Blind Return Oriented Programming [pdf] - ShaneWilton
http://www.scs.stanford.edu/brop/bittau-brop.pdf

======
ShaneWilton
The slides [1] and overview, with supplementary software [2], are also
available online.

[1] [http://www.scs.stanford.edu/brop/bittau-brop-slides.pdf](http://www.scs.stanford.edu/brop/bittau-brop-slides.pdf)

[2] [http://www.scs.stanford.edu/brop/](http://www.scs.stanford.edu/brop/)

------
twic
An exceedingly clever and thorough bit of work!

Am I right in thinking that this would be stopped in its tracks by SafeStack?
[https://github.com/llvm-mirror/llvm/commit/7ffec838a2b72e684...](https://github.com/llvm-mirror/llvm/commit/7ffec838a2b72e6841d9fb993b5fe6a45f3b2a90)

~~~
ShaneWilton
I hadn't heard of SafeStack, but it sounds like very cool research. Thanks for
sharing!

I'm by no means an expert on binary exploitation, so I don't feel qualified to
answer your question. That being said, SafeStack sounds very similar to a
fairly recent exploit mitigation technique known as heap partitioning, or heap
isolation. My explanation wouldn't do the concept justice, but Google recently
wrote a great article on how they're using the technique to eliminate some of
the biggest causes of Flash 0day [1]. I don't know how effective the technique
is in practice, but it seems to be in use by a few major browsers now, and it
seems like Internet Explorer has been using it since June of last year [2].

[1] [http://googleprojectzero.blogspot.com/2015/07/significant-fl...](http://googleprojectzero.blogspot.com/2015/07/significant-flash-exploit-mitigations_16.html)

[2] [https://labs.mwrinfosecurity.com/blog/2014/06/20/isolated-he...](https://labs.mwrinfosecurity.com/blog/2014/06/20/isolated-heap-friends---object-allocation-hardening-in-web-browsers/)

