Microgadgets: Size does matter in turing-complete return-oriented programming

6th USENIX Workshop on Offensive Technologies, WOOT 2012

Volumn , Issue , 2012, Pages

  Homescu, Andrei ^a   Stewart, Michael ^a   Larsen, Per ^a   Brunthaler, Stefan ^a   Franz, Michael ^a  

^a Irvine   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER OPERATING SYSTEMS; SEMANTICS;

BYTE-SEQUENCES; LINUX DISTRIBUTIONS; RETURN-ORIENTED PROGRAMMING; SEMANTIC ANALYSIS; TURING COMPLETENESS; TURING-COMPLETE;

SCANNING;

EID: 85084161742     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (19)

1. Metasploit Project, 2010. http://www.metasploit.com/ (April 2011).
2. BLETSCH, T., JIANG, X., FREEH, V. W., AND LIANG, Z. Jump-oriented programming: a new class of code-reuse attack. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (New York, NY, USA, 2011), ASIACCS’11, ACM, pp. 30–40.
3. BUCHANAN, E., ROEMER, R., SHACHAM, H., AND SAVAGE, S. When good instructions go bad: generalizing return-oriented programming to RISC. In Proceedings of the 15th ACM Conference on Computer and Communications Security (2008), ACM, pp. 27–38.
4. CHECKOWAY, S., DAVI, L., DMITRIENKO, A., SADEGHI, A., SHACHAM, H., AND WINANDY, M. Return-oriented programming without returns. In Proceedings of the 17th ACM Conference on Computer and Communications Security (2010), ACM Press, pp. 559–72.
5. DAVI, L., DMITRIENKO, A., SADEGHI, A., AND WINANDY, M. Return-oriented programming without returns on ARM. Tech. rep., System Security Lab, Ruhr University Bochum, Germany, 2010.
6. DULLIEN, T., KORNAU, T., AND WEINMANN, R. A framework for automated architecture-independent gadget search. In Proceedings of the 4th USENIX conference on Offensive technologies (Berkeley, CA, USA, 2010), WOOT’10, USENIX Association, pp. 1–.
7. HUND, R., HOLZ, T., AND FREILING, F. Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In Proceedings of the 18th USENIX Security Symposium (Berkeley, CA, USA, 2009), USENIX Association, pp. 383–398.
8. KORNAU, T. Return-oriented programming for the ARM architecture. Master’s thesis, Ruhr University Bochum, Germany, 2009.
9. ~krahmer/no-nx.pdf (February 2012).
10. LI, J., WANG, Z., JIANG, X., GRACE, M., AND BAHRAM, S. Defeating Return-oriented Rootkits with”Return-Less” Kernels. In Proceedings of the 5th European Conference on Computer Systems (New York, NY, USA, 2010), EuroSys’10, ACM, pp. 195–208.
11. MAVADDAT, F., AND PARHAMI, B. URISC: the Ultimate Reduced Instruction Set Computer. Research report. Fac. of Mathematics, Univ., 1987.
12. MOSER, J. Debian SbD: Position independent executables. http://d-sbd.alioth.debian.org/www/?page=pax_pie (February 2012).
13. PHP socket connect() stack buffer overflow, 2011. (CVE-2011-1938).
14. SCHWARTZ, E. J., AVGERINOS, T., AND BRUMLEY, D. Q: Exploit Hardening Made Easy. In Proceedings of the 20th USENIX Security Symposium (2011), USENIX Association.
15. SHACHAM, H. The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). In Proceedings of the 14th ACM Conference on Computer and Communications Security (2007), ACM Press, pp. 552–561.
16. SOLAR DESIGNER. Getting around non-executable stack (and fix), 1997. Bugtraq mailing list, http://www.securityfocus.com/archive/1/7480 (April 2011).
17. SOLE, P. Hanging on a ROPe. In ekoParty Security Conference (2010). http://www.immunitysec.com/downloads/DEPLIB20_ekoparty.pdf.
18. TRAN, M., ETHERIDGE, M., BLETSCH, T., JIANG, X., FREEH, V. W., AND NING, P. On the Expressiveness of Return-into-libc Attacks. In Proceedings of the 14th Interntional Symposium on Recent Advances in Intrusion Detection (2011). To appear.
19. ZOVI, D. Practical ROP, 2010. http://www.trailofbits.com/resources/practical_rop_ slides.pdf.