DOI: 10.1145/1455770.1455776

When good instructions go bad: generalizing return-oriented programming to RISC

Published: 27 October 2008

Abstract

This paper reconsiders the threat posed by Shacham's "return-oriented programming" -- a technique by which W-xor-X-style hardware protections are evaded via carefully crafted stack frames that divert control flow into the middle of existing variable-length x86 instructions -- creating short new instruction streams that then return. We believe this attack is both more general and a greater threat than the author appreciated. In fact, the vulnerability is not limited to the x86 architecture or any particular operating system, is readily exploitable, and bypasses an entire category of malware protections. In this paper we demonstrate general return-oriented programming on the SPARC, a fixed-instruction-length RISC architecture with structured control flow. We construct a Turing-complete library of code gadgets using snippets of the Solaris libc, a general-purpose programming language, and a compiler for constructing return-oriented exploits. Finally, we argue that the threat posed by return-oriented programming, across all architectures and systems, has negative implications for an entire class of security mechanisms: those that seek to prevent malicious computation by preventing the execution of malicious code.



    Published In

    CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
    October 2008, 590 pages
    ISBN: 9781595938107
    DOI: 10.1145/1455770
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. RISC
    2. SPARC
    3. return-into-libc
    4. return-oriented programming

    Qualifiers

    • Research-article

    Conference

    CCS08

    Acceptance Rates

    CCS '08 Paper Acceptance Rate 51 of 280 submissions, 18%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


    Article Metrics

    • Downloads (Last 12 months): 70
    • Downloads (Last 6 weeks): 9
    Reflects downloads up to 10 Nov 2024

    Cited By

    • (2024) Beyond the Edges of Kernel Control-Flow Hijacking Protection with HEK-CFI. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pages 1214-1230. DOI: 10.1145/3634737.3661135. Online publication date: 1 Jul 2024.
    • (2024) An In-Depth Analysis of the Code-Reuse Gadgets Introduced by Software Obfuscation. Applied Cryptography and Network Security, pages 217-240. DOI: 10.1007/978-3-031-54776-8_9. Online publication date: 29 Feb 2024.
    • (2023) Governança e Performance em Gestão de Projetos. Revista de Gestão e Secretariado (Management and Administrative Professional Review) 14(3), pages 3836-3858. DOI: 10.7769/gesec.v14i3.1853. Online publication date: 22 Mar 2023.
    • (2023) HashTag. Proceedings of the 32nd USENIX Conference on Security Symposium, pages 2797-2814. DOI: 10.5555/3620237.3620394. Online publication date: 9 Aug 2023.
    • (2023) DOPE: DOmain Protection Enforcement with PKS. Proceedings of the 39th Annual Computer Security Applications Conference, pages 662-676. DOI: 10.1145/3627106.3627113. Online publication date: 4 Dec 2023.
    • (2023) Raft: Hardware-assisted Dynamic Information Flow Tracking for Runtime Protection on RISC-V. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pages 595-608. DOI: 10.1145/3607199.3607246. Online publication date: 16 Oct 2023.
    • (2023) TypeSqueezer: When Static Recovery of Function Signatures for Binary Executables Meets Dynamic Analysis. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pages 2725-2739. DOI: 10.1145/3576915.3623214. Online publication date: 15 Nov 2023.
    • (2023) Whole-Program Control-Flow Path Attestation. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pages 2680-2694. DOI: 10.1145/3576915.3616687. Online publication date: 15 Nov 2023.
    • (2023) Window Canaries: Re-Thinking Stack Canaries for Architectures With Register Windows. IEEE Transactions on Dependable and Secure Computing 20(6), pages 4637-4647. DOI: 10.1109/TDSC.2022.3230748. Online publication date: Nov 2023.
    • (2023) TAICHI: Transform Your Secret Exploits Into Mine From a Victim's Perspective. IEEE Transactions on Dependable and Secure Computing 20(6), pages 5278-5292. DOI: 10.1109/TDSC.2022.3191693. Online publication date: Nov 2023.
