Return-Oriented Programming: Systems, Languages, and Applications

Q Engineering

ACM Transactions on Information and System Security Pub Date : 2012-03-01 DOI:10.1145/2133375.2133377

Ryan Roemer, E. Buchanan, H. Shacham, S. Savage

{"title":"Return-Oriented Programming: Systems, Languages, and Applications","authors":"Ryan Roemer, E. Buchanan, H. Shacham, S. Savage","doi":"10.1145/2133375.2133377","DOIUrl":null,"url":null,"abstract":"We introduce return-oriented programming, a technique by which an attacker can induce arbitrary behavior in a program whose control flow he has diverted, without injecting any code. A return-oriented program chains together short instruction sequences already present in a program’s address space, each of which ends in a “return” instruction.\n Return-oriented programming defeats the W⊕X protections recently deployed by Microsoft, Intel, and AMD; in this context, it can be seen as a generalization of traditional return-into-libc attacks. But the threat is more general. Return-oriented programming is readily exploitable on multiple architectures and systems. It also bypasses an entire category of security measures---those that seek to prevent malicious computation by preventing the execution of malicious code.\n To demonstrate the wide applicability of return-oriented programming, we construct a Turing-complete set of building blocks called gadgets using the standard C libraries of two very different architectures: Linux/x86 and Solaris/SPARC. To demonstrate the power of return-oriented programming, we present a high-level, general-purpose language for describing return-oriented exploits and a compiler that translates it to gadgets.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":"98 1","pages":"2:1-2:34"},"PeriodicalIF":0.0000,"publicationDate":"2012-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"520","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Information and System Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2133375.2133377","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q","JCRName":"Engineering","Score":null,"Total":0}

引用次数: 520

Abstract

We introduce return-oriented programming, a technique by which an attacker can induce arbitrary behavior in a program whose control flow he has diverted, without injecting any code. A return-oriented program chains together short instruction sequences already present in a program’s address space, each of which ends in a “return” instruction. Return-oriented programming defeats the W⊕X protections recently deployed by Microsoft, Intel, and AMD; in this context, it can be seen as a generalization of traditional return-into-libc attacks. But the threat is more general. Return-oriented programming is readily exploitable on multiple architectures and systems. It also bypasses an entire category of security measures---those that seek to prevent malicious computation by preventing the execution of malicious code. To demonstrate the wide applicability of return-oriented programming, we construct a Turing-complete set of building blocks called gadgets using the standard C libraries of two very different architectures: Linux/x86 and Solaris/SPARC. To demonstrate the power of return-oriented programming, we present a high-level, general-purpose language for describing return-oriented exploits and a compiler that translates it to gadgets.

查看原文本刊更多论文

面向回报的程序设计:系统、语言和应用

我们介绍了面向返回的编程，通过这种技术，攻击者可以在他转移控制流的程序中诱导任意行为，而无需注入任何代码。面向返回的程序将已经存在于程序地址空间中的短指令序列串在一起，每个短指令序列都以“返回”指令结束。面向返回的编程打败了微软、英特尔和AMD最近部署的W⊕X保护;在这种情况下，它可以被视为传统的回归攻击的概括。但威胁更为普遍。面向返回的编程很容易在多个体系结构和系统上使用。它还绕过了一整类安全措施——那些试图通过阻止恶意代码的执行来阻止恶意计算的措施。为了演示面向返回的编程的广泛适用性，我们使用两种非常不同的体系结构(Linux/x86和Solaris/SPARC)的标准C库构建了一组称为gadget的图灵完备构建块。为了演示面向返回的编程的强大功能，我们提供了一种高级通用语言，用于描述面向返回的漏洞利用，并提供了将其转换为gadget的编译器。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Transactions on Information and System Security 工程技术-计算机：信息系统

CiteScore

4.50

自引率

0.00%

发文量

审稿时长

3.3 months

期刊介绍： ISSEC is a scholarly, scientific journal that publishes original research papers in all areas of information and system security, including technologies, systems, applications, and policies.