Return-Oriented Programming without Returns
By Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy.
In Proceedings of CCS 2010. ACM Press, October, 2010.
Abstract
We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction sequences that behave like a return, which occur with sufficient frequency in large libraries on (x86) Linux and (ARM) Android to allow creation of Turing-complete gadget sets.
Because they do not make use of return instructions, our new attacks have negative implications for several recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream; those that detect violations of the last-in, first-out invariant normally maintained for the return-address stack; and those that modify compilers to produce code that avoids the return instruction.
Material
Reference
@InProceedings{checkoway-et-al:noret:ccs10,
author = {Stephen Checkoway and Lucas Davi and Alexandra Dmitrienko
and Ahmad-Reza Sadeghi and Hovav Shacham and Marcel Winandy},
title = {Return-Oriented Programming without Returns},
editor = {Angelos Keromytis and Vitaly Shmatikov},
booktitle = {Proceedings of CCS 2010},
publisher = {ACM Press},
year = 2010,
month = oct,
pages = {559-572},
url = {https://checkoway.net/papers/noret_ccs2010},
}