Return-oriented programming: Systems, languages, and applications

ACM Transactions on Information and System Security

Volumn 15, Issue 1, 2012, Pages

  Roemer, Ryan ^a   Buchanan, Erik ^a,b   Shacham, Hovav ^a,b   Savage, Stefan ^a,b  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Algorithms; Security

Indexed keywords

ADDRESS SPACE; BUILDING BLOCKES; CONTROL FLOWS; MALICIOUS CODES; MICROSOFT; SECURITY; SOLARIS;

ALGORITHMS; COMPUTER SYSTEMS PROGRAMMING;

C (PROGRAMMING LANGUAGE);

EID: 84859457954     PISSN: 10949224     EISSN: 15577406     Source Type: Journal    
DOI: 10.1145/2133375.2133377     Document Type: Conference Paper

References (66)

1. ABADI, M., BUDIU, M., ERLINGSSON, U., AND LIGATTI, J. 2009. Control-flow integrity principles, implementations, and applications. ACM Trans. Info. Syst. Secur. 13, 1.
2. ALEPH ONE. 1996. Smashing the stack for fun and profit. Phrack Mag. 49, 14. http://www.phrack.org/archives/49/p49-0x0e- Smashing%20The%20Stack%20For%20Fun% 20And%20Profit-by-Aleph1.txt.
3. ANONYMOUS. 2001. Once upon a free(). . . . Phrack Mag. 57, 9. http://www.phrack.org/archives/57/ p57-0x09-Once%20upon%20a%20free()-by- %anonymous%20author.txt.
4. BARRANTES, E. G., ACKLEY, D. H., FORREST, S., AND STEFANOVIĆ, D. 2005. Randomized instruction set emulation. ACM Trans. Info. Syst. Secur. 8, 1, 3-40. (Pubitemid 40479428)
5. BLAZAKIS, D. 2010. Interpreter exploitation. In Proceedings of the USENIX Workshop on Offensive Technologies (WOOT'10). H. Shacham and C. Miller Eds., USENIX.
6. BLEXIM. 2002. Basic integer overflows. Phrack Mag. 60, 10. http://www.phrack.org/archives/60/p60-0x0a-Basic%20Integer%20Overflows-%by- blexim.txt.
7. BUCHANAN, E., ROEMER, R., SHACHAM, H., AND SAVAGE, S. 2008. When good instructions go bad: Generalizing return-oriented programming to RISC. In Proceedings of the ACM Conference on Computer and Communications Security (CCS). P. Syverson and S. Jha Eds., ACM Press, New York, NY, 27-38.
8. BULBA AND KIL3R. 2000. Bypassing StackGuard and StackShield. Phrack Mag. 56, 5. http://www.phrack.org/archives/56/p56-0x05- Bypassing%20StackGuard%20and%20StackShield- by-Kil3r%20&%20Bulba.txt.
9. CHECKOWAY, S., FELDMAN, A. J., KANTOR, B., HALDERMAN, J. A., FELTEN, E. W., AND SHACHAM, H. 2009. Can DREs provide long-lasting security? The case of return-oriented programming and the AVC advantage. In Proceedings of the Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (EVT/WOTE'09). D. Jefferson, J. L. Hall, and T. Moran Eds., USENIX/ACCURATE/ IAVoSS.
10. CHECKOWAY, S., DAVI, L., DMITRIENKO, A., SADEGHI, A.-R., SHACHAM, H., AND WINANDY, M. 2010. Return-oriented programming without returns. In Proceedings of the ACM Conference on Computer and Communications Security (CCS). A. Keromytis and V. Shmatikov Eds., ACM Press, New York, NY, 559-572.
11. CHEN, P., XIAO, H., SHEN, X., YIN, X., MAO, B., AND XIE, L. 2009. DROP: Detecting return-oriented programming malicious code. In Proceedings of the International Conference on Information Systems Security (ICISS'09). A. Prakash and I. Sengupta Eds., Lecture Notes in Computer Science, vol. 5905. Springer-Verlag, 163-177.
