The SPARC architecture manual (version 9)
The SPARC architecture manual (version 9)
SPARC Architecture, Assembly Language Programming, and C
SPARC Architecture, Assembly Language Programming, and C
On the effectiveness of address-space randomization
Proceedings of the 11th ACM conference on Computer and communications security
StackGhost: Hardware facilitated stack protection
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)
Proceedings of the 14th ACM conference on Computer and communications security
Multi-aspect profiling of kernel rootkit behavior
Proceedings of the 4th ACM European conference on Computer systems
Filter-resistant code injection on ARM
Proceedings of the 16th ACM conference on Computer and communications security
On the difficulty of software-based attestation of embedded devices
Proceedings of the 16th ACM conference on Computer and communications security
Proceedings of the 16th ACM conference on Computer and communications security
Countering kernel rootkits with lightweight hook protection
Proceedings of the 16th ACM conference on Computer and communications security
Hardware-enforced fine-grained isolation of untrusted code
Proceedings of the first ACM workshop on Secure execution of untrusted code
Proceedings of the 2009 ACM workshop on Scalable trusted computing
Automatically Adapting a Trained Anomaly Detector to Software Patches
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
DROP: Detecting Return-Oriented Programming Malicious Code
ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
Defeating return-oriented rootkits with "Return-Less" kernels
Proceedings of the 5th European conference on Computer systems
EVT/WOTE'09 Proceedings of the 2009 conference on Electronic voting technology/workshop on trustworthy elections
Return-oriented rootkits: bypassing kernel code integrity protection mechanisms
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Return-oriented programming without returns
Proceedings of the 17th ACM conference on Computer and communications security
SBAP: software-based attestation for peripherals
TRUST'10 Proceedings of the 3rd international conference on Trust and trustworthy computing
SegSlice: towards a new class of secure programming primitives for trustworthy platforms
TRUST'10 Proceedings of the 3rd international conference on Trust and trustworthy computing
Extending IPsec for efficient remote attestation
FC'10 Proceedings of the 14th international conference on Financial cryptograpy and data security
VM-based security overkill: a lament for applied systems security research
Proceedings of the 2010 workshop on New security paradigms
G-Free: defeating return-oriented programming through gadget-less binaries
Proceedings of the 26th Annual Computer Security Applications Conference
IEEE Wireless Communications
A framework for automated architecture-independent gadget search
WOOT'10 Proceedings of the 4th USENIX conference on Offensive technologies
Efficient detection of the return-oriented programming malicious code
ICISS'10 Proceedings of the 6th international conference on Information systems security
Return-oriented rootkit without returns (on the x86)
ICICS'10 Proceedings of the 12th international conference on Information and communications security
Automatic construction of jump-oriented programming shellcode (on the x86)
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Jump-oriented programming: a new class of code-reuse attack
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
ROPdefender: a detection tool to defend against return-oriented programming attacks
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Enforcing executing-implies-verified with the integrity-aware processor
TRUST'11 Proceedings of the 4th international conference on Trust and trustworthy computing
Exploiting the hard-working DWARF: trojan and exploit techniques with no native executable code
WOOT'11 Proceedings of the 5th USENIX conference on Offensive technologies
SHELLOS: enabling fast detection and forensic analysis of code injection attacks
SEC'11 Proceedings of the 20th USENIX conference on Security
Q: exploit hardening made easy
SEC'11 Proceedings of the 20th USENIX conference on Security
Filter-resistant code injection on ARM
Journal in Computer Virology
Revisiting address space randomization
ICISC'10 Proceedings of the 13th international conference on Information security and cryptology
DriverGuard: a fine-grained protection on I/O flows
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
HyperCrop: a hypervisor-based countermeasure for return oriented programming
ICICS'11 Proceedings of the 13th international conference on Information and communications security
Mitigating code-reuse attacks with control-flow locking
Proceedings of the 27th Annual Computer Security Applications Conference
deRop: removing return-oriented programming from malware
Proceedings of the 27th Annual Computer Security Applications Conference
Return-Oriented Programming: Systems, Languages, and Applications
ACM Transactions on Information and System Security (TISSEC) - Special Issue on Computer and Communications Security
Isolating commodity hosted hypervisors with HyperLock
Proceedings of the 7th ACM european conference on Computer Systems
Scalable remote attestation with privacy protection
INTRUST'09 Proceedings of the First international conference on Trusted Systems
Packed, printable, and polymorphic return-oriented programming
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
On the expressiveness of return-into-libc attacks
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Prevent kernel return-oriented programming attacks using hardware virtualization
ISPEC'12 Proceedings of the 8th international conference on Information Security Practice and Experience
Branch regulation: low-overhead protection from code reuse attacks
Proceedings of the 39th Annual International Symposium on Computer Architecture
Microgadgets: size does matter in turing-complete return-oriented programming
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
Binary stirring: self-randomizing instruction addresses of legacy x86 binary code
Proceedings of the 2012 ACM conference on Computer and communications security
Analysis of existing remote attestation techniques
Security and Communication Networks
Proceedings of the 2012 workshop on New security paradigms
ChameleonSoft: Software Behavior Encryption for Moving Target Defense
Mobile Networks and Applications
Run-time control flow authentication: an assessment on contemporary x86 platforms
Proceedings of the 28th Annual ACM Symposium on Applied Computing
BISSAM: automatic vulnerability identification of office documents
DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Protecting function pointers in binary
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
DriverGuard: Virtualization-Based Fine-Grained Protection on I/O Flows
ACM Transactions on Information and System Security (TISSEC)
ASIST: architectural support for instruction set randomization
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Control flow integrity for COTS binaries
SEC'13 Proceedings of the 22nd USENIX conference on Security
Jekyll on iOS: when benign apps become evil
SEC'13 Proceedings of the 22nd USENIX conference on Security
Proceedings of the 2013 workshop on New security paradigms workshop
RopSteg: program steganography with return oriented programming
Proceedings of the 4th ACM conference on Data and application security and privacy
Hi-index | 0.00 |
This paper reconsiders the threat posed by Shacham's "return-oriented programming" -- a technique by which W-xor-X-style hardware protections are evaded via carefully crafted stack frames that divert control flow into the middle of existing variable-length x86 instructions -- creating short new instructions streams that then return. We believe this attack is both more general and a greater threat than the author appreciated. In fact, the vulnerability is not limited to the x86 architecture or any particular operating system, is readily exploitable, and bypasses an entire category of malware protections. In this paper we demonstrate general return-oriented programming on the SPARC, a fixed instruction length RISC architecture with structured control flow. We construct a Turing-complete library of code gadgets using snippets of the Solaris libc, a general purpose programming language, and a compiler for constructing return-oriented exploits. Finally, we argue that the threat posed by return-oriented programming, across all architectures and systems, has negative implications for an entire class of security mechanisms: those that seek to prevent malicious computation by preventing the execution of malicious code.