Mac OS X Return-Oriented Exploitation presented at REcon 2010

by Dino Dai Zovi


Summary: The latest advances in exploitation of memory corruption vulnerabilities revolve around applying return-oriented exploitation techniques to evade non-executable memory protections such as Microsoft's Data Execution Prevention (DEP), CPU-supported non-executable memory (NX/XD), and mandatory code signing such as on iPhone OS. Although the ideas behind these exploitation techniques can be traced quite far back, they are receiving more attention as non-executable memory protections become more prevalent. This presentation will describe how return-oriented exploitation techniques can be applied to bypass non-executable memory protections in 32-bit x86 processes on Mac OS X Leopard and Snow Leopard. While most processes in Snow Leopard are 64-bit x64 processes, many key parts of the client-side attack surface remain 32-bit x86 processes, such as third-party web browser plugins for Safari, Mozilla Firefox, and Google Chrome. Finally, the presentation will conclude with a review of the key differences in the exploitation environment between 32-bit and 64-bit processes on Snow Leopard, detailing how 64-bit processes are more difficult to exploit by default.