Return-oriented programming without returns

Abstract: We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction sequences that behave like a return, which occur with sufficient frequency in large libraries on (x86) Linux and (ARM) Android to allow creation of Turing-complete gadget sets.Because they do not make use of return instructions, our new attacks have negative implications for several recently proposed classes of defe… Show more

“…Again, the number of instructions executed increases by a few times, although it has little effect on the detectability (please refer to Appendix B for an example of the packed ROP shellcode). [7]. In this section, we show that decoders in printable shellcode produced by our two-layer packer could be constructed without returns.…”

“…The search space can be further extended to include other binary files when needed. Table 6 shows some useful gadgets that we find on Windows XP, whose functionality includes Trampoline (an update-load-branch [7] sequence which acts as the ret instruction), loading and storing data, and arithmetic.…”

“…Return-oriented programming (ROP) [23] and its variations [6][7][8]12,15,16] have been shown to be able to perform arbitrary computation without executing injected code. It executes machine instructions immediately prior to return (or return-like [7]) instructions within the existing program or library code.…”

“…It executes machine instructions immediately prior to return (or return-like [7]) instructions within the existing program or library code. Both the address words pointing to these instructions and the corresponding data words are usually called gadgets.…”

“…As an extension, we demonstrate another use of our ROP packer as a polymorphic converter to make the resulting packed code immune to signature-based detection. We also show that our packer works not only on ROP using return gadgets, but also ROP using non-return gadgets [5,7].…”

Packed, Printable, and Polymorphic Return-Oriented Programming

“…Again, the number of instructions executed increases by a few times, although it has little effect on the detectability (please refer to Appendix B for an example of the packed ROP shellcode). [7]. In this section, we show that decoders in printable shellcode produced by our two-layer packer could be constructed without returns.…”

“…The search space can be further extended to include other binary files when needed. Table 6 shows some useful gadgets that we find on Windows XP, whose functionality includes Trampoline (an update-load-branch [7] sequence which acts as the ret instruction), loading and storing data, and arithmetic.…”

“…Return-oriented programming (ROP) [23] and its variations [6][7][8]12,15,16] have been shown to be able to perform arbitrary computation without executing injected code. It executes machine instructions immediately prior to return (or return-like [7]) instructions within the existing program or library code.…”

“…It executes machine instructions immediately prior to return (or return-like [7]) instructions within the existing program or library code. Both the address words pointing to these instructions and the corresponding data words are usually called gadgets.…”

“…As an extension, we demonstrate another use of our ROP packer as a polymorphic converter to make the resulting packed code immune to signature-based detection. We also show that our packer works not only on ROP using return gadgets, but also ROP using non-return gadgets [5,7].…”

Packed, Printable, and Polymorphic Return-Oriented Programming

IoT Device Attestation

Survey of return-oriented programming defense mechanisms