
Return-Oriented Programming: Systems, Languages, and Applications

Published: 01 March 2012

    Abstract

    We introduce return-oriented programming, a technique by which an attacker can induce arbitrary behavior in a program whose control flow he has diverted, without injecting any code. A return-oriented program chains together short instruction sequences already present in a program’s address space, each of which ends in a “return” instruction.
    Return-oriented programming defeats the W⊕X protections recently deployed by Microsoft, Intel, and AMD; in this context, it can be seen as a generalization of traditional return-into-libc attacks. But the threat is more general. Return-oriented programming is readily exploitable on multiple architectures and systems. It also bypasses an entire category of security measures---those that seek to prevent malicious computation by preventing the execution of malicious code.
    To demonstrate the wide applicability of return-oriented programming, we construct a Turing-complete set of building blocks called gadgets using the standard C libraries of two very different architectures: Linux/x86 and Solaris/SPARC. To demonstrate the power of return-oriented programming, we present a high-level, general-purpose language for describing return-oriented exploits and a compiler that translates it to gadgets.

    Supplementary Material

    PDF File (a2-roemer_appendix.pdf)
    The proof is given in an electronic appendix, available online in the ACM Digital Library.



      Published In

      ACM Transactions on Information and System Security, Volume 15, Issue 1
      Special Issue on Computer and Communications Security
      March 2012, 126 pages
      ISSN: 1094-9224
      EISSN: 1557-7406
      DOI: 10.1145/2133375

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 01 March 2012
      Accepted: 01 June 2011
      Revised: 01 April 2011
      Received: 01 February 2009
      Published in TISSEC Volume 15, Issue 1


      Author Tags

      1. NX
      2. RISC
      3. Return-oriented programming
      4. SPARC
      5. W-xor-X
      6. attacks
      7. control flow integrity
      8. memory safety
      9. return-into-libc
      10. x86

      Qualifiers

      • Research-article
      • Research
      • Refereed

      Article Metrics

      • Downloads (last 12 months): 248
      • Downloads (last 6 weeks): 12
      Reflects downloads up to 26 Jul 2024

      Cited By

      • (2024) CFIEE: An Open-Source Critical Metadata Extraction Tool for RISC-V Hardware-Based CFI Schemes. Electronics 13:9 (1681). DOI: 10.3390/electronics13091681. Online publication date: 26 Apr 2024.
      • (2024) DSLR–: A low-overhead data structure layout randomization for defending data-oriented programming. Journal of Computer Security 32:3 (221-246). DOI: 10.3233/JCS-230053. Online publication date: 17 Jun 2024.
      • (2024) SmartNIC Security Isolation in the Cloud with S-NIC. Proceedings of the Nineteenth European Conference on Computer Systems (851-869). DOI: 10.1145/3627703.3650071. Online publication date: 22 Apr 2024.
      • (2024) kCPA: Towards Sensitive Pointer Full Life Cycle Authentication for OS Kernels. IEEE Transactions on Dependable and Secure Computing 21:4 (3768-3784). DOI: 10.1109/TDSC.2023.3334268. Online publication date: Jul 2024.
      • (2024) Exploiting Programmatic Behavior of LLMs: Dual-Use Through Standard Security Attacks. 2024 IEEE Security and Privacy Workshops (SPW) (132-143). DOI: 10.1109/SPW63631.2024.00018. Online publication date: 23 May 2024.
      • (2024) OmniWasm: Efficient, Granular Fault Isolation and Control-Flow Integrity for Arm Microcontrollers. 2024 IEEE 30th Real-Time and Embedded Technology and Applications Symposium (RTAS) (239-251). DOI: 10.1109/RTAS61025.2024.00027. Online publication date: 13 May 2024.
      • (2024) Memory Integrity Techniques for Memory-Unsafe Languages: A Survey. IEEE Access 12 (43201-43221). DOI: 10.1109/ACCESS.2024.3380478. Online publication date: 2024.
      • (2024) Effects of Removing User-Land Hooks in Endpoint Protection During Attack Experiments. IEEE Access 12 (15820-15844). DOI: 10.1109/ACCESS.2024.3357525. Online publication date: 2024.
      • (2024) Detection, exploitation and mitigation of memory errors. Logic Journal of the IGPL 32:2 (281-292). DOI: 10.1093/jigpal/jzae008. Online publication date: 16 Mar 2024.
      • (2024) Building trust in remote attestation through transparency – a qualitative user study on observable attestation. Behaviour & Information Technology (1-21). DOI: 10.1080/0144929X.2024.2374889. Online publication date: 11 Jul 2024.