Return-oriented vulnerabilities in ARM executables

Return-oriented programming is an exploitation technique that is growing in popularity among attackers because it enables the remote execution of arbitrary code without code injection. Return-to-LibC (Ret2LibC) is the most common return-oriented attack in use today: an attacker who controls the stack can invoke common library functions that are already present on the target system, such as those in LibC. ARM-based processors, commonly used in embedded systems, are not directly vulnerable to Ret2LibC attacks because ARM passes function arguments in registers rather than on the stack. In 2011 Itzhak Avraham presented a new Return-to-Zero-Protection (Ret2ZP) attack against ARM processors that gives the attacker the same control as a Ret2LibC attack. Our research contribution is to provide a formal definition of the Ret2ZP attack and to define an algorithm that detects vulnerability to Ret2ZP in ARM executables. This detection algorithm can be used to screen executables for such vulnerabilities before they are deployed.
