DOI: 10.1145/1866307.1866370

Return-oriented programming without returns

Published: 04 October 2010

Abstract

We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction sequences that behave like a return, which occur with sufficient frequency in large libraries on (x86) Linux and (ARM) Android to allow creation of Turing-complete gadget sets.
Because they do not make use of return instructions, our new attacks have negative implications for several recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream; those that detect violations of the last-in, first-out invariant normally maintained for the return-address stack; and those that modify compilers to produce code that avoids the return instruction.
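The blind spot the abstract describes can be seen in a toy model. The following C program is an added example, not code from the paper or from any of the defences it discusses: it executes the same gadget bodies once as a conventional return-driven chain and once as a chain whose gadgets end in an indirect jump to a trampoline that behaves like a return (pop a word from attacker-controlled memory, then jump to it), and then runs both execution traces past two deliberately simplified stand-ins for the defence classes the abstract names (a return-frequency heuristic and a shadow stack enforcing the call/return LIFO invariant). The gadget addresses, bodies, window size and threshold are all constructed for illustration.

```c
/* Added toy model (not the paper's code): gadget chains driven by "ret" or by
 * a return-like trampoline, checked by two simplified return-based detectors.
 * Addresses, gadget bodies and thresholds are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum op   { OP_OTHER, OP_CALL, OP_RET, OP_JMP_IND };   /* instruction classes */
enum term { END_RET, END_JMP_TRAMP };                  /* how a gadget ends   */
#define END    0u        /* sentinel payload word: chain finished */
#define MAX_TR 256

/* A gadget: body_len useful instructions (here: acc += k), then a terminator.
 * END_JMP_TRAMP means "jmp *reg" with reg pointing at a trampoline that does
 * pop x; jmp *x, i.e. an instruction sequence that behaves like a return. */
typedef struct { uint32_t addr; int body_len; int k; enum term end; } gadget;

/* Constructed catalog: each body is available with both kinds of ending. */
static const gadget CATALOG[] = {
    { 0x2000, 2,   1, END_RET }, { 0x3000, 2,   1, END_JMP_TRAMP },
    { 0x2010, 1,  10, END_RET }, { 0x3010, 1,  10, END_JMP_TRAMP },
    { 0x2020, 3, 100, END_RET }, { 0x3020, 3, 100, END_JMP_TRAMP },
};

typedef struct { enum op ops[MAX_TR]; int n; int acc; } trace;

static const gadget *lookup(uint32_t addr) {
    for (size_t i = 0; i < sizeof CATALOG / sizeof CATALOG[0]; i++)
        if (CATALOG[i].addr == addr) return &CATALOG[i];
    return NULL;
}
static void emit(trace *t, enum op o) { if (t->n < MAX_TR) t->ops[t->n++] = o; }

/* Execute a chain. mem[] is the attacker-controlled payload, sp indexes the
 * next word. Both endings consume exactly one payload word per gadget: "ret"
 * pops it into pc, the trampoline pops it into x and jumps there. Returns
 * the accumulator (-1 on an unknown address) and records the trace. */
static int run_chain(const uint32_t *mem, int sp, trace *t) {
    uint32_t pc, x;
    memset(t, 0, sizeof *t);
    pc = mem[sp++];
    while (pc != END) {
        const gadget *g = lookup(pc);
        if (!g) return -1;
        for (int i = 0; i < g->body_len; i++) emit(t, OP_OTHER);
        t->acc += g->k;
        if (g->end == END_RET) {
            emit(t, OP_RET);           /* ret: pop pc */
            pc = mem[sp++];
        } else {
            emit(t, OP_JMP_IND);       /* jmp *reg (reg holds the trampoline) */
            x = mem[sp++];
            emit(t, OP_OTHER);         /* trampoline: pop x */
            emit(t, OP_JMP_IND);       /* trampoline: jmp *x */
            pc = x;
        }
    }
    return t->acc;
}

/* Defence class 1, simplified: at least thr returns within win instructions. */
static int ret_frequency_flagged(const trace *t, int win, int thr) {
    for (int s = 0; s < t->n; s++) {
        int rets = 0;
        for (int i = s; i < t->n && i < s + win; i++) rets += (t->ops[i] == OP_RET);
        if (rets >= thr) return 1;
    }
    return 0;
}

/* Defence class 2, simplified shadow stack: a ret with no matching call breaks
 * the LIFO invariant. A gadget chain issues no calls, so its first ret is
 * caught; a chain that never executes ret never reaches this check at all. */
static int shadow_stack_flagged(const trace *t) {
    int depth = 0;
    for (int i = 0; i < t->n; i++) {
        if (t->ops[i] == OP_CALL) depth++;
        else if (t->ops[i] == OP_RET && depth-- == 0) return 1;
    }
    return 0;
}

/* Constructed payloads: the same bodies (1, 10, 100, 1) chained both ways. */
static const uint32_t RET_CHAIN[] = { 0x2000, 0x2010, 0x2020, 0x2000, END };
static const uint32_t JMP_CHAIN[] = { 0x3000, 0x3010, 0x3020, 0x3000, END };

/* what: 0 = computed result, 1 = ret-frequency verdict, 2 = shadow-stack verdict */
static int check(const uint32_t *chain, int what) {
    trace t;
    int acc = run_chain(chain, 0, &t);
    if (what == 1) return ret_frequency_flagged(&t, 8, 3);
    if (what == 2) return shadow_stack_flagged(&t);
    return acc;
}

int main(void) {
    printf("ret chain: acc=%d ret-freq=%d shadow=%d\n",
           check(RET_CHAIN, 0), check(RET_CHAIN, 1), check(RET_CHAIN, 2));
    printf("jmp chain: acc=%d ret-freq=%d shadow=%d\n",
           check(JMP_CHAIN, 0), check(JMP_CHAIN, 1), check(JMP_CHAIN, 2));
    return 0;
}
```

Both chains compute the same value, so the attacker loses nothing by switching endings, yet only the return-driven chain trips either detector: the trampoline consumes payload words exactly as `ret` does but leaves no `ret` in the instruction stream and never touches the return-address stack. The caveat for defenders follows directly: a policy that only watches returns is not a control-flow policy; a check that constrains the targets of indirect jumps and calls as well, in the manner of control-flow integrity, is not bypassed by this change of terminator.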

Published In

CCS '10: Proceedings of the 17th ACM conference on Computer and communications security
October 2010, 782 pages
ISBN: 9781450302456
DOI: 10.1145/1866307
Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. arm
2. return-oriented programming
3. x86

Qualifiers

• Research-article

Conference

CCS '10

Acceptance Rates

CCS '10 paper acceptance rate: 55 of 325 submissions, 17%
Overall acceptance rate: 1,261 of 6,999 submissions, 18%
