Escape From Return-Oriented Programming: Return-oriented Programming without Returns (on the x86)
By Stephen Checkoway and Hovav Shacham.
Technical Report CS2010-0954, UC San Diego, February 2010.
Abstract
We show that on the x86 it is possible to mount a return-oriented programming attack without using any return instructions. Our new attack instead makes use of certain instruction sequences that behave like a return; we show that these sequences occur with sufficient frequency in large Linux libraries to allow creation of a Turing-complete gadget set.
Because it does not make use of return instructions, our new attack has negative implications for two recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream, and those that detect violations of the last-in, first-out invariant that is normally maintained for the return-address stack.
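The mechanism the abstract describes, as an added worked example that is not the paper's own code: the "sequence that behaves like a return" is a pop followed by an indirect jump through the popped register. The paper targets 32-bit x86 and harvests its sequences from existing Linux libraries; this example ports the idea to x86-64 Linux with GCC/Clang GNU-syntax inline assembly (assumptions) and hand-assembles a handful of gadgets so the control flow is visible. Every gadget ends in `jmp *%rdx`, where %rdx holds the address of the trampoline `pop %rax; jmp *%rax`; the trampoline pops the next gadget address off the attacker-controlled stack exactly as `ret` would, without ever executing a `ret`. Gadget names, the register roles and the 42-valued chain are illustrative choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: x86-64 Linux, GNU assembler syntax. Real attacks find these
 * sequences in library code; here they are written out explicitly. */
__asm__(
    ".text\n"
    ".globl rop_tramp\n"
    "rop_tramp:\n"                 /* return-like sequence: pop next address, jump to it */
    "    pop %rax\n"
    "    jmp *%rax\n"
    ".globl rop_pop_rbx\n"
    "rop_pop_rbx:\n"               /* rbx = next chain word (inline data, as in classic ROP) */
    "    pop %rbx\n"
    "    jmp *%rdx\n"
    ".globl rop_add_rbx\n"
    "rop_add_rbx:\n"               /* rcx += rbx */
    "    add %rbx, %rcx\n"
    "    jmp *%rdx\n"
    ".globl rop_dbl\n"
    "rop_dbl:\n"                   /* rcx *= 2 */
    "    add %rcx, %rcx\n"
    "    jmp *%rdx\n"
    ".globl rop_inc\n"
    "rop_inc:\n"                   /* rcx += 1 */
    "    add $1, %rcx\n"
    "    jmp *%rdx\n"
    ".globl rop_exit\n"
    "rop_exit:\n"                  /* terminator: restore the real stack, return rcx */
    "    mov rop_saved_rsp(%rip), %rsp\n"
    "    mov %rcx, %rax\n"
    "    pop %rbx\n"
    "    ret\n"
    ".globl rop_run\n"
    "rop_run:\n"                   /* uint64_t rop_run(uint64_t *chain): rsp = chain, enter via trampoline */
    "    push %rbx\n"
    "    mov %rsp, rop_saved_rsp(%rip)\n"
    "    mov %rdi, %rsp\n"
    "    lea rop_tramp(%rip), %rdx\n"
    "    xor %ecx, %ecx\n"
    "    jmp rop_tramp\n"
    ".data\n"
    "rop_saved_rsp: .quad 0\n"
    ".text\n"
);

extern char rop_tramp[], rop_pop_rbx[], rop_add_rbx[], rop_dbl[], rop_inc[], rop_exit[];
extern uint64_t rop_run(uint64_t *chain);

/* Private stack for the chain, with headroom below it so a signal delivered
 * mid-chain (which would push a frame below rsp) cannot trample other data. */
#define ROP_STACK_WORDS 512
static uint64_t rop_stack[ROP_STACK_WORDS];

/* Lay the chain out at the top of the private stack and run it. */
uint64_t run_chain(const uint64_t *chain, size_t n) {
    if (n > ROP_STACK_WORDS) return 0;
    uint64_t *sp = rop_stack + ROP_STACK_WORDS - n;
    memcpy(sp, chain, n * sizeof *chain);
    return rop_run(sp);
}

/* Constructed chain computing (20 * 2) + 1 + 1 = 42: addresses and inline data
 * interleave on the stack just as they do in a conventional ret-based chain. */
uint64_t demo_chain(void) {
    uint64_t chain[] = {
        (uintptr_t)rop_pop_rbx, 20,          /* rbx = 20 */
        (uintptr_t)rop_add_rbx,              /* rcx = 20 */
        (uintptr_t)rop_dbl,                  /* rcx = 40 */
        (uintptr_t)rop_inc, (uintptr_t)rop_inc, /* rcx = 42 */
        (uintptr_t)rop_exit,
    };
    return run_chain(chain, sizeof chain / sizeof chain[0]);
}

/* Naive byte scan for near-return opcodes (0xC3 ret, 0xC2 ret imm16). Crude,
 * since these bytes can occur inside longer instructions, but it shows what a
 * return-counting monitor would see in the gadgets above: nothing. */
size_t count_ret_opcodes(const unsigned char *p, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0xc3 || p[i] == 0xc2) hits++;
    return hits;
}

size_t gadget_ret_opcodes(void) {   /* rop_tramp .. rop_exit, i.e. everything but the terminator */
    return count_ret_opcodes((const unsigned char *)rop_tramp,
                             (uintptr_t)rop_exit - (uintptr_t)rop_tramp);
}

int main(void) {
    printf("chain result: %llu, ret opcodes in gadgets: %zu\n",
           (unsigned long long)demo_chain(), gadget_ret_opcodes());
    return 0;
}
```

Nothing in the chain executes `call` or `ret`: a shadow stack has no pushes or pops to compare, and a monitor counting returns per instruction sees zero. The one `ret` is in the terminator, which first restores the real %rsp and then returns from `rop_run` to its C caller, a legitimate, matching return that both kinds of defense accept. Build with any PIE or non-PIE setting; the gadget addresses are resolved at run time, so the chain does not depend on load addresses.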
Material
- Technical report version.
- Full version, local copy, updated 2010-03-22 in PDF and PS.
Reference
@Techreport{checkoway-shacham:noret:ucsd10,
author = {Stephen Checkoway and Hovav Shacham},
title = {Escape From Return-Oriented Programming:
Return-oriented Programming without Returns (on the x86)},
institution = {UC San Diego},
number = {CS2010-0954},
year = 2010,
month = feb,
url = {https://checkoway.net/papers/noret2010},
}