Assistant Professor Bramwell Brizendine on Process Injection, Advanced Mitigation
Return-oriented programming poses a significant threat to system defenses because it reuses executable code already present in memory, allowing attackers to bypass common mitigations, said Bramwell Brizendine, an assistant professor at the University of Alabama in Huntsville.
In these attacks, Brizendine said, attackers identify vulnerable binaries for injection and string together instructions, or “gadgets,” found in process memory to gain control over a system. ROP-based process injection remains difficult to detect and mitigate because the technique works by manipulating code that already exists in process memory, and Brizendine said ROP attacks often remain hidden if proper EDR systems aren’t in place (see: Windows 10 Security Feature Broken, CERT/CC Warns).
“You have to pinpoint specifically which process you’re going to attack, so that requires you to be able to somehow identify that,” Brizendine said. “Traditionally, you would need to have some type of string comparison when you’re doing that with return-oriented programming, which can be difficult because you’re limited to only a certain small set of gadgets that the attack surface can support.”
In this video interview with Information Security Media Group at DEF CON 2024, Brizendine discussed:
- How return-oriented programming often bypasses common security mitigations;
- The role of novel string comparison techniques in enhancing ROP-based attacks;
- The role of tools such as ROP Rocket in advancing automated ROP chain generation.
Brizendine has taught numerous courses in reverse engineering, advanced software exploitation, malware analysis and offensive security. He is the author of several cybersecurity tools, including JOP ROCKET, SHAREM, ShellWasp and ROP ROCKET, which are open source and freely available.