Return-oriented programming without returns

Authors:
Stephen Checkoway;Lucas Davi;Alexandra Dmitrienko;Ahmad-Reza Sadeghi;Hovav Shacham;Marcel Winandy
Affiliations:
University of California, San Diego, La Jolla, CA, USA;Ruhr-Universit ät Bochum, Bochum, Germany;Ruhr-Universit ät Bochum, Bochum, Germany;Ruhr-Universit ät Bochum, Bochum, Germany;University of California, San Diego, La Jolla, CA, USA;Ruhr-Universit ät Bochum, Bochum, Germany
Venue:
Proceedings of the 17th ACM conference on Computer and communications security
Year:
2010

Citing 20
Cited 37

RAD: A Compile-Time Solution to Buffer Overflow Attacks

ICDCS '01 Proceedings of the The 21st International Conference on Distributed Computing Systems
Pin: building customized program analysis tools with dynamic instrumentation

Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
Control-flow integrity

Proceedings of the 12th ACM conference on Computer and communications security
Dynamic code instrumentation to detect and recover from return address corruption

Proceedings of the 2006 international workshop on Dynamic systems analysis
Valgrind: a framework for heavyweight dynamic binary instrumentation

Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
StackGhost: Hardware facilitated stack protection

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
XFI: software guards for system address spaces

OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

Proceedings of the 14th ACM conference on Computer and communications security
Code injection attacks on harvard-architecture devices

Proceedings of the 15th ACM conference on Computer and communications security
When good instructions go bad: generalizing return-oriented programming to RISC

Proceedings of the 15th ACM conference on Computer and communications security
An empirical security study of the native code in the JDK

SS'08 Proceedings of the 17th conference on Security symposium
Native Client: A Sandbox for Portable, Untrusted x86 Native Code

SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Defending embedded systems against control flow attacks

Proceedings of the first ACM workshop on Secure execution of untrusted code
Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks

Proceedings of the 2009 ACM workshop on Scalable trusted computing
DROP: Detecting Return-Oriented Programming Malicious Code

ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
Defeating return-oriented rootkits with "Return-Less" kernels

Proceedings of the 5th European conference on Computer systems
Can DREs provide long-lasting security? the case of return-oriented programming and the AVC advantage

EVT/WOTE'09 Proceedings of the 2009 conference on Electronic voting technology/workshop on trustworthy elections
Return-oriented rootkits: bypassing kernel code integrity protection mechanisms

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Adapting software fault isolation to contemporary CPU architectures

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Experiences using minos as a tool for capturing and analyzing novel worms for unknown vulnerabilities

DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Efficient detection of the return-oriented programming malicious code

ICISS'10 Proceedings of the 6th international conference on Information systems security
Return-oriented rootkit without returns (on the x86)

ICICS'10 Proceedings of the 12th international conference on Information and communications security
Privilege escalation attacks on android

ISC'10 Proceedings of the 13th international conference on Information security
Automatic construction of jump-oriented programming shellcode (on the x86)

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Jump-oriented programming: a new class of code-reuse attack

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
ROPdefender: a detection tool to defend against return-oriented programming attacks

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Q: exploit hardening made easy

SEC'11 Proceedings of the 20th USENIX conference on Security
Revisiting address space randomization

ICISC'10 Proceedings of the 13th international conference on Information security and cryptology
DriverGuard: a fine-grained protection on I/O flows

ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Combining control-flow integrity and static analysis for efficient and validated data sandboxing

Proceedings of the 18th ACM conference on Computer and communications security
Mitigating code-reuse attacks with control-flow locking

Proceedings of the 27th Annual Computer Security Applications Conference
deRop: removing return-oriented programming from malware

Proceedings of the 27th Annual Computer Security Applications Conference
Poster: control-flow integrity for smartphones

Proceedings of the 18th ACM conference on Computer and communications security
Security breaches as PMU deviation: detecting and identifying security attacks using performance counters

Proceedings of the Second Asia-Pacific Workshop on Systems
Return-Oriented Programming: Systems, Languages, and Applications

ACM Transactions on Information and System Security (TISSEC) - Special Issue on Computer and Communications Security
libdft: practical dynamic data flow tracking for commodity systems

VEE '12 Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments
Packed, printable, and polymorphic return-oriented programming

RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
On the expressiveness of return-into-libc attacks

RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
What if you can't trust your network card?

RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Light-weight bounds checking

Proceedings of the Tenth International Symposium on Code Generation and Optimization
Branch regulation: low-overhead protection from code reuse attacks

Proceedings of the 39th Annual International Symposium on Computer Architecture
Jump oriented programming on windows platform (on the x86)

ICCSA'12 Proceedings of the 12th international conference on Computational Science and Its Applications - Volume Part III
Microgadgets: size does matter in turing-complete return-oriented programming

WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
Binary stirring: self-randomizing instruction addresses of legacy x86 binary code

Proceedings of the 2012 ACM conference on Computer and communications security
Marlin: making it harder to fish for gadgets

Proceedings of the 2012 ACM conference on Computer and communications security
Secure and robust monitoring of virtual machines through guest-assisted introspection

RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
A memory access validation scheme against payload injection attacks

RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Code shredding: byte-granular randomization of program layout for detecting code-reuse attacks

Proceedings of the 28th Annual Computer Security Applications Conference
Run-time control flow authentication: an assessment on contemporary x86 platforms

Proceedings of the 28th Annual ACM Symposium on Applied Computing
DriverGuard: Virtualization-Based Fine-Grained Protection on I/O Flows

ACM Transactions on Information and System Security (TISSEC)
HeapSentry: kernel-assisted protection against heap overflows

DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Control flow integrity for COTS binaries

SEC'13 Proceedings of the 22nd USENIX conference on Security
Strato: a retargetable framework for low-level inlined-reference monitors

SEC'13 Proceedings of the 22nd USENIX conference on Security
Transparent ROP exploit mitigation using indirect branch tracing

SEC'13 Proceedings of the 22nd USENIX conference on Security
Jekyll on iOS: when benign apps become evil

SEC'13 Proceedings of the 22nd USENIX conference on Security
Booby trapping software

Proceedings of the 2013 workshop on New security paradigms workshop
RopSteg: program steganography with return oriented programming

Proceedings of the 4th ACM conference on Data and application security and privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction sequences that behave like a return, which occur with sufficient frequency in large libraries on (x86) Linux and (ARM) Android to allow creation of Turing-complete gadget sets. Because they do not make use of return instructions, our new attacks have negative implications for several recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream; those that detect violations of the last-in, first-out invariant normally maintained for the return-address stack; and those that modify compilers to produce code that avoids the return instruction.