Research article. DOI: 10.1145/1920261.1920269

G-Free: defeating return-oriented programming through gadget-less binaries

Published: 06 December 2010

Abstract

Despite the numerous prevention and protection mechanisms that have been introduced into modern operating systems, the exploitation of memory corruption vulnerabilities still represents a serious threat to the security of software systems and networks. A recent exploitation technique, called Return-Oriented Programming (ROP), has lately attracted considerable attention from academia. Past research on the topic has mostly focused on refining the original attack technique, or on proposing partial solutions that target only particular variants of the attack.
In this paper, we present G-Free, a compiler-based approach that represents the first practical solution against any possible form of ROP. Our solution is able to eliminate all unaligned free-branch instructions inside a binary executable, and to protect the aligned free-branch instructions to prevent them from being misused by an attacker. We developed a prototype based on our approach, and evaluated it by compiling GNU libc and a number of real-world applications. The results of the experiments show that our solution is able to prevent any form of return-oriented programming.
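As an added illustration of the abstract's first mechanism (eliminating unaligned free-branch instructions), not code from the paper or its prototype: a scanner that reports ret-family and indirect call/jmp opcode bytes lying inside other instructions' encodings in a constructed 32-bit x86 stream, followed by one hypothetical G-Free-style rewrite of a mov-immediate that hides such a byte. The mask-selection scheme, the sample instruction stream and the helper names are my own constructions; the paper's actual transformations and its protection of aligned free branches are not reproduced here.

```python
# Added illustration (not the paper's code): scan a 32-bit x86 instruction stream for
# unaligned free-branch bytes, then a constructed G-Free-style rewrite that removes one.
RET_OPCODES = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCA: "retf imm16"}

def find_unaligned_free_branches(instrs):
    """instrs: list of (mnemonic, encoding). Returns (offset, kind) for each ret-family
    opcode or indirect call/jmp (FF /2, FF /4) that does not start at an instruction
    boundary, i.e. one reachable only by decoding out of alignment."""
    stream = b"".join(enc for _, enc in instrs)
    boundaries, off, hits = set(), 0, []
    for _, enc in instrs:
        boundaries.add(off)
        off += len(enc)
    for i, b in enumerate(stream):
        if i in boundaries:      # aligned free branches are intended instructions
            continue
        if b in RET_OPCODES:
            hits.append((i, RET_OPCODES[b]))
        elif b == 0xFF and i + 1 < len(stream) and (stream[i + 1] >> 3) & 7 in (2, 4):
            hits.append((i, "indirect call/jmp"))
    return hits

def has_free_branch_byte(bs):  # conservative: any 0xFF is rejected, whatever follows
    return any(b in RET_OPCODES or b == 0xFF for b in bs)

def rewrite_mov_imm32(enc):
    """Constructed rewrite: 'mov r32, imm32' (B8+r) becomes 'mov r32, imm ^ mask' plus
    'xor r32, mask' (81 /6); the mask is chosen so no emitted byte is a free-branch opcode."""
    assert len(enc) == 5 and 0xB8 <= enc[0] <= 0xBF
    reg, imm = enc[0] - 0xB8, int.from_bytes(enc[1:], "little")
    for k in range(1, 256):  # at most 25 of the 255 candidate masks are excluded
        mask = k * 0x01010101
        a, m = (imm ^ mask).to_bytes(4, "little"), mask.to_bytes(4, "little")
        if not has_free_branch_byte(a + m):
            return [(f"mov r{reg}, imm^mask", bytes([0xB8 + reg]) + a),
                    (f"xor r{reg}, mask", bytes([0x81, 0xF0 + reg]) + m)]
    raise ValueError("no mask found")

def harden(instrs):  # rewrite every mov-imm32 whose immediate carries a free-branch byte
    out = []
    for mnem, enc in instrs:
        bad = len(enc) == 5 and 0xB8 <= enc[0] <= 0xBF and has_free_branch_byte(enc[1:])
        out.extend(rewrite_mov_imm32(enc) if bad else [(mnem, enc)])
    return out

SAMPLE = [  # constructed stream: the immediate of 'mov eax, 0xC3' hides a ret byte
    ("push ebp", bytes([0x55])), ("mov ebp, esp", bytes([0x89, 0xE5])),
    ("mov eax, 0xC3", bytes([0xB8, 0xC3, 0x00, 0x00, 0x00])),
    ("pop ebp", bytes([0x5D])), ("ret", bytes([0xC3])),  # aligned ret: not reported
]
```

Running `find_unaligned_free_branches(SAMPLE)` reports the hidden `ret` at stream offset 4 and nothing after `harden(SAMPLE)`, while the register still receives the original value.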


    Published In

    ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference
    December 2010
    419 pages
    ISBN: 9781450301336
    DOI: 10.1145/1920261
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    • ACSA: Applied Computing Security Assoc

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. ROP
    2. return-oriented programming
    3. return-to-libc

    Qualifiers

    • Research-article

    Conference

    ACSAC '10
    Sponsor:
    • ACSA

    Acceptance Rates

    Overall Acceptance Rate 104 of 497 submissions, 21%
