• Corpus ID: 207884209

4 6 7 3 5 Return to next sequence 2 Stack pointer Move 1 Code Program Memory Return Return Libraries ( lib ) Instruction Sequence Instruction Sequence Data Return

  title={4 6 7 3 5 Return to next sequence 2 Stack pointer Move 1 Code Program Memory Return Return Libraries ( lib ) Instruction Sequence Instruction Sequence Data Return},
  author={Lucas Davi and Ahmad-Reza Sadeghi and Marcel Winandy},
Modern runtime attacks increasingly make use of the powerful return-oriented programming (ROP) attack techniques and principles such as recent attacks on Apple iPhone and Acrobat products to name some. These attacks even work under the presence of modern memory protection mechanisms such as data execution prevention (DEP). In this paper, we present our tool, ROPdefender , that dynamically detects conventional ROP attacks (that are based on return instructions). In contrast to existing solutions… 

Figures and Tables from this paper


Return-oriented programming without returns
We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction
Transparent Runtime Shadow Stack : Protection against malicious return address modifications
This paper introduces the use of a T ransparent RUntime Shadow Stack (TRUSS) to protect against function return address modification and discusses the implementation details of the scheme as well as provides a performance evaluation.
When good instructions go bad: generalizing return-oriented programming to RISC
It is argued that the threat posed by return-oriented programming, across all architectures and systems, has negative implications for an entire class of security mechanisms: those that seek to prevent malicious computation by preventing the execution of malicious code.
G-Free: defeating return-oriented programming through gadget-less binaries
G-Free is presented, a compiler-based approach that represents the first practical solution against any possible form of ROP, and is able to eliminate all unaligned free-branch instructions inside a binary executable, and to protect the aligned free-Branch instructions to prevent them from being misused by an attacker.
DROP: Detecting Return-Oriented Programming Malicious Code
A tool DROP is presented, which is focused on dynamically detecting ROP malicious code, and preliminary experimental results show that DROP can efficiently detect ROP malware, and have no false positives and negatives.
Surgically Returning to Randomized lib(c)
It is concluded that position independent executables (PIE) are essential to complement ASLR and to prevent the attack presented in this paper, which can exploit the majority of programs vulnerable to stack-based buffer overflows surgically.
This paper will show how it can extend old advanced return-to-libc techniques to multistage techniques that can bypass ASLR and ASCII-Armor mapping and make ROP/return- to- libc exploitation on modern Linux x86 become easy.
Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks
This work proposes new runtime integrity monitoring techniques that use tracking instrumentation of program binaries based on taint analysis and dynamic tracing and describes how these techniques can be employed in a dynamic integrity measurement architecture (DynIMA).
Defeating return-oriented rootkits with "Return-Less" kernels
This approach recognizes the hallmark of return-oriented rootkits, i.e., the ret instruction, and accordingly aims to completely remove them in a running OS kernel, and developed a LLVM-based prototype and used it to generate a return-less FreeBSD kernel.
Defending embedded systems against control flow attacks
This paper presents a control flow enforcement technique based on an Instruction Based Memory Access Control (IBMAC) implemented in hardware. It is specifically designed to protect low-cost embedded