TRAPSLED
Suggested by Theo de Raadt and implemented in 2017 by Todd Mortimer, TRAPSLED simply turns the padding between functions from nop to int3.
In the words of its author:
I have attached a patch that converts NOP padding from the assembler into INT3 padding on amd64. The idea is to remove potentially convenient NOP sleds from programs and libraries, which makes it harder for an attacker to hit any ROP gadgets or other instructions after a NOP sled.
I don’t think that there is a single use-case for this: NOP sleds were useful back in the days when the stack was executable and ASLR was non-existent or not random enough; you prefixed your shellcode with one so that an imprecise landing address would still slide into it. But nowadays, nobody is using such constructions any more.
TRAPSLED doesn’t make hitting gadgets harder: if you can bypass ASLR, you know the exact address of what you want to execute, so odds are that you can simply jump before or after the padding. And where control flow has to pass through the padding, the traps are prefixed by a jmp that skips over them, so they won’t alter a single gadget.
But on the other hand, this is a super-cheap change that doesn’t introduce any complexity, and it might help to catch some misalignment bugs; it definitely isn’t, by any means, a security feature.
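To make the three padding layouts concrete, here is an added example (my own code, not from the TRAPSLED patch, OpenBSD, or any toolchain): it lays out eight bytes of padding in front of a tiny function (mov eax, 42; ret) in an executable page and jumps into the padding. NOP fill slides into the function, INT3 fill traps (caught here as SIGTRAP), and the in-function variant, a jmp over the INT3 bytes, behaves like the NOP version for normal fall-through while still trapping anything that lands inside it. It also shows the point made above: jumping directly to the function is unaffected by any of the fills. It assumes an x86-64 or i386 Linux/BSD host; the padding length of eight bytes and the function encoding are choices made for the demo.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if !defined(__x86_64__) && !defined(__i386__)
#error "this demo hand-encodes x86 machine code"
#endif

/* Three padding layouts (demo choice), each followed by the same
 * 6-byte function:  mov eax, 42 ; ret   ->  b8 2a 00 00 00 c3 */
enum pad_kind { PAD_NOP, PAD_INT3, PAD_JMP_INT3 };

#define PAD_LEN 8          /* arbitrary padding length for the demo */
#define ENTRY_TRAP (-1)    /* returned when execution hit an int3 */

static sigjmp_buf trap_env;

static void on_sigtrap(int sig) {
    (void)sig;
    siglongjmp(trap_env, 1);   /* unwind back into run_entry() */
}

/* Write PAD_LEN padding bytes followed by the function into buf;
 * returns the total number of bytes written. */
static size_t build_region(uint8_t *buf, enum pad_kind kind) {
    static const uint8_t func[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
    switch (kind) {
    case PAD_NOP:
        memset(buf, 0x90, PAD_LEN);            /* classic nop sled */
        break;
    case PAD_INT3:
        memset(buf, 0xcc, PAD_LEN);            /* TRAPSLED between functions */
        break;
    case PAD_JMP_INT3:
        buf[0] = 0xeb;                         /* jmp rel8 ... */
        buf[1] = PAD_LEN - 2;                  /* ... over the remaining int3s */
        memset(buf + 2, 0xcc, PAD_LEN - 2);    /* in-function TRAPSLED fill */
        break;
    }
    memcpy(buf + PAD_LEN, func, sizeof func);
    return PAD_LEN + sizeof func;
}

/* Jump to region+entry. Returns 42 if the function was reached,
 * ENTRY_TRAP if an int3 fired first, or a negative error code. */
int run_entry(enum pad_kind kind, size_t entry) {
    long pagesz = sysconf(_SC_PAGESIZE);
    uint8_t *region = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                           MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -2;
    size_t len = build_region(region, kind);
    if (entry >= len) { munmap(region, (size_t)pagesz); return -3; }
    /* W^X: fill the page while writable, then flip it to read+exec. */
    if (mprotect(region, (size_t)pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(region, (size_t)pagesz);
        return -2;
    }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigtrap;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGTRAP, &sa, &old);

    int result;
    if (sigsetjmp(trap_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(uintptr_t)(region + entry);
        result = fn();                         /* land in the padding */
    } else {
        result = ENTRY_TRAP;                   /* int3 was executed */
    }
    sigaction(SIGTRAP, &old, NULL);
    munmap(region, (size_t)pagesz);
    return result;
}

int main(void) {
    static const char *names[] = { "nop", "int3", "jmp+int3" };
    for (int k = PAD_NOP; k <= PAD_JMP_INT3; k++) {
        printf("%-9s entry=0: %3d  entry=3: %3d  entry=%d: %3d\n", names[k],
               run_entry((enum pad_kind)k, 0), run_entry((enum pad_kind)k, 3),
               PAD_LEN, run_entry((enum pad_kind)k, PAD_LEN));
    }
    return 0;
}
```

Running it prints 42 for every entry into the nop sled, ENTRY_TRAP for every entry into the int3 sled, 42 for entry 0 of the jmp+int3 layout (the jmp skips the traps) but ENTRY_TRAP for entry 3, and 42 for all three layouts when the jump goes straight to the function at offset 8: an attacker who already knows that address never touches the padding.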
It’s amusing to notice that Microsoft Visual Studio has also used int3 as padding since at least its 2010 edition, and that it was never branded as a security mechanism.
In 2019, Kees Cook changed the Linux kernel’s function padding from 0x90 to 0xCC:
Instead of using 0x90 (NOP) to fill bytes between functions, which makes it easier to sloppily target functions in function pointer overwrite attacks, fill with 0xCC (INT3) to force a trap.
Interestingly, in 2019, grsecurity started to add an int3 instruction after every ret, to mitigate Straight Line Speculation.
Alex Ionescu said, sarcastically, about TRAPSLED, in 2017:
#TRAPSLED is a revolutionary OpenBSD mitigation against COOP, a bleeding edge attack technique.
Bruce Leidl said, in 2017:
NOP sliding into ROP gadgets is not a thing btw
Francisco Falcon, ex-exploit writer at Core, now at Quarkslab, said, in June 2017:
Has anyone nominated “trapsled” for the @PwnieAwards yet?
Lazytyped, said, in August 2017:
My brain had decided to selectively remove any trace of trapsled :)
Jacques Fortier, manager of the Trusted Kernel team at Apple, who previously worked on iPhone security there, said in August 2017, when mocking RETGUARD:
This comes from the same people responsible for trapsled, so … https://www.mail-archive.com/tech@openbsd.org/msg39742.html
Ralf (RPW), baseband exploit writer, speaker at the 30c3, said in June 2017, about TRAPSLED:
Shadow-mitigating (designing a mitigation without being informed by actual data), OpenBSD edition: https://marc.info/?l=openbsd-tech&m=149792179514439&w=2 (HT @bleidl)