ABSTRACT
Return-oriented programming (ROP) is a technique for hijacking the control flow of a program and forcing it to perform computations that were never originally intended. ROP is achieved by modifying the values of return addresses saved to memory, causing a failure of control-flow integrity. In the POWER10 processor, we have adopted a cryptographic mechanism for ROP protection. Return addresses are cryptographically hashed when control flow enters a function, and the hash is saved in memory. The hash is recomputed and compared to the saved value just before a return from the function. Any mismatch is flagged as a violation and generates an exception to the supervisor. POWER10 was augmented with instructions to generate and verify those hashes. We minimize the performance impact on running programs by implementing the cryptographic hash with dedicated functional units.
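A software model of the mechanism the abstract describes, added here as an example and not IBM's or the paper's code: `hash_store` stands in for the entry-side instruction and `hash_check` for the return-side one, and a mismatch is reported as a false result instead of a supervisor exception. The keyed primitive (a SPECK128/128 block cipher), the constructed key and frame address, and the mixing of the frame address into the hash are assumptions of the model, not details the abstract gives.

```c
// Software model of POWER10-style return-address hashing (added example, not IBM's code).
// Assumptions: a SPECK128/128 block cipher as the keyed primitive, a per-process secret
// key, and the frame address mixed into the hash so a saved hash is bound to one frame.
#include <stdint.h>
#include <stdbool.h>
#define ROR64(x, r) (((x) >> (r)) | ((x) << (64 - (r))))
#define ROL64(x, r) (((x) << (r)) | ((x) >> (64 - (r))))
#define SPECK_ROUNDS 32
// One SPECK round on state (x, y) with round key k.
#define SPECK_R(x, y, k) \
    ((x) = ROR64((x), 8), (x) += (y), (x) ^= (k), (y) = ROL64((y), 3), (y) ^= (x))

// SPECK128/128 encryption: 64-bit words, two-word key, 32 rounds, key schedule computed inline.
static void speck128_encrypt(uint64_t ct[2], const uint64_t pt[2], const uint64_t key[2]) {
    uint64_t y = pt[0], x = pt[1], b = key[0], a = key[1];
    SPECK_R(x, y, b);
    for (uint64_t i = 0; i < SPECK_ROUNDS - 1; i++) {
        SPECK_R(a, b, i);   // derive the next round key
        SPECK_R(x, y, b);   // apply it to the state
    }
    ct[0] = y;
    ct[1] = x;
}

// Keyed hash of (return address, frame address): encrypt the pair and fold the output words.
uint64_t ra_hash(const uint64_t key[2], uint64_t ret_addr, uint64_t frame_addr) {
    uint64_t in[2] = { frame_addr, ret_addr }, out[2];
    speck128_encrypt(out, in, key);
    return out[0] ^ out[1];
}

// Function entry: hash the return address once and save the hash beside it in the frame.
void hash_store(const uint64_t key[2], uint64_t ret_addr, uint64_t frame_addr, uint64_t *slot) {
    *slot = ra_hash(key, ret_addr, frame_addr);
}

// Just before return: recompute from the saved (possibly overwritten) return address and compare.
// A false result is the violation that, in hardware, becomes an exception to the supervisor.
bool hash_check(const uint64_t key[2], uint64_t ret_addr, uint64_t frame_addr, uint64_t slot) {
    return ra_hash(key, ret_addr, frame_addr) == slot;
}

// Scenario: a frame saves its return address and hash, then an overflow rewrites the address.
bool rop_detected(uint64_t original_ra, uint64_t overwritten_ra) {
    const uint64_t key[2] = { 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL }; // constructed key
    const uint64_t frame = 0x7fffffffe000ULL;                                   // constructed frame address
    uint64_t slot;
    hash_store(key, original_ra, frame, &slot);
    return hash_check(key, original_ra, frame, slot) && !hash_check(key, overwritten_ra, frame, slot);
}
```

Because the frame address is part of the hash input, a hash copied from one frame does not verify in another, which is the replay case a plain hash of the return address alone would miss.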