Return-Oriented Programming

Authors: Ryan Roemer, Erik Buchanan, Hovav Shacham, Stefan Savage

DOI: 10.1145/2133375.2133377

Keywords: Subroutine, Declarative programming, Procedural programming, Computer science, Operating system, Compiler, Memory safety, Control flow analysis, Reactive programming, Extensible programming, Control flow, Programming paradigm

Abstract: We introduce return-oriented programming, a technique by which an attacker can induce arbitrary behavior in a program whose control flow he has diverted, without injecting any code. A return-oriented program chains together short instruction sequences already present in the program's address space, each of which ends in a "return" instruction. Return-oriented programming defeats the W⊕X protections recently deployed by Microsoft, Intel, and AMD; in this context, it can be seen as a generalization of traditional return-into-libc attacks. But the threat is more general. Return-oriented programming is readily exploitable on multiple architectures and systems. It also bypasses an entire category of security measures---those that seek to prevent malicious computation by preventing the execution of malicious code. To demonstrate the wide applicability of return-oriented programming, we construct a Turing-complete set of building blocks called gadgets using the standard C libraries of two very different architectures: Linux/x86 and Solaris/SPARC. To demonstrate the power of return-oriented programming, we present a high-level, general-purpose language for describing return-oriented exploits and a compiler that translates it to gadgets.
