Defeating return-oriented rootkits with "Return-Less" kernels

Published: 13 April 2010

Abstract

Targeting the operating system (OS) kernel, kernel rootkits pose a formidable threat to computer systems and their users. Recent efforts have made significant progress in blocking them from injecting malicious code into the OS kernel for execution. Unfortunately, they cannot block the emerging so-called return-oriented rootkits (RORs). Without needing to inject their own malicious code, these rootkits can discover and chain together "return-oriented gadgets" (consisting only of legitimate kernel code) to perform rootkit computation.
In this paper, we propose a compiler-based approach to defeat these return-oriented rootkits. Our approach recognizes the hallmark of return-oriented rootkits, i.e., the ret instruction, and accordingly aims to completely remove it from a running OS kernel. Specifically, one key technique, named return indirection, replaces the return address in a stack frame with a return index, so that a ROR cannot use its own return addresses to locate and assemble return-oriented gadgets. Further, to prevent legitimate instructions that happen to contain return opcodes from being misused, we also propose two other techniques, register allocation and peephole optimization, to avoid introducing them in the first place. We have developed an LLVM-based prototype and used it to generate a return-less FreeBSD kernel. Our evaluation results indicate that the proposed approach is generic, effective, and can be implemented on commodity hardware with a low performance overhead.
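The following is an added example, not the paper's prototype or any FreeBSD code. It simulates the return-indirection idea from the abstract in plain C: the slot a caller writes into the callee's stack frame holds a small index into a compiler-generated table of legitimate return sites rather than a raw code address, and the callee's epilogue resolves that index through the table with a bounds check instead of executing a `ret` on whatever value the slot contains. The table entries, the `frame` struct and the `callee_return`/`call_with_index` functions are all constructed for illustration; the real technique operates on machine code and the table would be emitted by the compiler.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed simulation of "return indirection" (added example, not the
 * paper's code). The caller stores an index, not an address, in the return
 * slot; the callee's epilogue maps that index through a fixed table of
 * legitimate return sites. A slot holding an arbitrary address-sized value
 * resolves to nothing, so it cannot steer control to a chosen gadget.
 */

typedef int (*return_site_fn)(int);

/* Hypothetical legitimate continuations: the code right after two call sites. */
static int continue_after_call_a(int v) { return v + 1; }
static int continue_after_call_b(int v) { return v * 2; }

/* The return-site table a compiler would emit for this (toy) kernel image. */
static const return_site_fn return_site_table[] = {
    continue_after_call_a,   /* return index 0 */
    continue_after_call_b,   /* return index 1 */
};
#define RETURN_SITE_COUNT \
    (sizeof return_site_table / sizeof return_site_table[0])

/* One simulated stack frame: the slot a caller writes before entering the callee. */
struct frame {
    uintptr_t return_slot;   /* a return index under return indirection, never an address */
    int       local;         /* some callee-local state passed to the continuation */
};

/*
 * Simulated callee epilogue. Returns the continuation's result, or -1 when the
 * slot does not name a legitimate return site (an out-of-range index, or a raw
 * code address left behind by a corrupted frame).
 */
int callee_return(const struct frame *f) {
    if (f->return_slot >= RETURN_SITE_COUNT) {
        return -1;   /* rejected: the slot value resolves to no legitimate site */
    }
    return return_site_table[f->return_slot](f->local);
}

/* Caller side: writes a return index into the slot, then runs the callee epilogue. */
int call_with_index(uintptr_t index, int value) {
    struct frame f = { .return_slot = index, .local = value };
    return callee_return(&f);
}

int main(void) {
    printf("index 0 -> %d\n", call_with_index(0, 5));                /* 6 */
    printf("index 1 -> %d\n", call_with_index(1, 5));                /* 10 */
    /* A slot overwritten with an address-sized value cannot be resolved. */
    printf("corrupted slot -> %d\n", call_with_index(0x400000u, 5)); /* -1 */
    return 0;
}
```

The design point the simulation makes is that the index space is closed: only table entries are reachable, so the value an attacker would need to write (a gadget address) has no meaning in the slot. The paper's other two techniques, register allocation and peephole optimization, address the complementary problem of return opcodes that occur inside other instructions' encodings, which this table-based sketch does not model.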



    Published In

    EuroSys '10: Proceedings of the 5th European conference on Computer systems
    April 2010
    388 pages
    ISBN:9781605585772
    DOI:10.1145/1755913

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. defense
    2. return-less kernel
    3. return-oriented rootkits

    Qualifiers

    • Research-article

    Conference

    EuroSys '10
    Sponsor:
    EuroSys '10: Fifth EuroSys Conference 2010
    April 13 - 16, 2010
    Paris, France

    Acceptance Rates

    Overall Acceptance Rate 241 of 1,308 submissions, 18%

    Cited By

    • NG-MVEE: A New Proposed Hybrid Technique for Enhanced Mitigation of Code Re-Use Attack. IEEE Access, 11:48169-48191, 2023. doi:10.1109/ACCESS.2023.3269881
    • Binary Exploitation in Industrial Control Systems: Past, Present and Future. IEEE Access, 10:48242-48273, 2022. doi:10.1109/ACCESS.2022.3171922
    • Defending against Return-Oriented Programming attacks based on return instruction using static analysis and binary patch techniques. Science of Computer Programming, 102768, January 2022. doi:10.1016/j.scico.2022.102768
    • Fast Out-of-Band Data Integrity Monitor to Mitigate Memory Corruption Attacks. Provable and Practical Security, pp. 139-155, 7 November 2022. doi:10.1007/978-3-031-20917-8_10
    • CryptKSP: A Kernel Stack Protection Model Based on AES-NI Hardware Feature. ICT Systems Security and Privacy Protection, pp. 270-286, 3 June 2022. doi:10.1007/978-3-031-06975-8_16
    • Not so fast: understanding and mitigating negative impacts of compiler optimizations on code reuse gadget sets. Proceedings of the ACM on Programming Languages, 5(OOPSLA):1-30, 15 October 2021. doi:10.1145/3485531
    • BadASLR: Exceptional Cases of ASLR Aiding Exploitation. Information Security Applications, pp. 278-289, 27 October 2021. doi:10.1007/978-3-030-89432-0_23
    • Transcending the Teetering Tower of Trust. Proceedings of the New Security Paradigms Workshop 2020, pp. 90-98, 26 October 2020. doi:10.1145/3442167.3442168
    • Survey of Code Reuse Attacks and Comparison of Mitigation Techniques. Proceedings of the 9th International Conference on Software and Information Engineering, pp. 88-96, 11 November 2020. doi:10.1145/3436829.3436865
    • Ultimate complexity for numerical algorithms. ACM Communications in Computer Algebra, 54(1):1-13, 19 August 2020. doi:10.1145/3419048.3419049