Nytro Posted November 10, 2013 Report Share Posted November 10, 2013 Return-Oriented Programming without ReturnsABSTRACTWe show that on both the x86 and ARM architectures it is possibleto mount return-oriented programming attacks without using returninstructions. Our attacks instead make use of certain instructionsequences that behave like a return, which occur with sufficientfrequency in large libraries on (x86) Linux and (ARM) Android toallow creation of Turing-complete gadget sets.Because they do not make use of return instructions, our newattacks have negative implications for several recently proposedclasses of defense against return-oriented programming: those thatdetect the too-frequent use of returns in the instruction stream;those that detect violations of the last-in, first-out invariant normallymaintained for the return-address stack; and those that modifycompilers to produce code that avoids the return instruction.1. INTRODUCTIONThis paper is about the feasibility of certain defenses againstreturn-oriented programming. In the last year, several natural defenseshave been proposed that target properties of return-orientedattacks and are intended to be simpler and have lower overhead thana comprehensive defense such as Control-Flow Integrity (CFI) [1,14].1 In this paper, we show that these narrowly tailored defensesare incomplete by devising a new variant of return-oriented programmingthat evades them. Our results call into doubt the usefulnessof these ad-hoc defenses.Download:http://www.cs.jhu.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf Quote Link to comment Share on other sites More sharing options...
