, from RCX to R10

Question 5

Register that gives the reference to which syscall is being called

Answer 5

RAX

Question 6

SROP

Answer 6

Signal Return Oriented Programming

Question 7

Advantage of SROP

Answer 7

Only need a sigreturn trampoline a.k.a. syscall gadget for it to work in addition to ROP requirements.

Question 8

When to use SROP?

Answer 8

You are missing ROP gadgets.
Portable exploits.

Question 9

ret2csu

Answer 9

csu_init function adds code that gives us a gadget to control rbx,rbp,r12,r13,r14,r15 and allows us to call an arbitrary function pointer with three controlled arguments.

Question 10

JOP

Answer 10

Jump Oriented Programming

Question 11

Definition of JOP

Answer 11

Uses dispatchers in order to jump between code and circumvent back-edge CFI checks by not executing ret instructions.

Question 12

Dispatcher Gadget

Answer 12

Snippet of code executable code that ends with a call or jump instruction.