When good instructions go bad: generalizing return-oriented programming to RISC
Source
Conference on Computer and Communications Security archive
Proceedings of the 15th ACM conference on Computer and communications security
Alexandria, Virginia, USA
SESSION: Attacks 1
Pages 27-38
Year of Publication: 2008
ISBN: 978-1-59593-810-7
Authors
Erik Buchanan  University of California, San Diego, La Jolla, CA, USA
Ryan Roemer  University of California, San Diego, La Jolla, CA, USA
Hovav Shacham  University of California, San Diego, La Jolla, CA, USA
Stefan Savage  University of California, San Diego, La Jolla, CA, USA
Sponsors
ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 32,   Downloads (12 Months): 257,   Citation Count: 1
DOI: http://doi.acm.org/10.1145/1455770.1455776

ABSTRACT

This paper reconsiders the threat posed by Shacham's "return-oriented programming" -- a technique by which W-xor-X-style hardware protections are evaded via carefully crafted stack frames that divert control flow into the middle of existing variable-length x86 instructions -- creating short new instruction streams that then return. We believe this attack is both more general and a greater threat than the author appreciated. In fact, the vulnerability is not limited to the x86 architecture or any particular operating system, is readily exploitable, and bypasses an entire category of malware protections. In this paper we demonstrate general return-oriented programming on the SPARC, a fixed-instruction-length RISC architecture with structured control flow. We construct a Turing-complete library of code gadgets using snippets of the Solaris libc, a general-purpose programming language, and a compiler for constructing return-oriented exploits. Finally, we argue that the threat posed by return-oriented programming, across all architectures and systems, has negative implications for an entire class of security mechanisms: those that seek to prevent malicious computation by preventing the execution of malicious code.


