The JOP ROCKET: A Supremely Wicked Tool for JOP Gadget Discovery, or What to Do If ROP Is Too Easy

Presented at DEF CON 27 (2019), Aug. 9, 2019, 4 p.m. (20 minutes)

Return-oriented Programming (ROP) has been the predominate code-reuse attack for over a decade, but there are other options. Many mitigations can detect ROP due to heuristics, but these fail to detect Jump-oriented Programming (JOP). The JOP ROCKET is a reverse engineering framework dedicated to facilitating JOP exploits. It allows hackers to discover JOP gadgets. This includes dispatcher gadget's, which helps to subvert and direct the control flow, and functional gadgets, our primitives. This tool provides numerous options to give hackers flexibility on how to find gadgets, to narrow and expand possibilities. Additionally, the tool uses opcode-splitting to discover many unintended gadgets. All gadgets are classified based on operation as well as registers used and affected. Thus, hackers could easily obtain the desired functional gadgets, such as MOV EBX, [VALUE], using simple language commands. Because of JOP's much more complex set up, the tool provides this classification, so time isn't wasted hunting through results. JOP is rarely done in the wild. Part of that complexity is in set up, but another part is the lack of dedicated tools. Having to find JOP gadgets manually could be time-consuming and require expertise. JOP ROCKET simplifies that, allowing the JOP gadgets to be found quickly and easily. This talk will give brief content on ROP, and then it introduces JOP and its history. Then we will dive into JOP ROCKET, discussing its features, how to use it to find JOP gadgets, and how to set up your own JOP exploit. We will then demo the tool.

Presenters:

• Bramwell Brizendine - Assistant Professor of Computer and Cyber Sciences, Dakota State University   as Dr. Bramwell Brizendine
  Dr. Bramwell Brizendine graduated with a Ph.D. in Cyber Operations in May, 2019. He holds master's degrees in Computer Science and Information Assurance. Bramwell is a professor at Dakota State University where he teaches topics such as reverse engineering, software exploitation, and malware analysis. Bramwell is the creator of the the JOP ROCKET, or the Jump-oriented Programming Reversing Open Cyber Knowledge Expert Tool. Bramwell has been interested in code-reuse attacks for several years. Bramwell was overcome by the urge to present a tool that made JOP more practical and useful for hackers who may wish to attempt using this more arcane class of code-reuse attacks. The JOP ROCKET is a by product of his doctoral dissertation.
• Dr. Joshua Stroschien - Assistant Professor of Cyber Security/Network & Security Administration, Dakota State University
  Dr. Josh Stroschien is a professor at Dakota State University. Dr. Josh Stroschein teaches undergraduate and graduate courses in cyber security with a focus on malware analysis, reverse engineering and software exploitation. His research interests include malware analysis and software exploitation. Outside of DSU, you can find Josh providing training at such venues as DerbyCon, Hack-In-The-Box and ToorCon. Website: https://0xevilc0de.com

Links:

• https://defcon.org/html/defcon-27/dc-27-speakers.html#Brizendine
• https://infocon.org/cons/DEF CON/DEF CON 27/DEF CON 27 video and slides/DEF CON 27 - Dr Bramwell Brizendine - The JOP ROCKET A Supremely Wicked Tool for JOP Gadget Discovery.mp4
• https://infocon.org/cons/DEF CON/DEF CON 27/DEF CON 27 video and slides/DEF CON 27 - Dr Bramwell Brizendine - The JOP ROCKET A Supremely Wicked Tool for JOP Gadget Discovery.srt (subtitles)
• https://www.youtube.com/watch?v=PMihX693mPE

Similar Presentations:

• Black Hat Asia 2021 Virtual / Pre-built JOP Chains with the JOP ROCKET: Bypassing DEP without ROP
• DEF CON 27 (2019) / HackPac: Hacking Pointer Authentication in iOS User Space
• SOURCE Seattle 2016 / At the Dawn of CET: Hunting Valid Gadget with Big Data