ROP setRegisters #1019

zachriggle · 2017-09-01T20:58:25Z

The current issue with setRegisters is that it requires basic gadgets a la pop rdi; ret.

If we need to set rdi and rsi and we have the following gadget, it will fail:

pop rsi; pop rdi; ret

We can solve this in two ways.

Dirty matching

Just use whatever matches we can get away with. This will bloat our ROP stack.

Set cover problem

This is ultimately the Set Cover Problem. Given a set of registers R which we wish to modify, and a collection S of m sets each containing some of the registers, we want to optimize for total stack space used.

This is slightly different from the Set Cover Problem, because our desired set R is not all possible values in the union of all sets in S, but it is a subset. Separately, we want to optimize not for the cardinality of the selected sets, but the total stack space used (since all gadgets add a ret and some gadgets even have add esp).

The text was updated successfully, but these errors were encountered:

zachriggle · 2017-09-01T21:01:46Z

We should also cache the results of this operation, since it may be expensive.

zachriggle added the enhancement label Sep 1, 2017

zachriggle self-assigned this Sep 1, 2017

zachriggle mentioned this issue Oct 3, 2017

Overhaul ROP.setRegisters to support more complex cases needed by AMD64 #1044

Merged

zachriggle closed this as completed in #1044 Oct 11, 2017

zachriggle added this to the 3.11.0 milestone Oct 12, 2017

This was referenced Oct 12, 2017

Multi-Unused Register ROP Sets #937

Closed

ROP arch when no context() call #927

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ROP setRegisters #1019

ROP setRegisters #1019

zachriggle commented Sep 1, 2017

zachriggle commented Sep 1, 2017

ROP setRegisters #1019

ROP setRegisters #1019

Comments

zachriggle commented Sep 1, 2017

Dirty matching

Set cover problem

zachriggle commented Sep 1, 2017