12. COWAN, C., PU, C.,MAIER, D., HINTON, H., BAKKE, P., BEATTIE, S., GRIER, A.,WAGLE, P., AND ZHANG, Q. 1998. StackGuard: Automatic detection and prevention of buffer-overflow attacks. In Proceedings of the USENIX Security Symposium. A. Rubin Ed., 63-78.
13. DAI ZOVI, D. 2010. Return-oriented exploitation. Black Hat (Presentation slides). https://media.blackhat.com/bh-us-10/presentations/Zovi/BlackHat-USA- 2010-DaiZovi- Return-Oriented-Exploitation-slides.pdf.
14. DARK SPYRIT. 1999. Win32 buffer overflows (location, exploitation, and prevention). Phrack Mag. 55, 15. http://www.phrack.org/archives/55/p55-0x0f- Win32%20Buffer%20Overflows...-by-dark% 20spyrit.txt.
15. DAVI, L., SADEGHI, A.-R., AND WINANDY, M. 2009. Dynamic integrity measurement and attestation: Towards defense against return-oriented programming attacks. In Proceedings of the Technical Communication Summit. N. Asokan, C. Nita-Rotaru, and J.-P. Seifert Eds., ACM Press, 49-54.
16. DAVI, L., SADEGHI, A.-R., AND WINANDY, M. 2011. ROPdefender: A detection tool to defend against returnoriented programming attacks. In Proceedings of the ACM Symposium on Information Computer and Communications Security (ASIACCS). R. Sandhu and D. Wong Eds., ACM Press.
17. DULLIEN, T., KORNAU, T., AND WEINMANN, R.-P. 2010. A framework for automated architectureindependent gadget search. In Proceedings of the USENIXWorkshop on Offensive Technologies (WOOT). H. Shacham and C. Miller Eds., USENIX.
18. DURDEN, T. 2002. Bypassing PaX ASLR protection. Phrack Mag. 59, 9. http://www.phrack.org/archives/59/p59-0x09-Bypassing%20PaX%20ASLR%20protection- by-Tyler% 20Durden.txt.
19. ERLINGSSON, U. 2007. Low-level software security: Attacks and defenses. In Foundations of Security Analysis and Design IV, A. Aldini and R. Gorrieri Eds., Lecture Notes in Computer Science, vol. 4677. Springer-Verlag, 92-134.
20. ERLINGSSON, U., ABADI, M., VRABLE, M., BUDIU, M., AND NECULA, G. 2006. XFI: Software guards for system address spaces. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI). B. Bershad and J. Mogul Eds., USENIX, 75-88.
21. ETOH, H. AND YODA, K. 2001. ProPolice: Improved stack-smashing attack detection. IPSJ SIGNotes Comp. Sec. 14, 25. http://www.trl.ibm.com/projects/ security/ssp.
22. FRANCILLON, A. AND CASTELLUCCIA, C. 2008. Code injection attacks on Harvard-architecture devices. In Proceedings of the ACM Conference on Computer and Communications Security (CCS). P. Syverson and S. Jha Eds., ACM Press, 15-26.
23. FRANCILLON, A., PERITO, D., AND CASTELLUCCIA, C. 2009. Defending embedded systems against control flow attacks. In Proceedings of the Workshop on Secure Executions of Untrusted Code (SecuCode). S. Lachmund and C. Schaefer Eds., ACM Press, 19-26.
24. FRANTZEN, M. AND SHUEY, M. 2001. StackGhost: Hardware facilitated stack protection. In Proceedings of the USENIX Security Symposium. D. Wallach Ed., USENIX, 55-66.
25. GARG, M. 2006a. About ELF auxiliary vectors. http://manugarg.googlepages. com/aboutelfauxiliaryvectors.
26. GARG, M. 2006b. Sysenter-based system call mechanism in Linux 2.6. http://manugarg.googlepages.com/systemcallinlinux2-6.html.
