We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction sequences that behave like a return, which occur with sufficient frequency in large libraries on (x86) Linux and (ARM) Android to allow creation of Turing-complete gadget sets.
Because they do not make use of return instructions, our new attacks have negative implications for several recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream; those that detect violations of the last-in, first-out invariant normally maintained for the return-address stack; and those that modify compilers to produce code that avoids the return instruction.
%0 Conference Paper
%1 CDDSSW2010
%A Checkoway, Stephen
%A Davi, Lucas
%A Dmitrienko, Alexandra
%A Sadeghi, Ahmad-Reza
%A Shacham, Hovav
%A Winandy, Marcel
%B ACM Conference on Computer and Communications Security (CCS)
%D 2010
%K International-Conference-Workshop-Papers-Book-Chapters myown
%T Return-Oriented Programming without Returns
%X We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction sequences that behave like a return, which occur with sufficient frequency in large libraries on (x86) Linux and (ARM) Android to allow creation of Turing-complete gadget sets.
Because they do not make use of return instructions, our new attacks have negative implications for several recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream; those that detect violations of the last-in, first-out invariant normally maintained for the return-address stack; and those that modify compilers to produce code that avoids the return instruction.
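@comment{Entry for Checkoway et al., CCS 2010. Fields are ordered author,
  title, venue data, date, links, then annotations. The month uses the
  predefined oct macro so styles can localise it; the conference location is
  given in the biblatex venue field (location/address would denote the
  publisher's city); the PDF link is duplicated into url so url-aware styles
  print it. The BibSonomy bookkeeping fields (added-at, biburl, interhash,
  intrahash, pdf, timestamp) are not standard and are ignored by styles; they
  are kept for round-tripping with the original export.}
@inproceedings{CDDSSW2010,
  author     = {Checkoway, Stephen and Davi, Lucas and Dmitrienko, Alexandra and Sadeghi, Ahmad-Reza and Shacham, Hovav and Winandy, Marcel},
  title      = {Return-Oriented Programming without Returns},
  booktitle  = {{ACM} Conference on Computer and Communications Security ({CCS})},
  eventtitle = {ACM CCS},
  venue      = {Chicago, USA},
  year       = {2010},
  month      = oct,
  url        = {https://se2.informatik.uni-wuerzburg.de/publications/download/paper/1530.pdf},
  abstract   = {We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction sequences that behave like a return, which occur with sufficient frequency in large libraries on (x86) Linux and (ARM) Android to allow creation of Turing-complete gadget sets.
Because they do not make use of return instructions, our new attacks have negative implications for several recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream; those that detect violations of the last-in, first-out invariant normally maintained for the return-address stack; and those that modify compilers to produce code that avoids the return instruction.},
  keywords   = {International-Conference-Workshop-Papers-Book-Chapters myown},
  added-at   = {2020-05-03T20:09:10.000+0200},
  biburl     = {https://www.bibsonomy.org/bibtex/20066c4849a5feca48f3b120b0734bf22/sssgroup},
  interhash  = {6bc39ec5432643824752b3948defeeaa},
  intrahash  = {0066c4849a5feca48f3b120b0734bf22},
  pdf        = {https://se2.informatik.uni-wuerzburg.de/publications/download/paper/1530.pdf},
  timestamp  = {2022-12-20T00:43:51.000+0100},
}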