Bypassing modern anti-exploit mechanisms

Modern operating systems employ a variety of anti-exploit mechanisms known as exploit mitigation techniques to prevent and limit the success of malicious activities on a system. Yet, skilled attackers and malware creators continually develop methods to bypass these defenses. Here are several modern anti-exploit mechanisms and ways they might be circumvented:

  1. Address Space Layout Randomization (ASLR): ASLR randomizes the memory addresses at which program executables and libraries are loaded, making it difficult for an attacker to predict target addresses. To bypass ASLR, attackers can use techniques such as return-oriented programming (ROP), which reuses code already present in the process in ways its original developers did not intend[1].
  2. Data Execution Prevention (DEP): DEP prevents an application or service from executing code in a non-executable memory region. This helps to prevent certain buffer-overflow exploits. However, this can be bypassed with techniques such as Return Oriented Programming (ROP) or Jump Oriented Programming (JOP), which reuse existing executable code fragments in memory to perform malicious actions.
  3. Stack Canaries: Stack canaries protect against stack-based buffer overflows by placing a known value between the local variables and the saved return address and checking, before the function returns, whether that value has changed. However, if the overflow is in a heap-based buffer, or if the overflow does not reach the return address (and so never touches the canary), the canary will not detect it.
  4. Control-Flow Integrity (CFI): CFI mechanisms prevent redirection of execution flow to an unexpected location. Attackers can potentially bypass CFI by chaining together ROP gadgets in an executable’s own code or by exploiting weaknesses in CFI implementations.
  5. Relocation Read-Only (RELRO): RELRO makes certain data sections of an executable read-only after loading, preventing overwrite attacks on them. However, if only partial RELRO is enabled, the global offset table (GOT) remains writable, so the binary can still be vulnerable to overwrite attacks.
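A defender-side check that ties the list above to something concrete, added here as an example that is not part of the original post: it reads an ELF64 binary's program headers and dynamic section and reports whether the main image is position-independent (required for ASLR to apply to it), whether the stack is non-executable (NX/DEP), whether RELRO is partial or full, and whether the stack-canary failure handler is referenced. The `build_elf` helper, which constructs minimal synthetic images for testing, and the string-based canary heuristic are assumptions of this example.

```python
import struct

ET_DYN = 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf_mitigations(data: bytes) -> dict:
    """Report PIE/NX/RELRO/canary status of a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # Each entry: (p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align)
    phdrs = [struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)  # no PT_GNU_STACK means an executable stack
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = False  # full RELRO also needs BIND_NOW: the GOT is resolved before it is made read-only
    for p in (p for p in phdrs if p[0] == PT_DYNAMIC):
        off, end = p[2], p[2] + p[5]
        while off + 16 <= end:
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
            off += 16
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro,
            "canary": b"__stack_chk_fail" in data}  # heuristic: canary-protected code imports this symbol

def build_elf(pie=True, nx=True, relro="full", canary=True) -> bytes:
    """Construct a minimal, non-runnable ELF64 image with the requested flags (constructed test input)."""
    dyn = b""
    if relro != "none":
        dyn = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW if relro == "full" else 0, DT_NULL, 0)
    count = 1 if relro == "none" else 3
    dyn_off = 64 + 56 * count
    ph = [(PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)]
    if relro != "none":
        ph += [(PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dyn), len(dyn), 1),
               (PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)]
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, count, 64, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in ph) + dyn + (b"\0__stack_chk_fail\0" if canary else b"\0")
```

On a real binary, call `elf_mitigations(open(path, "rb").read())`; a result of `relro == "partial"` is exactly the case item 5 describes.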

As a malware analyst, understanding these exploit mitigation techniques can help you analyze the techniques used in malware. It’s also important to note that even with these bypass techniques, the complexity and risk for an attacker significantly increase compared to situations where such defenses are not in place.


Sources:

  1. Address Space Layout Randomization (ASLR)