When good instructions go bad

Erik Buchanan, Ryan Roemer, Hovav Shacham, Stefan Savage
2008 Proceedings of the 15th ACM conference on Computer and communications security - CCS '08  
This paper reconsiders the threat posed by Shacham's "return-oriented programming", a technique by which W⊕X-style hardware protections are evaded via carefully crafted stack frames that divert control flow into the middle of existing variable-length x86 instructions, creating short new instruction streams that then return. We believe this attack is both more general and a greater threat than the author appreciated. In fact, the vulnerability is not limited to the x86 architecture or any particular operating system, is readily exploitable, and bypasses an entire category of malware protections. In this paper we demonstrate general return-oriented programming on the SPARC, a fixed instruction length RISC architecture with structured control flow. We construct a Turing-complete library of code gadgets using snippets of the Solaris libc, a general purpose programming language, and a compiler for constructing return-oriented exploits. Finally, we argue that the threat posed by return-oriented programming, across all architectures and systems, has negative implications for an entire class of security mechanisms: those that seek to prevent malicious computation by preventing the execution of malicious code.
doi:10.1145/1455770.1455776 dblp:conf/ccs/BuchananRSS08 fatcat:l4lwa63lcrcrzpfjiq44imxvry