27. GERA AND RIQ. 2001. Advances in format string exploiting. Phrack Mag. 59, 7. http://www.phrack.org/archives/59/p59-0x07-Advances%20in%20format%20string% 20exploitation-by-riq%20&%20gera.txt.
28. HEELAN, S. 2010. Validity, satisfiability and code semantics. http://seanhn.wordpress.com/2010/10/02/validity-satisfiability-and-instruction- semantics/.
29. HOROVITZ, O. 2002. Big loop integer protection. Phrack Mag. 60, 9. http://www.phrack.org/archives/60/ p60-0x09-Big%20Loop%20Integer%20Protection- by-Oded%20Horovitz.txt.
30. HUND, R., HOLZ, T., AND FREILING, F. 2009. Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In Proceedings of the USENIX Security Symposium. F. Monrose Ed., USENIX, 383-398.
31. INTEL CORPORATION. 2011. Intel 64 and IA-32 Architectures Software Developer'sManual, Vols. 1-3B. Intel Corporation. http://www.intel.com/products/ processor/manuals/.
32. IOZZO, V. AND MILLER, C. 2009. Fun and games with Mac OS X and iPhone payloads. Black Hat Europe (Presentation slides). http://www.blackhat.com/ presentations/bh-europe-09/ Miller-Iozzo/BlackHat-Europe-2009-Miller-Iozzo-OSX- IPhone-Payloads-whitepaper.pdf.
33. IOZZO, V., KORNAU, T., AND WEINMANN, R.-P. 2010. Everybody be cool this is a roppery! Black Hat. http://www.zynamics.com/downloads/bh10-paper.pdf.
34. IVALDI, M. 2007. Re: Older SPARC return-into-libc exploits. Penetration testing, SECLISTS. ORA.
35. KAEMPF, M. 2001. Vudo malloc tricks. Phrack Mag. 57, 8. http://www.phrack.org/archives/57/p57-0x08-Vudo%20malloc%20tricks-by-MaXX.txt.
36. KLOG. 1999. The frame pointer overwrite. Phrack Mag. 55, 8. http://www.phrack.org/archives/55/p55-0x08-Frame%20Pointer%20Overwriting-by- klog.txt.
37. KORNAU, T. 2010. Return-oriented programming for the ARM architecture. M.S. thesis, Ruhr-Universität Bochum. http://zynamics.com/downloads/kornau- tim-diplomarbeit-rop.pdf.
38. KRAHMER, S. 2005. x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique. http://www.suse.de/~krahmer/no-nx.pdf.
39. LE, L. 2010. Payload already inside: Data re-use for ROP exploits. Black Hat. https://media.blackhat.com/bh-us-10/whitepapers/Le/BlackHat-USA-2010-Le- Paper-Payloadalready- inside-data-reuse-for-ROP-exploits-wp.pdf.
40. LI, J., WANG, Z., JIANG, X., GRACE, M., AND BAHRAM, S. 2010. Defeating return-oriented rootkits with "return-less" kernels. In Proceedings of the EuroSys Conference. G. Muller Ed., ACM Press, 195-208.
41. LIDNER, F. 2009. Developments in Cisco IOS forensics. CONFidence 2.0. (Presentation slides). http://www.recurity-labs.com/content/pub/FX-Router- Exploitation.pdf.
42. MCDONALD, J. 1999. Defeating Solaris/SPARC non-executable stack protection. Bugtraq.
43. MILLER, C. AND IOZZO, V. 2009. Fun and games with Mac OS X and iPhone payloads. Presented at the BlackHat Europe 2009 Conference. https://www. blackhat.com/presentations/bh-europe-09/ Miller-Iozzo/BlackHat-Europe-2009- Miller-Iozzo-OSX-IPhone-Payloads-whitepaper.pdf.
44. NARAINE, R. 2010. Pwn2Own 2010: iPhone hacked, SMS database hijacked. http://blogs.zdnet.com/security/?p=5836.
