Upload
onofre
View
65
Download
0
Embed Size (px)
DESCRIPTION
The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) In Proceedings of the 14th ACM Conference on Computer and Communications Security, (CCS '07) Shacham (UC San Diego ). Presented by: WANG Zhi. Code and Behavior. - PowerPoint PPT Presentation
Citation preview
The Geometry of Innocent Flesh on the BoneReturn-into-libc without Function Calls (on the x86)
In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 07)
Shacham (UC San Diego )
Presented by WANG Zhi
Code and Behavior
bull Does ldquogoodrdquo codes always do ldquogoodrdquo behavior
malicious code
bull Insert and execute malicious code
Preventing malicious code
bull Check the integrity of good codes in the system
bull Isolate ldquobadrdquo code that has been introduced into the system (eg W-xor-X antivirus scanner)
W-xor-X model
bull Memory is either marked as writable or executable but may not be both
bull Widely deployed Linux (via PaX patches) OpenBSD Windows (since XP SP2) OS X (since 105) hellip
bull Hardware support Intel ldquoXDrdquo bit AMD ldquoNXrdquo bit
bull So it is very difficult to execute the inserted malicious codes
Ordinary programming
bull Instruction pointer (eip) determines which instruction to fetch amp execute
bull Once processor has executed the instruction it
automatically increments eip to next instructionbull Control flow by changing the value of eip
Return-oriented programming
bull The ldquoretrdquo instruction could transfers program control to a return address located on the top of the stack
bull Return-oriented programming introduces no new instructions just using carefully crafted stack to link existed code snippets together by ret instruction
bull Return-oriented programming generates a new execution path based on existed ldquogoodrdquo codes
Return-oriented programming
bull Stack pointer (esp) determines which instruction sequence to fetch amp execute
bull Processor doesnrsquot automatically increment esp but the ldquoretrdquo at end of each instruction sequence does
Useful Instruction Sequences
bull Useful Instruction Sequence For a instruction sequence to be potentially useful it needs only end in a return instruction
bull In the libc library there are sufficient useful instruction sequences
bull An attacker who controls the stack will be able to make the victim program to undertake arbitrary computation
Side-effect of the x86 variable length instruction set
Finding Useful sequences
bull Galileo Algorithmbull First to identify the ret (c3 byte) locationsbull Second to scan backwards from such locationsbull Does the single byte immediately preceding
represent a valid one-byte instructionbull Dose the two bytes immediately preceding
represent a valid two-byte instruction or two valid one-byte instructions
bull And so on up to the maximum length
Instruction Sequence Challenges
bull 1048672 Code sequences are difficult to use
bull 1048672 short perform a small unit of work
bull 1048672 no standard function prologueepilogue
bull 1048672 haphazard interface not an ABI
Gadget
Gadget designbull Gadgets are built from found code sequencesbull Gadgets are intermediate organizational unit
and perform well-defined operations such as1048672 load-store operations arithmetic amp logic operations control flow
invoking system calls
The set of gadgets is Turing complete so return-oriented programming could construct arbitrary computations
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Code and Behavior
bull Does ldquogoodrdquo codes always do ldquogoodrdquo behavior
malicious code
bull Insert and execute malicious code
Preventing malicious code
bull Check the integrity of good codes in the system
bull Isolate ldquobadrdquo code that has been introduced into the system (eg W-xor-X antivirus scanner)
W-xor-X model
bull Memory is either marked as writable or executable but may not be both
bull Widely deployed Linux (via PaX patches) OpenBSD Windows (since XP SP2) OS X (since 105) hellip
bull Hardware support Intel ldquoXDrdquo bit AMD ldquoNXrdquo bit
bull So it is very difficult to execute the inserted malicious codes
Ordinary programming
bull Instruction pointer (eip) determines which instruction to fetch amp execute
bull Once processor has executed the instruction it
automatically increments eip to next instructionbull Control flow by changing the value of eip
Return-oriented programming
bull The ldquoretrdquo instruction could transfers program control to a return address located on the top of the stack
bull Return-oriented programming introduces no new instructions just using carefully crafted stack to link existed code snippets together by ret instruction
bull Return-oriented programming generates a new execution path based on existed ldquogoodrdquo codes
Return-oriented programming
bull Stack pointer (esp) determines which instruction sequence to fetch amp execute
bull Processor doesnrsquot automatically increment esp but the ldquoretrdquo at end of each instruction sequence does
Useful Instruction Sequences
bull Useful Instruction Sequence For a instruction sequence to be potentially useful it needs only end in a return instruction
bull In the libc library there are sufficient useful instruction sequences
bull An attacker who controls the stack will be able to make the victim program to undertake arbitrary computation
Side-effect of the x86 variable length instruction set
Finding Useful sequences
bull Galileo Algorithmbull First to identify the ret (c3 byte) locationsbull Second to scan backwards from such locationsbull Does the single byte immediately preceding
represent a valid one-byte instructionbull Dose the two bytes immediately preceding
represent a valid two-byte instruction or two valid one-byte instructions
bull And so on up to the maximum length
Instruction Sequence Challenges
bull 1048672 Code sequences are difficult to use
bull 1048672 short perform a small unit of work
bull 1048672 no standard function prologueepilogue
bull 1048672 haphazard interface not an ABI
Gadget
Gadget designbull Gadgets are built from found code sequencesbull Gadgets are intermediate organizational unit
and perform well-defined operations such as1048672 load-store operations arithmetic amp logic operations control flow
invoking system calls
The set of gadgets is Turing complete so return-oriented programming could construct arbitrary computations
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
malicious code
bull Insert and execute malicious code
Preventing malicious code
bull Check the integrity of good codes in the system
bull Isolate ldquobadrdquo code that has been introduced into the system (eg W-xor-X antivirus scanner)
W-xor-X model
bull Memory is either marked as writable or executable but may not be both
bull Widely deployed Linux (via PaX patches) OpenBSD Windows (since XP SP2) OS X (since 105) hellip
bull Hardware support Intel ldquoXDrdquo bit AMD ldquoNXrdquo bit
bull So it is very difficult to execute the inserted malicious codes
Ordinary programming
bull Instruction pointer (eip) determines which instruction to fetch amp execute
bull Once processor has executed the instruction it
automatically increments eip to next instructionbull Control flow by changing the value of eip
Return-oriented programming
bull The ldquoretrdquo instruction could transfers program control to a return address located on the top of the stack
bull Return-oriented programming introduces no new instructions just using carefully crafted stack to link existed code snippets together by ret instruction
bull Return-oriented programming generates a new execution path based on existed ldquogoodrdquo codes
Return-oriented programming
bull Stack pointer (esp) determines which instruction sequence to fetch amp execute
bull Processor doesnrsquot automatically increment esp but the ldquoretrdquo at end of each instruction sequence does
Useful Instruction Sequences
bull Useful Instruction Sequence For a instruction sequence to be potentially useful it needs only end in a return instruction
bull In the libc library there are sufficient useful instruction sequences
bull An attacker who controls the stack will be able to make the victim program to undertake arbitrary computation
Side-effect of the x86 variable length instruction set
Finding Useful sequences
bull Galileo Algorithmbull First to identify the ret (c3 byte) locationsbull Second to scan backwards from such locationsbull Does the single byte immediately preceding
represent a valid one-byte instructionbull Dose the two bytes immediately preceding
represent a valid two-byte instruction or two valid one-byte instructions
bull And so on up to the maximum length
Instruction Sequence Challenges
bull 1048672 Code sequences are difficult to use
bull 1048672 short perform a small unit of work
bull 1048672 no standard function prologueepilogue
bull 1048672 haphazard interface not an ABI
Gadget
Gadget designbull Gadgets are built from found code sequencesbull Gadgets are intermediate organizational unit
and perform well-defined operations such as1048672 load-store operations arithmetic amp logic operations control flow
invoking system calls
The set of gadgets is Turing complete so return-oriented programming could construct arbitrary computations
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Preventing malicious code
bull Check the integrity of good codes in the system
bull Isolate ldquobadrdquo code that has been introduced into the system (eg W-xor-X antivirus scanner)
W-xor-X model
bull Memory is either marked as writable or executable but may not be both
bull Widely deployed Linux (via PaX patches) OpenBSD Windows (since XP SP2) OS X (since 105) hellip
bull Hardware support Intel ldquoXDrdquo bit AMD ldquoNXrdquo bit
bull So it is very difficult to execute the inserted malicious codes
Ordinary programming
bull Instruction pointer (eip) determines which instruction to fetch amp execute
bull Once processor has executed the instruction it
automatically increments eip to next instructionbull Control flow by changing the value of eip
Return-oriented programming
bull The ldquoretrdquo instruction could transfers program control to a return address located on the top of the stack
bull Return-oriented programming introduces no new instructions just using carefully crafted stack to link existed code snippets together by ret instruction
bull Return-oriented programming generates a new execution path based on existed ldquogoodrdquo codes
Return-oriented programming
bull Stack pointer (esp) determines which instruction sequence to fetch amp execute
bull Processor doesnrsquot automatically increment esp but the ldquoretrdquo at end of each instruction sequence does
Useful Instruction Sequences
bull Useful Instruction Sequence For a instruction sequence to be potentially useful it needs only end in a return instruction
bull In the libc library there are sufficient useful instruction sequences
bull An attacker who controls the stack will be able to make the victim program to undertake arbitrary computation
Side-effect of the x86 variable length instruction set
Finding Useful sequences
bull Galileo Algorithmbull First to identify the ret (c3 byte) locationsbull Second to scan backwards from such locationsbull Does the single byte immediately preceding
represent a valid one-byte instructionbull Dose the two bytes immediately preceding
represent a valid two-byte instruction or two valid one-byte instructions
bull And so on up to the maximum length
Instruction Sequence Challenges
bull 1048672 Code sequences are difficult to use
bull 1048672 short perform a small unit of work
bull 1048672 no standard function prologueepilogue
bull 1048672 haphazard interface not an ABI
Gadget
Gadget designbull Gadgets are built from found code sequencesbull Gadgets are intermediate organizational unit
and perform well-defined operations such as1048672 load-store operations arithmetic amp logic operations control flow
invoking system calls
The set of gadgets is Turing complete so return-oriented programming could construct arbitrary computations
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
W-xor-X model
bull Memory is either marked as writable or executable but may not be both
bull Widely deployed Linux (via PaX patches) OpenBSD Windows (since XP SP2) OS X (since 105) hellip
bull Hardware support Intel ldquoXDrdquo bit AMD ldquoNXrdquo bit
bull So it is very difficult to execute the inserted malicious codes
Ordinary programming
bull Instruction pointer (eip) determines which instruction to fetch amp execute
bull Once processor has executed the instruction it
automatically increments eip to next instructionbull Control flow by changing the value of eip
Return-oriented programming
bull The ldquoretrdquo instruction could transfers program control to a return address located on the top of the stack
bull Return-oriented programming introduces no new instructions just using carefully crafted stack to link existed code snippets together by ret instruction
bull Return-oriented programming generates a new execution path based on existed ldquogoodrdquo codes
Return-oriented programming
bull Stack pointer (esp) determines which instruction sequence to fetch amp execute
bull Processor doesnrsquot automatically increment esp but the ldquoretrdquo at end of each instruction sequence does
Useful Instruction Sequences
bull Useful Instruction Sequence For a instruction sequence to be potentially useful it needs only end in a return instruction
bull In the libc library there are sufficient useful instruction sequences
bull An attacker who controls the stack will be able to make the victim program to undertake arbitrary computation
Side-effect of the x86 variable length instruction set
Finding Useful sequences
bull Galileo Algorithmbull First to identify the ret (c3 byte) locationsbull Second to scan backwards from such locationsbull Does the single byte immediately preceding
represent a valid one-byte instructionbull Dose the two bytes immediately preceding
represent a valid two-byte instruction or two valid one-byte instructions
bull And so on up to the maximum length
Instruction Sequence Challenges
bull 1048672 Code sequences are difficult to use
bull 1048672 short perform a small unit of work
bull 1048672 no standard function prologueepilogue
bull 1048672 haphazard interface not an ABI
Gadget
Gadget designbull Gadgets are built from found code sequencesbull Gadgets are intermediate organizational unit
and perform well-defined operations such as1048672 load-store operations arithmetic amp logic operations control flow
invoking system calls
The set of gadgets is Turing complete so return-oriented programming could construct arbitrary computations
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Ordinary programming
bull Instruction pointer (eip) determines which instruction to fetch amp execute
bull Once processor has executed the instruction it
automatically increments eip to next instructionbull Control flow by changing the value of eip
Return-oriented programming
bull The ldquoretrdquo instruction could transfers program control to a return address located on the top of the stack
bull Return-oriented programming introduces no new instructions just using carefully crafted stack to link existed code snippets together by ret instruction
bull Return-oriented programming generates a new execution path based on existed ldquogoodrdquo codes
Return-oriented programming
bull Stack pointer (esp) determines which instruction sequence to fetch amp execute
bull Processor doesnrsquot automatically increment esp but the ldquoretrdquo at end of each instruction sequence does
Useful Instruction Sequences
bull Useful Instruction Sequence For a instruction sequence to be potentially useful it needs only end in a return instruction
bull In the libc library there are sufficient useful instruction sequences
bull An attacker who controls the stack will be able to make the victim program to undertake arbitrary computation
Side-effect of the x86 variable length instruction set
Finding Useful sequences
bull Galileo Algorithmbull First to identify the ret (c3 byte) locationsbull Second to scan backwards from such locationsbull Does the single byte immediately preceding
represent a valid one-byte instructionbull Dose the two bytes immediately preceding
represent a valid two-byte instruction or two valid one-byte instructions
bull And so on up to the maximum length
Instruction Sequence Challenges
bull 1048672 Code sequences are difficult to use
bull 1048672 short perform a small unit of work
bull 1048672 no standard function prologueepilogue
bull 1048672 haphazard interface not an ABI
Gadget
Gadget designbull Gadgets are built from found code sequencesbull Gadgets are intermediate organizational unit
and perform well-defined operations such as1048672 load-store operations arithmetic amp logic operations control flow
invoking system calls
The set of gadgets is Turing complete so return-oriented programming could construct arbitrary computations
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Return-oriented programming
bull The ldquoretrdquo instruction could transfers program control to a return address located on the top of the stack
bull Return-oriented programming introduces no new instructions just using carefully crafted stack to link existed code snippets together by ret instruction
bull Return-oriented programming generates a new execution path based on existed ldquogoodrdquo codes
Return-oriented programming
bull Stack pointer (esp) determines which instruction sequence to fetch amp execute
bull Processor doesnrsquot automatically increment esp but the ldquoretrdquo at end of each instruction sequence does
Useful Instruction Sequences
bull Useful Instruction Sequence For a instruction sequence to be potentially useful it needs only end in a return instruction
bull In the libc library there are sufficient useful instruction sequences
bull An attacker who controls the stack will be able to make the victim program to undertake arbitrary computation
Side-effect of the x86 variable length instruction set
Finding Useful sequences
bull Galileo Algorithmbull First to identify the ret (c3 byte) locationsbull Second to scan backwards from such locationsbull Does the single byte immediately preceding
represent a valid one-byte instructionbull Dose the two bytes immediately preceding
represent a valid two-byte instruction or two valid one-byte instructions
