Return-oriented Programming: How to Perform Arbitrary Computation Without Code Injection - Lecture

Davi, Lucas
Name of Event:
5th European Trusted Infrastructure Summer School (ETISS)
Royal Holloway University of London, GB


Runtime attacks on software aim at subverting the control-flow of an application by redirecting execution to injected malicious code. Trusted Computing technologies such as IBM's integrity measurement architecture (IMA) cannot prevent such attacks, because they mainly ensure the load-time integrity of applications. Many runtime attacks, however, are based on corrupting functions' return addresses so that the affected function does not return to its original caller, but to the adversary's injected code.

On the other hand, new attacks induce malicious behavior by only using existing code of linked libraries instead of injecting codes (particularly because the recently proposed memory protection mechanisms prevent the execution of injected code). These attacks are generally referred to as "return-oriented" attacks, since they return to code of already linked libraries. A particular powerful attack of this category are based on "return-oriented programming (ROP)". They combine various small instruction sequences of different functions to constitute arbitrary program behavior. The attack method has shown to be Turing-complete and has been deployed to a broad range of architectures: Intel x86, SPARC, Atmel AVR, ARM, etc. In this lecture we provide an overview on ROP for different hardware architectures and present recently available exploits which are built upon the principles of ROP. Finally, we will discuss possible countermeasures.