Publications

Type of Publication: Article in Collected Edition

Return-Oriented Programming without Returns

Author(s):
Checkoway, Stephen; Davi, Lucas; Dmitrienko, Alexandra; Sadeghi, Ahmad-Reza; Shacham, Hovav; Winandy, Marcel
Title of Anthology:
Proc. of 17th ACM conference on Computer and Communications Security (CCS)
Publication Date:
2010
Digital Object Identifier (DOI):
doi:10.1145/1866307.1866370
Link to complete version:
https://dl.acm.org/authorize?N28543

Abstract

We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction sequences that behave like a return, which occur with sufficient frequency in large libraries on (x86) Linux and (ARM) Android to allow creation of Turing-complete gadget sets.

Because they do not make use of return instructions, our new attacks have negative implications for several recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream; those that detect violations of the last-in, first-out invariant normally maintained for the return-address stack; and those that modify compilers to produce code that avoids the return instruction.