Return-Oriented Programming without Returns

[Nytro]

Return-Oriented Programming without Returns

ABSTRACT

We show that on both the x86 and ARM architectures it is possible

to mount return-oriented programming attacks without using return

instructions. Our attacks instead make use of certain instruction

sequences that behave like a return, which occur with sufficient

frequency in large libraries on (x86) Linux and (ARM) Android to

allow creation of Turing-complete gadget sets.

Because they do not make use of return instructions, our new

attacks have negative implications for several recently proposed

classes of defense against return-oriented programming: those that

detect the too-frequent use of returns in the instruction stream;

those that detect violations of the last-in, first-out invariant normally

maintained for the return-address stack; and those that modify

compilers to produce code that avoids the return instruction.

1. INTRODUCTION

This paper is about the feasibility of certain defenses against

return-oriented programming. In the last year, several natural defenses

have been proposed that target properties of return-oriented

attacks and are intended to be simpler and have lower overhead than

a comprehensive defense such as Control-Flow Integrity (CFI) [1,

14].1 In this paper, we show that these narrowly tailored defenses

are incomplete by devising a new variant of return-oriented programming

that evades them. Our results call into doubt the usefulness

of these ad-hoc defenses.

Download:

http://www.cs.jhu.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf