ROP Chain Execution Detection Using Intel PT

Presented at ekoparty 14 (2018), Sept. 28, 2018, 2:40 p.m. (50 minutes)

About Intel PT The Intel Core iX processors incorporate a new technology called Intel Processor Trace. Intel PT allows low-level monitoring of a running process. The information provided by Intel PT is related to the instructions that are being executed by the processor. This information is delivered in different kind of data packets with a specific format. Everything is achieved through dedicated hardware, which is inside the processor package and ensures a low impact on performance. The Idea Taking the information generated by Intel PT, especially the one related to the execution flow of a traced process, it is possible to apply some heuristics derived from the mitigation technique called Control Flow Integrity (CFI). The CFI mitigation suggests the use of tags in the prologues and epilogues of each function, as well as the use of shadow stacks. Then, by comparing the tags (origin and destination) in the call instructions and the values in the shadow stack with the return addresses in the return instructions, it is possible to confirm if a process is following a valid execution path or not. Our Implementation The point is… if we are using Intel PT. Why use shadow stacks? Considering the implementation of Intel PT, it is possible to avoid a software implemented shadow stack and use just the packets generated when a failure occurs because of a mismatch between the information stored in the LBR table and the trace information. So, having some specific sequences of packets, it is possible to confirm that a ROP chain is being executed.


  • Diego Provinciani
    Diego Provinciani is the best "Hello World" software developer have you ever seen. In addition, he is about to achieve the Computer Engineering degree at the Universidad Nacional de Córdoba and he has a lot of interest in vulnerability research and exploit/malware analysis. Ha has been working for 3 years at Intel/McAfee as a C++ software developer (error, he isn't working! he is enjoying what he loves doing!). More specifically he es working in an exploit-prevention component that is part of one of the most important security solutions of the company, deployed in millions of Endpoints. He took advantage of his working position at McAfee to be part of the OffSec TEAM. People in this team is rock! They spend time exploring and analyzing in deep the newest computer threats just to get new knowledge and because they really enjoy doing it. Currently, Diego is leading this team and is focused on giving presentations about binary exploitation and evasion techniques. Diego was born in a little town of Cordoba called Oncativo, where he lived his whole life. He loves physical activity and outdoor activities like mountain bike, running, and wakeboard.


Similar Presentations: