Return-Oriented Rootkit without Returns (on the x86)

  • Ping Chen
  • Xiao Xing
  • Bing Mao
  • Li Xie
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6476)

Abstract

Return-Oriented Programming (ROP) is a recent technique that can be leveraged to construct a rootkit by reusing existing code within the kernel. Such a ROP rootkit can be designed to evade existing kernel integrity protection mechanisms. In this paper, we show that it is also possible to mount a new type of return-oriented programming rootkit without using any return instructions on the x86 platform. Our new attack makes use of certain instruction sequences that end in jmp instead of ret; we show that these sequences occur with sufficient frequency in the OS kernel to enable the construction of arbitrary x86 behaviors. Because it does not use return instructions, our new attack has negative implications for existing defenses against traditional ROP attacks. Further, we present a memory layout arrangement technique for this type of ROP rootkit, whose size is not limited by the kernel stack. Finally, we present an implementation of this practical attack to demonstrate the feasibility and effectiveness of our approach.

Keywords

Instruction Sequence, Malicious Code, Kernel Space, Instruction Stream, Callback Routine

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Ping Chen (1)
  • Xiao Xing (1)
  • Bing Mao (1)
  • Li Xie (1)
  1. State Key Laboratory for Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing, China