changes

paper.bbl

@@ -6,6 +6,11 @@ Saif El-Sherei.
 \newblock
   \url{https://www.exploit-db.com/docs/english/28479-return-oriented-programming-(rop-ftw).pdf}.
 
+\bibitem[Nyf]{rny}
+Rene Nyffenegger.
+\newblock
+  \url{https://renenyffenegger.ch/notes/Linux/fhs/proc/sys/kernel/randomize_va_space}.
+
 \bibitem[Pix16]{pixis}
 Pixis.
 \newblock Rop - return oriented programming.

paper.blg

@@ -4,45 +4,45 @@ The top-level auxiliary file: paper.aux
 The style file: alpha.bst
 Database file #1: refs.bib
 Warning--to sort, need author or key in proggen-rop
-You've used 4 entries,
+You've used 5 entries,
             2543 wiz_defined-function locations,
-            582 strings with 5167 characters,
-and the built_in function-call counts, 1177 in all, are:
-= -- 111
-> -- 48
-< -- 2
-+ -- 16
-- -- 16
-* -- 71
-:= -- 192
-add.period$ -- 11
-call.type$ -- 4
-change.case$ -- 22
-chr.to.int$ -- 4
-cite$ -- 6
-duplicate$ -- 45
-empty$ -- 99
-format.name$ -- 20
-if$ -- 242
+            586 strings with 5305 characters,
+and the built_in function-call counts, 1430 in all, are:
+= -- 134
+> -- 56
+< -- 3
++ -- 18
+- -- 18
+* -- 81
+:= -- 231
+add.period$ -- 13
+call.type$ -- 5
+change.case$ -- 26
+chr.to.int$ -- 5
+cite$ -- 7
+duplicate$ -- 56
+empty$ -- 124
+format.name$ -- 24
+if$ -- 296
 int.to.chr$ -- 1
 int.to.str$ -- 0
 missing$ -- 1
-newline$ -- 22
-num.names$ -- 9
-pop$ -- 34
+newline$ -- 26
+num.names$ -- 12
+pop$ -- 46
 preamble$ -- 1
-purify$ -- 26
+purify$ -- 32
 quote$ -- 0
-skip$ -- 46
+skip$ -- 56
 stack$ -- 0
-substring$ -- 29
-swap$ -- 4
-text.length$ -- 2
-text.prefix$ -- 1
+substring$ -- 36
+swap$ -- 5
+text.length$ -- 3
+text.prefix$ -- 2
 top$ -- 0
-type$ -- 32
+type$ -- 40
 warning$ -- 1
-while$ -- 7
-width$ -- 5
-write$ -- 47
+while$ -- 9
+width$ -- 6
+write$ -- 56
 (There was 1 warning)

paper.tex

@@ -166,14 +166,15 @@ \section{Results}
 \end{figure}
 The only compiler features that had to be disabled were PIE and stack canaries. It is likely that there are systems still in use today which are vulnerable to this kind of attack. Since it allows almost arbitrary code execution it is very important to identify these devices and patch or replace them.
 \paragraph{ASLR}
-The information wether ROP works with ASLR enabled is inconsistent. While trying this attack with \bltInlineVerb{/proc/sys/kernel/randomize_va_space} set to \bltInlineVerb{2} meaning full randomization the attack still seemed to work. The inconsistent information probably arises due to different approaches being used. With executables that have PIE enabled ROP is still possible but only with ASLR disabled. With the compiler options used for this example PIE is disabled and ASLR seems to have no effect on the exploit. This is because
+The information wether ROP works with ASLR enabled is inconsistent. While trying this attack with \bltInlineVerb{/proc/sys/kernel/randomize_va_space} set to \bltInlineVerb{2} meaning full randomization the attack still seemed to work. The inconsistent information probably arises due to different approaches being used. With executables that have PIE enabled ROP is still possible but only with ASLR disabled. With the compiler options used for this example PIE is disabled and ASLR seems to have no effect on the exploit. This is because the ASLR settings \Verb+1+ and \Verb+2+ only randomize shared libraries and PIE binaries~\cite{rny}, since the program has been compiled with the \bltInlineVerb{-static} option, which implicitly compiles the program to not be position independent.
 
 \section{Protection}
 \paragraph{Stack canaries}
 Stack canaries are one of the most effective approaches against ROP, they are enabled by default and prevent most forms of buffer overflows, however, stack canaries can be based on a small entropy pool and can therfore be bruteforced with an effort significantly smaller than regular bruteforcing. Depending on the target it can still be profitable and possible to bruteforce it even with a big entropy pool and high randomness.
 \paragraph{NX}
 The activation of the NX bit has no effect on ROP since the program never executes code outside the segments marked with the \bltInlineVerb{CODE} flag like in a classical stack overflow attack.
 \paragraph{ASLR}
+ASLR is a good protection against ROP since libraries and code locations get randomized each time the program is run. 32 Bit binaries only use 16 Bit for ASLR
 \paragraph{PIE}
 
 \section{Discussion}

refs.bib

@@ -1,6 +1,7 @@
 @misc{pixis, title={Rop - Return Oriented Programming}, howpublished="\url{https://en.hackndo.com/return-oriented-programming/}", journal={hackndo}, publisher={Pixis}, author={Pixis}, year={2016}, month={Oct}}
 @misc{el-sherei, title={Return oriented programming (ROP FTW) - exploit-db.com}, howpublished="\url{https://www.exploit-db.com/docs/english/28479-return-oriented-programming-(rop-ftw).pdf}", journal={Return-Oriented-Programming (ROP FTW)}, author={El-Sherei, Saif}}
-@misc{proggen-rop, title={Return-oriented Programming (ROP)}, howpublished="\url{https://www.proggen.org/doku.php?id=security%3Amemory-corruption%3Aexploitation%3Arop}", journal={Return-oriented Programming (ROP) - Raum für Ideen}} 
+@misc{proggen-rop, title={Return-oriented Programming (ROP)}, howpublished="\url{https://www.proggen.org/doku.php?id=security%3Amemory-corruption%3Aexploitation%3Arop}", journal={Return-oriented Programming (ROP) - Raum für Ideen}}
+@misc{rny, howpublished="\url{https://renenyffenegger.ch/notes/Linux/fhs/proc/sys/kernel/randomize_va_space}", journal={/proc/sys/kernel/randomize_va_space}, author={Nyffenegger, Rene}} 
 @article{ropsla,
 author = {Roemer, Ryan and Buchanan, Erik and Shacham, Hovav and Savage, Stefan},
 title = {Return-Oriented Programming: Systems, Languages, and Applications},