bull And so on up to the maximum length
Instruction Sequence Challenges
bull 1048672 Code sequences are difficult to use
bull 1048672 short perform a small unit of work
bull 1048672 no standard function prologueepilogue
bull 1048672 haphazard interface not an ABI
Gadget
Gadget designbull Gadgets are built from found code sequencesbull Gadgets are intermediate organizational unit
and perform well-defined operations such as1048672 load-store operations arithmetic amp logic operations control flow
invoking system calls
The set of gadgets is Turing complete so return-oriented programming could construct arbitrary computations
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Return-oriented programming
bull Stack pointer (esp) determines which instruction sequence to fetch amp execute
bull Processor doesnrsquot automatically increment esp but the ldquoretrdquo at end of each instruction sequence does
Useful Instruction Sequences
bull Useful Instruction Sequence For a instruction sequence to be potentially useful it needs only end in a return instruction
bull In the libc library there are sufficient useful instruction sequences
bull An attacker who controls the stack will be able to make the victim program to undertake arbitrary computation
Side-effect of the x86 variable length instruction set
Finding Useful sequences
bull Galileo Algorithmbull First to identify the ret (c3 byte) locationsbull Second to scan backwards from such locationsbull Does the single byte immediately preceding
represent a valid one-byte instructionbull Dose the two bytes immediately preceding
represent a valid two-byte instruction or two valid one-byte instructions
bull And so on up to the maximum length
Instruction Sequence Challenges
bull 1048672 Code sequences are difficult to use
bull 1048672 short perform a small unit of work
bull 1048672 no standard function prologueepilogue
bull 1048672 haphazard interface not an ABI
Gadget
Gadget designbull Gadgets are built from found code sequencesbull Gadgets are intermediate organizational unit
and perform well-defined operations such as1048672 load-store operations arithmetic amp logic operations control flow
invoking system calls
The set of gadgets is Turing complete so return-oriented programming could construct arbitrary computations
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Useful Instruction Sequences
bull Useful Instruction Sequence For a instruction sequence to be potentially useful it needs only end in a return instruction
bull In the libc library there are sufficient useful instruction sequences
bull An attacker who controls the stack will be able to make the victim program to undertake arbitrary computation
Side-effect of the x86 variable length instruction set
Finding Useful sequences
bull Galileo Algorithmbull First to identify the ret (c3 byte) locationsbull Second to scan backwards from such locationsbull Does the single byte immediately preceding
represent a valid one-byte instructionbull Dose the two bytes immediately preceding
represent a valid two-byte instruction or two valid one-byte instructions
bull And so on up to the maximum length
Instruction Sequence Challenges
bull 1048672 Code sequences are difficult to use
bull 1048672 short perform a small unit of work
bull 1048672 no standard function prologueepilogue
bull 1048672 haphazard interface not an ABI
Gadget
Gadget designbull Gadgets are built from found code sequencesbull Gadgets are intermediate organizational unit
and perform well-defined operations such as1048672 load-store operations arithmetic amp logic operations control flow
invoking system calls
The set of gadgets is Turing complete so return-oriented programming could construct arbitrary computations
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Side-effect of the x86 variable length instruction set
Finding Useful sequences
bull Galileo Algorithmbull First to identify the ret (c3 byte) locationsbull Second to scan backwards from such locationsbull Does the single byte immediately preceding
represent a valid one-byte instructionbull Dose the two bytes immediately preceding
represent a valid two-byte instruction or two valid one-byte instructions
bull And so on up to the maximum length
Instruction Sequence Challenges
bull 1048672 Code sequences are difficult to use
bull 1048672 short perform a small unit of work
bull 1048672 no standard function prologueepilogue
bull 1048672 haphazard interface not an ABI
Gadget
Gadget designbull Gadgets are built from found code sequencesbull Gadgets are intermediate organizational unit
