Architectural Prevention of Return-Oriented Programming
Publication Date: 2015-Aug-04
The IP.com Prior Art Database
Disclosed are architectural approaches to preventing Return-Oriented Programming (ROP). The first is a method for preventing control flow perversion, and the second is a method to prevent execution at arbitrary points in code.
Return-Oriented Programming (ROP) is an important attack technique that bypasses data execution prevention by utilizing fragments of code that are part of the underlying system. ROP exploits re-usable segments of code that end in a return-from-function in either the operating system (OS) or the application under attack. Return-oriented programming works against Complex Instruction Set Computing (CISC) and Reduced Instruction Set Computing (RISC) systems with stack architecture, regardless of whether the stack is supported by hardware.
A separate linkage stack that is reserved for use by the operating system does not provide protection to application code. An attacker using ROP does not have direct access to the machine state. The attacker is interfacing to an application over the network through an Application Programming Interface (API), or is interfacing to the underlying OS or Hypervisor through the syscall or hcall interface. By supplying the chosen data to some legitimate interface, the attacker can cause the object under attack to write arbitrary data supplied by the attacker onto the stack. The data supplied by the attacker is the ROP.
In current hardware or software stack-based architectures, when one program calls another, the return address and some system states are pushed onto the stack (Figure 1A). The order of pushing state onto the stack is not material. In some computer architectures, the return address is pushed onto the stack and the callee has to put the state of the caller onto the stack so that it can be restored. Upon return, the callee pops the state off the stack (or restores the caller's state), and then executes a return instruction, which branches to the address on the top of the stack and pops that address off the stack.
This type of mechanism can be made arbitrarily complex. For security reasons, the responsibility for saving the caller's state can be moved from the callee to the caller and can be moved from software to hardware*. Another ROP-enabling feature is the allocation of dynamic variables on the stack (Figure 1A). If there is a buffer overflow vulnerability or a similar program bug in an application or system, then an attacker can write chosen data onto the stack. The attacker can therefore overwrite the caller's return address with another address (Figure 1B).
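As an added illustration of the call/return mechanism of Figures 1A and 1B (example code, not part of the disclosure), the following C model simulates a word-addressed stack, a callee's dynamic locals, and an unchecked copy that runs into the saved return address. It also carries a hardware-owned shadow copy of the return address so that the return instruction can detect the corrupted address; that shadow stack is a standard mitigation assumed here for illustration, not the method disclosed on this page, and all names (machine_t, run_scenario, the addresses) are constructed.

```c
#include <stdint.h>
/* Added educational model, not the mechanism disclosed on this page: a
 * word-addressed stack growing downward, plus a separate shadow (linkage)
 * stack that only the simulated hardware writes. */
#define STACK_WORDS 16
typedef struct {
    uint32_t stack[STACK_WORDS];  /* program-visible stack */
    uint32_t shadow[STACK_WORDS]; /* return addresses only, hardware-owned */
    int sp, ssp;                  /* indices of the top-of-stack words */
    uint32_t pc;
} machine_t;

/* CALL: push the return address (Figure 1A) and its shadow copy. */
static void machine_call(machine_t *m, uint32_t target, uint32_t ret_addr) {
    m->stack[--m->sp] = ret_addr;
    m->shadow[--m->ssp] = ret_addr;
    m->pc = target;
}

/* The buffer-overflow bug of Figure 1B: the callee allocates `locals` words
 * of dynamic variables and fills them from chosen data with no bound check,
 * so a longer input runs upward into the saved return address slot. */
static void callee_copy_unchecked(machine_t *m, int locals,
                                  const uint32_t *data, int words) {
    m->sp -= locals;
    for (int i = 0; i < words; i++)
        m->stack[m->sp + i] = data[i];
}

/* RET: free locals, pop the return address. With the shadow check on, a
 * mismatch with the hardware-owned copy refuses the return (1 = ok, 0 = refused). */
static int machine_ret(machine_t *m, int locals, int use_shadow) {
    m->sp += locals;
    uint32_t ret = m->stack[m->sp++];
    uint32_t expect = m->shadow[m->ssp++];
    if (use_shadow && ret != expect) return 0;
    m->pc = ret;
    return 1;
}

/* Caller at 0x2000 calls 0x1000; the callee has a 2-word buffer and copies
 * `words` (at most 3) words of constructed input into it. Returns the pc
 * reached after RET, or 0 if the shadow stack refused the return. */
uint32_t run_scenario(int words, int use_shadow) {
    machine_t m = { .sp = STACK_WORDS, .ssp = STACK_WORDS };
    machine_call(&m, 0x1000, 0x2004);
    const uint32_t input[3] = {0xAAAA, 0xBBBB, 0x3000}; /* 3rd word hits the return slot */
    callee_copy_unchecked(&m, 2, input, words > 3 ? 3 : words);
    return machine_ret(&m, 2, use_shadow) ? m.pc : 0;
}
```

With a 2-word input the return lands at 0x2004 either way; with 3 words the unchecked machine branches to the chosen 0x3000, while the shadow check refuses the return.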
Many modern processor architectures added Data Execution Protection (DEP), which prevented the execution of code from the stack (or other restricted data areas). The creators of ROP treated all of the code in the system as data and observed that many sequences of code ended in a return instruction. These sequences of code are referred to as gadgets. Code gadgets have been analyzed and found to be Turing complete. The attackers then shifted from writing executable code to utilizing tools that created useful attack functions from the gadgets available in a normal system. The attack occurs...