45. NERGAL. 2001. The advanced return-into-lib(c) exploits: PaX case study. Phrack Mag. 58, 4. http://www.phrack.org/archives/58/p58-0x04-Advanced%20return- into-lib(c)%20exploits% 20(PaX%20case%20study)-by-nergal.txt.
46. NEWSHAM, T. 1997. Re: Smashing the stack: Prevention? Bugtraq. http://seclists.org/bugtraq/1997/Apr/129.
47. NEWSHAM, T. 2000. Non-exec stack. Bugtraq. http://seclists.org/bugtraq/ 2000/May/90.
48. ONARLIOGLU, K., BILGE, L., LANZI, A., BALZAROTTI, D., AND KIRDA, E. 2010. G-Free: Defeating returnoriented programming through gadget-less binaries. In Proceedings of the Annual Computer Security Applications Conferrence (ACSAC'10). M. Franz and J. McDermott Eds., ACM Press, 49-58.
49. PAUL, R. P. 1999. SPARC Architecture, Assembly Language Programming, and C. Prentice Hall PTR, Upper Saddle River, NJ.
50. PAX TEAM. 2003a. PaX address space layout randomization. http://pax.grsecurity.net/docs/aslr.txt.
51. PAX TEAM. 2003b. PaX non-executable pages design & implementation. http://pax.grsecurity.net/docs/noexec.txt.
52. PAX TEAM. 2003c. SEGMEXEC: Segmentation based non-executable pages. http://pax.grsecurity.net/docs/segmexec.txt.
53. RICHARTE, G. 2000. Re: Future of buffer overflows? Bugtraq. http://seclists.org/bugtraq/2000/Nov/32 and http://seclists.org/bugtraq/2000/ Nov/26.
54. RICHARTE, G. 2001. Insecure programming by example: Esoteric #2. http://community.corest.com/~gera/InsecureProgramming/e2.html.
55. ROEMER, R. 2009. Finding the bad in good code: Automated return-oriented programming exploit discovery. M.S. thesis, UC San Diego. https://cseweb.ucsd. edu/~rroemer/doc/thesis.pdf.
56. SANTA CRUZ OPERATION 1996. System V Application Binary Interface: Intel386 Architecture Processor Supplement 4th Ed., The Santa Cruz Operation.
57. SCHWARTZ, E., AVGERINOS, T., AND BRUMLEY, D. 2011. Q: Exploit hardening made easy. In Proceedings of the USENIX Security Symposium, D. Wagner Ed., USENIX.
58. SCUT/TEAM TESO. 2001. Exploiting format string vulnerabilities. http://www.team-teso.net.
59. SHACHAM, H. 2007. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the ACM Conference on Computer and Communications Security (CCS'07). S. D. Capitani and P. Syverson Eds., ACM Press, 552-561.
60. SHACHAM, H., PAGE, M., PFAFF, B., GOH, E.-J.,MODADUGU, N., AND BONEH, D. 2004. On the effectiveness of address-space randomization. In Proceedings of the ACM Conference on Computer and Communications Security (CCS'04). B. Pfitzmann and P. Liu Eds., ACM Press, 298-307. (Pubitemid 40338211)
61. SOLAR DESIGNER. 1997. Getting around non-executable stack (and fix). Bugtraq moving hot.
62. SOLAR DESIGNER. 1998. StackPatch. http://www.openwall.com/linux.
63. SOLAR DESIGNER. 2000. JPEG COM marker processing vulnerability in Netscape browsers. http://www.openwall.com/advisories/OW-002-netscape-jpeg/.
64. SPARC INT. INC. 1996. System V Application Binary Interface, SPARC Processor Supplement. SPARC Inc.
65. WEAVER, D. AND GERMOND, T., Eds. 1994. The SPARC Architecture Manual Version 9. SPARC Int. Inc., Englewood Cliffs, NJ.
66. ZALEWSKI, M. 2001. Remote vulnerability in SSH daemon CRC32 compression attack detector. http://www.bindview.com/Support/RAZOR/Advisories/2001/adv- ssh1crc.cfm.