Abstract
Return-oriented programming (ROP) is a new technique that can be leveraged to construct a rootkit by reusing existing code within the kernel. Such a ROP rootkit can be designed to evade existing kernel integrity protection mechanisms. In this paper, we show that it is also possible to mount a new type of return-oriented programming rootkit without using any return instructions on the x86 platform. Our new attack makes use of certain instruction sequences ending in jmp instead of ret; we show that these sequences occur with sufficient frequency in the OS kernel to enable the construction of arbitrary x86 behaviors. Since it does not make use of return instructions, our new attack has negative implications for existing defense methods against traditional ROP attacks. Further, we present the design of a memory layout arrangement technique for this type of ROP rootkit, whose size is not limited by the kernel stack. Finally, we propose an implementation of this practical attack to demonstrate the feasibility and effectiveness of our approach.
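As an added illustration (not code from the paper or its authors), the following toy execution-trace model shows why a detector that only watches for chains of short ret-terminated sequences sees nothing in a chain of jmp-terminated gadgets, and how treating every indirect control transfer as a gadget boundary restores coverage. The mnemonic abstraction, traces and thresholds are constructed for the example.

```python
# Added example, not from the paper. A toy execution-trace model comparing a
# ret-only gadget-chain detector with one that treats every indirect control
# transfer as a gadget boundary. Mnemonics are a constructed abstraction:
# "ret" = return, "jmp_ind" = jmp through a register or memory operand,
# "call_ind" = indirect call; everything else is an ordinary instruction.

MAX_GADGET_LEN = 5    # a "gadget" is a run of at most this many instructions
CHAIN_THRESHOLD = 3   # this many consecutive gadgets in a row is suspicious

def longest_gadget_chain(trace, terminators):
    """Longest run of consecutive short sequences, each ending in a
    mnemonic from `terminators`. A long sequence breaks the run."""
    longest = run = length = 0
    for mnem in trace:
        length += 1
        if mnem in terminators:
            run = run + 1 if length <= MAX_GADGET_LEN else 0
            longest = max(longest, run)
            length = 0
    return longest

def ret_only_detector(trace):
    """Classic ROP heuristic: only ret ends a gadget."""
    return longest_gadget_chain(trace, {"ret"}) >= CHAIN_THRESHOLD

def indirect_branch_detector(trace):
    """Widened heuristic: ret, indirect jmp and indirect call all end a gadget."""
    return longest_gadget_chain(trace, {"ret", "jmp_ind", "call_ind"}) >= CHAIN_THRESHOLD

# Constructed traces.
# Ordinary kernel code: long function bodies, one indirect call, a final ret.
BENIGN = ["push", "mov", "sub", "mov", "call_ind",
          "mov", "add", "mov", "mov", "pop", "ret"] * 3
# Traditional ROP chain: short sequences each ending in ret.
RET_CHAIN = ["pop", "ret", "pop", "pop", "ret", "mov", "ret", "xchg", "ret"]
# Return-less chain of the kind the abstract describes: functional gadgets
# ending in an indirect jmp, alternating with a dispatcher gadget that
# advances a register and jumps through it. No ret appears at all.
JMP_CHAIN = ["pop", "jmp_ind", "add", "jmp_ind",
             "mov", "jmp_ind", "add", "jmp_ind",
             "xchg", "jmp_ind", "add", "jmp_ind"]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN), ("ret chain", RET_CHAIN),
                        ("jmp chain", JMP_CHAIN)):
        print(f"{name:10s} ret-only: {ret_only_detector(trace)!s:5s} "
              f"any-indirect: {indirect_branch_detector(trace)}")
```

A real detector also has to inspect where each indirect branch lands and read the instruction stream from kernel memory, which this model does not do; the point is only which boundary a ret-centric heuristic leaves unwatched.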
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Chen, P., Xing, X., Mao, B., Xie, L. (2010). Return-Oriented Rootkit without Returns (on the x86). In: Soriano, M., Qing, S., López, J. (eds) Information and Communications Security. ICICS 2010. Lecture Notes in Computer Science, vol 6476. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17650-0_24
DOI: https://doi.org/10.1007/978-3-642-17650-0_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-17649-4
Online ISBN: 978-3-642-17650-0
eBook Packages: Computer Science (R0)