Return-oriented rootkit without returns (on the x86)

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 6476 LNCS, Issue , 2010, Pages 340-354

  Chen, Ping ^a   Xing, Xiao ^a   Mao, Bing ^a   Xie, Li ^a  

^a NANJING UNIVERSITY   (China)

Author keywords

[No Author keywords available]

Indexed keywords

INTEGRITY PROTECTION; MEMORY LAYOUT; RETURN-ORIENTED PROGRAMMING;

SECURITY OF DATA; ARTIFICIAL INTELLIGENCE;

COMPUTER SCIENCE; COMPUTERS;

EID: 78650906305     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-17650-0_24     Document Type: Conference Paper

References (36)

1. Felix "fx" lidner. Developments in cisco ios forensics. CONFidence 2.0, http://www.recurity-labs.com/content/pub/FX-Router-Exploitation. pdf
2. The x86 instruction set architecture, http://www.ugrad.cs.ubc.ca/~cs411/ 2009W2/downloads/x86.pdf
3. Abadi, M., Budiu, M., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS), pp. 340-353. ACM, New York (2005)
4. Bovet, D.P., Cesati, M.: Understanding the linux kernel, 3rd edn., p. 85. O'Reilly Media, Inc., Sebastopol (2006)
5. Buchanan, E., Roemer, R., Shacham, H., Savage, S.: When good instructions go bad: generalizing return-oriented programming to risc. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 27-38. ACM, New York (2008)
6. Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: 17th ACM Conference on Computer and Communications Security (2010)
7. Checkoway, S., Feldman, A.J., Kantor, B., Halderman, J.A., Felten, E.W., Shacham, H.: Can dres provide long-lasting security? the case of return-oriented programming and the avc advantage. In: Proceedings of EVT/WOTE 2009. USENIX/ACCURATE/IAVoSS (2009)
8. Chen, P., Xiao, H., Shen, X., Yin, X., Mao, B., Xie, L.: Drop: Detecting return-oriented programming malicious code. In: Prakash, A., Sen Gupta, I. (eds.) ICISS 2009. LNCS, vol. 5905, pp. 163-177. Springer, Heidelberg (2009)
9. Corporation, I.: Ia-32 intel architecture software developers manual. Instruction set reference, vol. 2 (2006)
10. Dalton, M., Kannan, H., Kozyrakis, C.: Real-world buffer overflow protection for userspace & kernelspace. In: Proceedings of the 17th Conference on Security Symposium, SS 2008, pp. 395-410. USENIX Association, Berkeley (2008)
11. Davi, L., Sadeghi, A.R., Winandy, M.: Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks. In: Proceedings of the 2009 ACM Workshop on Scalable Trusted Computing, pp. 49-54 (2009)
12. Davi, L., Sadeghi, A.R., Winandy, M.: Ropdefender: A detection tool to defend against return-oriented programming attacks. Technical Report HGI-TR-2010-001 (2010), http://www.trust.rub.de/home/-publications/LuSaWi10/
13. Francillon, A., Perito, D., Castelluccia, C.: Defending embedded systems against control flow attacks. In: Proceedings of the First ACM Workshop on Secure Execution of Untrusted Code, SecuCode 2009, pp. 19-26. ACM, New York (2009)
14. Francillon, A., Castelluccia, C.: Code injection attacks on harvard-architecture devices. In: Syverson, P., Jha, S. (eds.) Proceedings of CCS 2008, pp. 15-26 (2008)
15. Frantzen, M., Shuey, M.: Stackghost: Hardware facilitated stack protection. In: Proceedings of USENIX Security 2001, pp. 55-65 (2001)
16. Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proc. Network and Distributed Systems Security Symposium (February 2003)
17. Grizzard, J.: Towards self-healing systems:re-establishing trust in compromised systems. In: PhD thesis. Georgia Institute of Technology (2006)
18. Hund, R., Holz, T., Freiling, F.C.: Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In: Proceedings of 18th USENIX Security Symposium, San Jose, CA, USA (2009)
19. Kornau, T.: Return oriented programming for the arm architecture. Master's thesis, Ruhr-Universitat Bochum (2010), http://zynamics.com/downloads/ kornau-tim-diplomarbeit-rop.pdf
20. Krahmer, S.: X86-64 buffer overflow exploits and the borrowed code chunks exploitation technique. Phrack Magazine (2005), http://www.suse.de/krahmer/no- nx.pdf
21. Li, J., Wang, Z., Jiang, X., Grace, M., Bahram, S.: Defeating return-oriented rootkits with 'return-less' kernels. In: Proceedings of the 5th ACMSIGOPS EuroSys Conference, EuroSys 2010 (2010)
22. McDonald, J.: Defeating solaris/sparc non-executable stack protection. Bugtraq (1999)
23. Microsoft: Digital signatures for kernel modules on systems running windows vista (2007), http://download.microsoft.com/download/9/c/5/9c5b2167- 8017-4bae-9fde-d599bac8184a/kmsigning.doc
24. Microsoft: A detailed description of the data execution prevention (dep) feature in windows xp service pack 2 (2008), http://support.microsoft.com/kb/ 875352
25. Mueller, U.: Brainfuck: An eight-instruction turing-complete programming language, http://www.muppetlabs.com/~breadbox/bf/
26. Nergal: The advanced return-into-lib(c) exploits (pax case study). Phrack Magazine (2001), http://www.phrack.org/archives/58/p58-0x04
27. noir: Smashing the kernel stack for fun and profit. Phrack Magazine (2006), http://www.phrack.com/issues.html?issue=60&id=6
28. Petroni, N., Hicks, M.: Automated detection of persistent kernel control-flow attacks. In: Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), pp. 103-115. ACM, New York (2007)
29. Riley, R., Jiang, X., Xu, D.: Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 1-20. Springer, Heidelberg (2008)
30. Seshadri, A., Luk, M., Qu, N., Perrig, A.: Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In: Proceedings of Twenty-First ACM SIGOPS Symposium on Operating Systems Principles, pp. 335-350. ACM, New York (2007)
31. Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), pp. 552-561. ACM, New York (2007)
32. Team, P.: Documentation for the pax project overall description (2008), http://pax.grsecurity.net/docs/pax.txt
33. Turing, A.M.: On computable numbers, with an application to the entscheidungsproblem. Proc. London Math. Soc., 230-265 (1936)
34. Bletsch, T., Jiang, X., Freeh, V.: Jump-oriented programming: A new class of code-reuse attack. Technical Report TR-2010-8 (2010)
35. Viro, A.: Linux kernel sendmsg() local buffer overflow vulnerability (2005), http://www.securityfocus.com/bid/14785
36. Wikipedia: Exec shield, http://en.wikipedia.org/wiki/Exec-Shield