and perform well-defined operations such as1048672 load-store operations arithmetic amp logic operations control flow
invoking system calls
The set of gadgets is Turing complete so return-oriented programming could construct arbitrary computations
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Finding Useful sequences
bull Galileo Algorithmbull First to identify the ret (c3 byte) locationsbull Second to scan backwards from such locationsbull Does the single byte immediately preceding
represent a valid one-byte instructionbull Dose the two bytes immediately preceding
represent a valid two-byte instruction or two valid one-byte instructions
bull And so on up to the maximum length
Instruction Sequence Challenges
bull 1048672 Code sequences are difficult to use
bull 1048672 short perform a small unit of work
bull 1048672 no standard function prologueepilogue
bull 1048672 haphazard interface not an ABI
Gadget
Gadget designbull Gadgets are built from found code sequencesbull Gadgets are intermediate organizational unit
and perform well-defined operations such as1048672 load-store operations arithmetic amp logic operations control flow
invoking system calls
The set of gadgets is Turing complete so return-oriented programming could construct arbitrary computations
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Instruction Sequence Challenges
bull 1048672 Code sequences are difficult to use
bull 1048672 short perform a small unit of work
bull 1048672 no standard function prologueepilogue
bull 1048672 haphazard interface not an ABI
Gadget
Gadget designbull Gadgets are built from found code sequencesbull Gadgets are intermediate organizational unit
and perform well-defined operations such as1048672 load-store operations arithmetic amp logic operations control flow
invoking system calls
The set of gadgets is Turing complete so return-oriented programming could construct arbitrary computations
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Gadget
Gadget designbull Gadgets are built from found code sequencesbull Gadgets are intermediate organizational unit
and perform well-defined operations such as1048672 load-store operations arithmetic amp logic operations control flow
invoking system calls
The set of gadgets is Turing complete so return-oriented programming could construct arbitrary computations
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Gadget designbull Gadgets are built from found code sequencesbull Gadgets are intermediate organizational unit
and perform well-defined operations such as1048672 load-store operations arithmetic amp logic operations control flow
invoking system calls
The set of gadgets is Turing complete so return-oriented programming could construct arbitrary computations
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Loading a Constant to Register
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Loading From Memory
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Storing To Memory
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Arithmetic And Logic
Simple add into eax
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Return-Oriented Shellcode
bull An application of return-oriented shellcode
bull The shellcode invokes the execve system call to run a shell This requires
1 Setting the system call index in eax
2 Setting the path of the program to run in ebx
3 Setting the argument vector argv in ecx
4 Setting the environment vector envp in edx
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Return-oriented Shellcode
bull In this case the binary codes of shellcode given above
bull 3e 78 03 03 07 7f 02 03 0b 0b 0b 0b 18 ff ff 4fbull 30 7f 02 03 4f 37 05 03 bd ad 06 03 34 ff ff 4fbull 07 7f 02 03 2c ff ff 4f 30 ff ff 4f 55 d7 08 03bull 34 ff ff 4f ad fb ca de 2f 62 69 6e 2f 73 68 00
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Extension
bull Return-oriented programming has extended to the SPARC Atmel AVR PowerPC Z80 and ARM processors
bull Using return-like instructions such as indirect jump instructions rdquopop x jmp xrdquo
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
References
bull [CCS08] Buchanan et al When good instructions go bad Generalizing return-oriented programming to RISCCCS 2008
bull [USENIX Securiy09] Hund et al Return-oriented rootkits Bypassing kernel code integrity protection mechanisms
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Conclusions
bull Code injection is not necessary for arbitrary exploitation
bull Defenses that distinguish ldquogood coderdquo from ldquobad coderdquo are useless
bull Return-oriented programming likely possible on every architecture not just x86
Thanks
Thanks