Abstract
We introduce return-oriented programming, a technique by which an attacker can induce arbitrary behavior in a program whose control flow he has diverted, without injecting any code. A return-oriented program chains together short instruction sequences already present in a program’s address space, each of which ends in a “return” instruction.
Return-oriented programming defeats the W⊕X protections recently deployed by Microsoft, Intel, and AMD; in this context, it can be seen as a generalization of traditional return-into-libc attacks. But the threat is more general. Return-oriented programming is readily exploitable on multiple architectures and systems. It also bypasses an entire category of security measures: those that seek to prevent malicious computation by preventing the execution of malicious code.
To demonstrate the wide applicability of return-oriented programming, we construct a Turing-complete set of building blocks called gadgets using the standard C libraries of two very different architectures: Linux/x86 and Solaris/SPARC. To demonstrate the power of return-oriented programming, we present a high-level, general-purpose language for describing return-oriented exploits and a compiler that translates it to gadgets.
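To make the mechanism the abstract describes concrete, here is a small simulation (an added example, not the paper's code or its compiler): a constructed set of four RET-terminated gadgets, a toy "compiler" that emits a chain computing a sum from addresses and data alone, and a shadow-stack check of the kind control-flow-integrity defenses use, which flags the chain because its returns were never matched by calls. The gadget addresses, the HALT sentinel and the instruction encoding are all constructed for this illustration.

```python
# Toy model of the mechanism in the abstract: a return-oriented "program" is
# a list of addresses (plus data) on the stack; each gadget is a short
# instruction sequence ending in RET, and every RET pops the next gadget
# address. Added illustration, not the paper's code: the gadget set, the
# "compiler", and the shadow-stack check are all constructed for this example.

# Constructed code region (address -> instruction sequence). Only these
# instructions are executable; the stack holds addresses and data, never code,
# which is why a non-executable stack (W^X) does not stop the computation.
CODE = {
    0x1000: [("pop", "eax"), ("ret",)],         # pop eax ; ret
    0x1010: [("pop", "ebx"), ("ret",)],         # pop ebx ; ret
    0x1020: [("add", "eax", "ebx"), ("ret",)],  # add eax, ebx ; ret
    0x1030: [("out", "eax"), ("ret",)],         # "output" eax ; ret
}
HALT = 0xDEAD  # constructed sentinel standing in for a final, benign target

def compile_add(a, b):
    """Tiny 'compiler' in the spirit of the abstract: turn a + b into a gadget
    chain. Each gadget address is followed by the data its POP consumes."""
    return [0x1000, a, 0x1010, b, 0x1020, 0x1030, HALT]

def run(stack, enforce_shadow_stack=False):
    """Execute a chain starting at stack[0], the value a corrupted saved return
    address now holds. Returns (output_value, cfi_violations)."""
    regs, esp, out = {"eax": 0, "ebx": 0}, 0, None
    shadow = []  # a legitimate CALL would push here; a ROP chain never does
    pc, esp = stack[esp], esp + 1  # the hijacked RET consumes the first address
    while pc != HALT:
        if enforce_shadow_stack and (not shadow or shadow[-1] != pc):
            # RET target was never pushed by a matching CALL: CFI violation,
            # so execution stops before the first gadget runs
            return out, 1
        for op in CODE[pc]:
            if op[0] == "pop":
                regs[op[1]], esp = stack[esp], esp + 1
            elif op[0] == "add":
                regs[op[1]] = (regs[op[1]] + regs[op[2]]) & 0xFFFFFFFF
            elif op[0] == "out":
                out = regs[op[1]]
            elif op[0] == "ret":
                pc, esp = stack[esp], esp + 1  # RET = dispatch to next gadget
    return out, 0

if __name__ == "__main__":
    chain = compile_add(40, 2)
    print(run(chain))                             # (42, 0): computed with no injected code
    print(run(chain, enforce_shadow_stack=True))  # (None, 1): first diverted RET is caught
```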
Supplemental Material
The proof is given in an electronic appendix, available online in the ACM Digital Library.