Escape from Return-Oriented Programming: Return-Oriented Programming without Returns (on the x86)

By Stephen Checkoway and Hovav Shacham.

Technical Report CS2010-0954, UC San Diego, Feb. 2010.

Abstract

We show that on the x86 it is possible to mount a return-oriented programming attack without using any return instructions. Our new attack instead makes use of certain instruction sequences that behave like a return; we show that these sequences occur with sufficient frequency in large Linux libraries to allow creation of a Turing-complete gadget set.

Because it does not make use of return instructions, our new attack has negative implications for two recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream, and those that detect violations of the last-in, first-out invariant that is normally maintained for the return-address stack.
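The sequences the abstract refers to are ones that, like `ret`, load the next address from the stack and transfer control to it, but do so without executing a `ret` opcode. The scanner below is an added example, not code from the paper or its authors: it walks a byte buffer at every byte alignment (x86 has no alignment requirement, so unintended sequences inside longer instructions count) and reports both genuine returns (`C3`, `C2 iw`) and one class of return-like sequence, `pop reg ; jmp *reg` (`58+r` followed by `FF E0+r`, same register in both). The opcode encodings are from the Intel manual and hold in 32- and 64-bit mode for the eight legacy registers; choosing `pop reg ; jmp *reg` as the return-like pattern is this example's assumption about one such sequence, not a statement of which sequences the paper's gadget set uses. The sample buffer is constructed for the example.

```python
# Added example: byte-pattern scanner for returns and return-like sequences on x86.
# Not part of the paper; the pop/jmp pattern is this example's own choice.

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_rets(buf: bytes):
    """Offsets of real returns: `ret` (C3) and `ret imm16` (C2 iw).

    Scanned at every byte offset, so a C3 inside a longer instruction's
    operand is reported too (that is exactly what classic ROP exploits).
    """
    hits = []
    for i, b in enumerate(buf):
        if b == 0xC3:
            hits.append((i, "ret"))
        elif b == 0xC2 and i + 2 < len(buf):
            imm = buf[i + 1] | (buf[i + 2] << 8)   # little-endian imm16
            hits.append((i, f"ret ${imm:#x}"))
    return hits


def find_pop_jmp(buf: bytes):
    """Offsets of `pop r ; jmp *r` using the same register r.

    Encoding: pop r32 = 58+r; jmp *r32 = FF /4 with ModRM mod=11, rm=r,
    i.e. FF E0+r.  Like `ret`, the pair pops an address off the stack and
    jumps to it, but no return opcode is executed.
    """
    hits = []
    for i in range(len(buf) - 2):
        r = buf[i] - 0x58
        if 0 <= r <= 7 and buf[i + 1] == 0xFF and buf[i + 2] == 0xE0 + r:
            hits.append((i, f"pop %{REGS[r]} ; jmp *%{REGS[r]}"))
    return hits


def scan(buf: bytes):
    """Both kinds of gadget ending, keyed by type."""
    return {"ret": find_rets(buf), "pop_jmp": find_pop_jmp(buf)}


# Constructed sample (not from any real binary).  Offsets noted per line.
SAMPLE = bytes([
    0x55,                           # 0: push %ebp
    0x89, 0xE5,                     # 1: mov %esp,%ebp
    0x5A, 0xFF, 0xE2,               # 3: pop %edx ; jmp *%edx   (intended sequence)
    0x90,                           # 6: nop
    0xB8, 0x58, 0xFF, 0xE0, 0x00,   # 7: mov $0xe0ff58,%eax  (bytes 8..10 decode
                                    #    as pop %eax ; jmp *%eax when entered at 8)
    0x5D,                           # 12: pop %ebp
    0xC3,                           # 13: ret
    0xC2, 0x08, 0x00,               # 14: ret $8
])


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE).items():
        for off, text in hits:
            print(f"{kind:8s} @ {off:3d}: {text}")
```

In a real library the `pop_jmp` list is what a return-less chain is built from: a detector that counts `ret` opcodes in the instruction stream, or that checks the return-address stack for LIFO violations, never sees these sequences execute. Note the hit at offset 8, which lives inside the immediate of a `mov`; as with classic ROP, unintended decodings are fair game, which is why such sequences are plentiful in large binaries.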

Material

available as UCSD technical report CS2010-0954

full paper, local copy (PDF)

See Also

This paper appeared at ACM CCS 2010 as "Return-Oriented Programming without Returns", merged with a paper by Davi, Dmitrienko, Sadeghi, and Winandy. See the merged version for the final text.

Reference

@TechReport{CS10,
  author      = {Stephen Checkoway and Hovav Shacham},
  title       = {Escape from Return-Oriented Programming: Return-Oriented Programming without Returns (on the x86)},
  institution = {UC San Diego},
  year        = 2010,
  month       = feb,
  number      = {CS2010-0954}
}