Journal Article
Return-Oriented Programming: Systems, Languages, and Applications
Ryan Glenn Roemer, Erik Buchanan, Hovav Shacham, Stefan Savage
Vol. 15, Iss. 1, pp. 2
TLDR
This work presents a high-level, general-purpose language for describing return-oriented exploits and a compiler that translates it to gadgets, and constructs a Turing-complete set of building blocks called gadgets using the standard C libraries of two very different architectures.
Abstract
We introduce return-oriented programming, a technique by which an attacker can induce arbitrary behavior in a program whose control flow he has diverted, without injecting any code. A return-oriented program chains together short instruction sequences already present in a program's address space, each of which ends in a "return" instruction. Return-oriented programming defeats the W⊕X protections recently deployed by Microsoft, Intel, and AMD; in this context, it can be seen as a generalization of traditional return-into-libc attacks. But the threat is more general. Return-oriented programming is readily exploitable on multiple architectures and systems. It also bypasses an entire category of security measures: those that seek to prevent malicious computation by preventing the execution of malicious code. To demonstrate the wide applicability of return-oriented programming, we construct a Turing-complete set of building blocks called gadgets using the standard C libraries of two very different architectures: Linux/x86 and Solaris/SPARC. To demonstrate the power of return-oriented programming, we present a high-level, general-purpose language for describing return-oriented exploits and a compiler that translates it to gadgets.
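The gadgets the abstract refers to are located by scanning a code section for return instructions and walking backwards from each one to see which byte sequences decode into a short instruction sequence that ends at that ret. The following is an added example, not code from the paper or its authors: a toy gadget scanner in C that performs that search over a constructed byte blob. The blob, its offsets, and the handful of opcodes the decoder recognizes (pop r32, nop, add esp, imm8, ret) are assumptions made for illustration; a real scan runs a full x86 decoder over the .text of libc. The example shows why such sequences need not have been emitted by the compiler: the bytes 5b c3 inside the immediate of mov eax, 0xc35b decode as pop ebx; ret when entered at offset 4.

```c
/* Added example: toy x86 gadget scanner (not the paper's own tooling).
 * It finds ret-terminated instruction sequences in a constructed byte blob
 * by walking backwards from every 0xC3 byte. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample "code section"; bytes and offsets are made up for
 * illustration and are not taken from any real library. */
static const uint8_t code[] = {
    0x55,                          /*  0: push ebp                          */
    0x89, 0xe5,                    /*  1: mov ebp, esp                      */
    0xb8, 0x5b, 0xc3, 0x00, 0x00,  /*  3: mov eax, 0xc35b (bytes 4-5 hide   */
                                   /*     an unintended "pop ebx; ret")     */
    0x5d,                          /*  8: pop ebp                           */
    0xc3,                          /*  9: ret                               */
    0x58,                          /* 10: pop eax                           */
    0x5a,                          /* 11: pop edx                           */
    0xc3,                          /* 12: ret                               */
    0x83, 0xc4, 0x08,              /* 13: add esp, 8                        */
    0xc3,                          /* 16: ret                               */
};

static const char *reg32[8] = {"eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"};

/* Length of the instruction at p for the few opcodes this toy decoder knows;
 * 0 means "unknown byte, cannot be part of a gadget". */
static size_t insn_len(const uint8_t *p, size_t avail)
{
    if (avail == 0) return 0;
    if (p[0] == 0xC3 || p[0] == 0x90) return 1;                /* ret, nop      */
    if (p[0] >= 0x58 && p[0] <= 0x5F) return 1;                /* pop r32       */
    if (p[0] == 0x83 && avail >= 3 && p[1] == 0xC4) return 3;  /* add esp, imm8 */
    return 0;
}

/* Does decoding forward from `start` land exactly on the ret at `ret_off`
 * without hitting an unknown byte or an earlier ret? */
static int decodes_to_ret(const uint8_t *buf, size_t start, size_t ret_off)
{
    size_t pos = start;
    while (pos < ret_off) {
        size_t len = insn_len(buf + pos, ret_off - pos + 1);
        if (len == 0 || buf[pos] == 0xC3) return 0;
        pos += len;
    }
    return pos == ret_off;
}

/* For every ret in buf[0..n), try each start up to max_back bytes before it.
 * Gadget start offsets go into starts[]; the number found is returned. */
size_t find_gadgets(const uint8_t *buf, size_t n, size_t max_back,
                    size_t *starts, size_t cap)
{
    size_t found = 0;
    for (size_t r = 0; r < n; r++) {
        if (buf[r] != 0xC3) continue;
        size_t lo = r > max_back ? r - max_back : 0;
        for (size_t s = lo; s < r && found < cap; s++)
            if (decodes_to_ret(buf, s, r)) starts[found++] = s;
    }
    return found;
}

/* Render the gadget at `start` as text, e.g. "pop eax ; pop edx ; ret". */
void format_gadget(const uint8_t *buf, size_t n, size_t start, char *out, size_t cap)
{
    size_t pos = start, used = 0;
    out[0] = '\0';
    while (pos < n && used < cap) {
        const uint8_t *p = buf + pos;
        size_t len = insn_len(p, n - pos);
        char piece[32];
        if (len == 0) break;                       /* not a decodable gadget */
        if (p[0] == 0xC3)      snprintf(piece, sizeof piece, "ret");
        else if (p[0] == 0x90) snprintf(piece, sizeof piece, "nop");
        else if (p[0] >= 0x58 && p[0] <= 0x5F)
            snprintf(piece, sizeof piece, "pop %s", reg32[p[0] - 0x58]);
        else                   /* len == 3: add esp, imm8 */
            snprintf(piece, sizeof piece, "add esp, 0x%x", (unsigned)p[2]);
        used += (size_t)snprintf(out + used, cap - used, "%s%s", used ? " ; " : "", piece);
        if (p[0] == 0xC3) break;
        pos += len;
    }
}

int main(void)
{
    size_t starts[16];
    size_t count = find_gadgets(code, sizeof code, 8, starts, 16);
    for (size_t i = 0; i < count; i++) {
        char text[64];
        format_gadget(code, sizeof code, starts[i], text, sizeof text);
        printf("offset %2zu: %s\n", starts[i], text);
    }
    return 0;
}
```

Run against the constructed blob, the scanner reports five gadgets: the unintended pop ebx ; ret at offset 4, the intended pop ebp ; ret at 8, both pop eax ; pop edx ; ret (10) and pop edx ; ret (11) for the same ret at 12, and add esp, 0x8 ; ret at 13. A production scanner differs in scope, not in shape: it decodes every x86 instruction rather than five, and it also hunts for sequences that merely behave like a return (the point of the "Return-oriented programming without returns" paper cited below), which this toy ignores.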
Citations
Proceedings Article
SoK: Eternal War in Memory
TL;DR: This paper systematizes current knowledge about memory-corruption protection techniques by setting up a general model for memory corruption attacks, shows which policies can stop which attacks, and analyzes why protection mechanisms implementing stricter policies are not deployed.
Proceedings Article
Return-oriented programming without returns
Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy
TL;DR: It is shown that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions, and these attacks instead make use of certain instruction sequences that behave like a return.
Proceedings Article
Code-pointer integrity
TL;DR: This paper describes code-pointer integrity (CPI), a new design point that guarantees the integrity of all code pointers in a program and thereby prevents all control-flow hijack attacks that exploit memory corruption errors, including attacks that bypass control-flow integrity mechanisms, such as control-flow bending.
Proceedings Article
Enforcing forward-edge control-flow integrity in GCC & LLVM
Caroline Tice, Tom Roeder, Peter Collingbourne, Stephen Checkoway, Úlfar Erlingsson, Luis Lozano, Geoff Pike
TL;DR: This paper presents fine-grained, forward-edge CFI enforcement and analysis for GCC and LLVM, and evaluates the security, performance, and resource consumption of these mechanisms on the SPEC CPU2006 benchmarks and common benchmarks for the Chromium web browser.
Proceedings Article
Hacking Blind
TL;DR: This work implemented Braille, a fully automated exploit that yielded a shell in under 4,000 requests (20 minutes) against a contemporary nginx vulnerability, yaSSL + MySQL, and a toy proprietary server written by a colleague.
References
Proceedings Article
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
James Newsome, Dawn Song
TL;DR: TaintCheck performs dynamic taint analysis by binary rewriting at run time; it reliably detects most types of exploits and produced no false positives on any of the many programs tested.
Proceedings Article
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
Crispin Cowan, Calton Pu, Dave Maier, Heather Hintony, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang
TL;DR: StackGuard is described: a simple compiler technique that virtually eliminates buffer overflow vulnerabilities with only modest performance penalties, and a set of variations on the technique that trade-off between penetration resistance and performance.
Proceedings Article
The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)
TL;DR: A return-into-libc attack to be mounted on x86 executables that calls no functions at all is presented, and how to discover such instruction sequences by means of static analysis is shown.
Proceedings Article
On the effectiveness of address-space randomization
TL;DR: A derandomization attack is demonstrated that converts any standard buffer-overflow exploit into one that works against systems protected by address-space randomization; the authors conclude that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed.