Presented at DEF CON 33 (2025), Aug. 10, 2025, 10:30 a.m. (45 minutes).
High-entropy ASLR was supposed to make bypasses of ASLR on Windows virtually impossible - until now! This talk debuts nine novel bypasses of the strongest form of ASLR on Windows, the form that makes attacks such as brute-forcing totally infeasible. It showcases how mostly simple, easy-to-find ROP gadgets can be used to construct highly reliable, universal ASLR bypasses for key Windows system DLLs, allowing ROP gadgets from those DLLs to be used freely in exploits. The end result? The attack surface is greatly expanded, making more attacks possible on binaries previously constrained by limited gadgets. What may have been impossible before due to insufficient ROP gadgets is now quite possible! While this talk focuses primarily on ASLR bypass for x64, we will also briefly touch upon similar attacks for x86. As part of this talk, for the first time ever, I am also releasing and open-sourcing a new mini-tool that generates complete x64 ROP chains for each of these bypasses. We will see this ASLR bypass attack in action with a demo. We conclude with recommendations to help remediate the problem. This talk is an in-depth technical dive into Windows internals and the design of this technique, but it will also be presented in a way that is accessible to beginners.
References:
- J. Thompson, “Six facts about address space layout randomization on Windows,” Aug. 2020. [link](https://cloud.google.com/blog/topics/threat-intelligence/six-facts-about-address-space-layout-randomization-on-windows)
- Microsoft Security Response Center, “Software defense: Mitigating common exploitation techniques,” Dec. 2013. [link](https://msrc.microsoft.com/blog/2013/12/software-defense-mitigating-common-exploitation-techniques)
- INCIBE-CERT, “ASLR: Essential protection against memory exploitation,” Mar. 29, 2025. [link](https://www.incibe.es/en/incibe-cert/blog/aslr-essential-protection-against-memory-exploitation)
- L. Binosi, G. Barzasi, M. Carminati, S. Zanero, and M. Polino, “The illusion of randomness: An empirical analysis of address space layout randomization implementations,” arXiv preprint arXiv:2408.15107, 2024.
- J. Ganz and S. Peisert, “ASLR: How robust is the randomness?” IEEE, 2017.
- D. H. Aristizabal, D. M. Rodriguez, and R. Y. Guevara, “Measuring ASLR implementations on modern operating systems,” in 2013 47th International Carnahan Conference on Security Technology (ICCST), IEEE, 2013, pp. 1–6.
- R. Hund, C. Willems, and T. Holz, “Practical timing side channel attacks against kernel space ASLR,” in 2013 IEEE Symposium on Security and Privacy, IEEE, 2013, pp. 191–205.
- K. Lu, C. Song, B. Lee, S. P. Chung, T. Kim, and W. Lee, “ASLR-Guard: Stopping address space leakage for code reuse attacks,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, pp. 280–291.
- C. Miller, “Mobile attacks and defense,” IEEE Security & Privacy, vol. 9, no. 4, pp. 68–70, 2011.
- S. Liebergeld and M. Lange, “Android security, pitfalls and lessons learned,” in Information Sciences and Systems 2013: Proceedings of the 28th International Symposium on Computer and Information Sciences, Springer, 2013, pp. 409–417.
- D. Gruss, C. Maurice, A. Fogh, M. Lipp, and S. Mangard, “Prefetch side channel attacks: Bypassing SMAP and kernel ASLR,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 368–379.
- Microsoft Corporation, “High-Entropy VA / Support for 64-bit ASLR,” 2025. [link](https://learn.microsoft.com/en-us/cpp/build/reference/highentropyva-support-64-bit-aslr)
- R. V. Díaz, M. Rivera-Dourado, R. Pérez-Jove, P. V. Avendaño, and J. M. Vázquez-Naya, “Address space layout randomization comparative analysis on Windows 10 and Ubuntu 18.04 LTS,” Engineering Proceedings, vol. 7, no. 1, p. 26, 2021.
- Nergal, “The advanced return-into-lib(c) exploits: PaX case study,” Phrack Magazine, vol. 58, Dec. 2001.
- T. Durden, “Bypassing PaX ASLR protection,” Phrack Magazine, vol. 11, issue 59, Jul. 2002, Phile #0x09 of 0x12.
- M. A. Butt, Z. Ajmal, Z. I. Khan, M. Idrees, and Y. Javed, “An in-depth survey of bypassing buffer overflow mitigation techniques,” Applied Sciences, vol. 12, no. 13, p. 6702, 2022.
- X. Zhang, J. Huang, and Y. Feng, “A comprehensive approach to mitigate return-oriented programming attacks: Combining operating system protection mechanisms and hardware-assisted techniques,” in Proc. IEEE 8th Int. Conf. on Software Engineering and Computer Systems (ICSECS), 2023, pp. 453–458.
- R. Roemer, E. Buchanan, H. Shacham, and S. Savage, “Return-oriented programming: Systems, languages, and applications,” ACM Transactions on Information and System Security (TISSEC), vol. 15, no. 1, pp. 1–34, 2012.
- D. Dai Zovi, “Practical return-oriented programming,” Source Boston, 2010.
- M. Prandini and M. Ramilli, “Return-oriented programming,” IEEE Security & Privacy, vol. 10, no. 6, pp. 84–87, 2012.
- V. Pappas, “KBouncer: Efficient and transparent ROP mitigation,” vol. 1, pp. 1–2, Apr. 2012.
- E. Göktas, B. Kollenda, P. Koppe, E. Bosman, G. Portokalidis, T. Holz, H. Bos, and C. Giuffrida, “Position-independent code reuse: On the effectiveness of ASLR in the absence of information disclosure,” in IEEE European Symposium on Security and Privacy (EuroS&P), IEEE, 2018, pp. 227–242.
Presenters:
- Bramwell Brizendine, Director at VERONA Lab
Dr. Bramwell Brizendine has a Ph.D. in Cyber Operations and is the Director of the VERONA Lab. Bramwell has regularly spoken at DEFCON and presented at all regional editions of Black Hat (USA, Europe, Asia, MEA), as well as at Hack in the Box Amsterdam and Wild West Hackin' Fest. Bramwell received a $300,000 NSA research grant to create the SHAREM shellcode analysis framework, which brings unprecedented capabilities to shellcode analysis. He has additionally authored ShellWasp, which facilitates using Windows syscalls in shellcode, as well as two code-reuse attack frameworks, ROP ROCKET and JOP ROCKET. Bramwell has previously taught undergraduate, master's, and Ph.D. courses on software exploitation, reverse engineering, offensive security, and malware analysis. He currently teaches cybersecurity courses at the University of Alabama in Huntsville.