An aspect of computer security involves preventing the introduction of malicious code or the execution of malicious computation.
In a computer programming language with free pointers or non-checked array writes such as the C programming language, the mixing of control flow data which affects the execution of code (e.g., the return addresses or the saved frame pointers) and simple program data (e.g., parameters or return values) in a call stack is a security risk, possibly exploitable through stack buffer overflows as a common type of buffer overflow. One such attack involves filling one buffer with arbitrary executable code, and then overflowing the same or some other buffer to overwrite a return address with a value that points to the executable code. As a result, when the function returns, the computer executes that code.
Several solutions have been proposed to defend against memory corruption attacks and to increase the complexity of such two-step attacks. For example, this kind of an attack can be blocked with an executable space protection, such as a write-XOR-execute security feature or security features available under the trade designation Data Execution Prevention (DEP) from Microsoft Corp. of Redmond, Wash., U.S.A., included in operating systems, virtual machines and processors. For example, write-XOR-execute and DEP are memory protection policies in which every page in an address space of a process or kernel address may be either writable or executable, but not both. With such protection, an attacker cannot write processor instructions in an area of memory intended for data and then divert control flow to run those instructions.
One technique used to bypass executable space protections without injecting code includes reusing the functionality provided with the exploited application. For example, a “return-to-libc” attack usually begins with a buffer overflow in which a function return address on the call stack is replaced with an address of a function that is already present in the executable memory. An attacker can provide a frame on the stack and then transfer the program execution to the beginning of a library function. Because popular libraries (such as the standard library for the C programming language, or libc) include a wide range of functionality, this technique is sufficient to take control of a program.
An evolution and generalization of the return-to-libc attack includes return-oriented programming. Instead of necessarily jumping to the beginning of a library function, an attacker can chain together existing sequences of instructions called gadgets that have been identified in the existing program such as in function epilogues. Gadgets can end in a return instruction. Using return-oriented programming, an attacker can execute arbitrary algorithms (including loops and conditional branches) and achieve a Turing complete malicious computation. The large availability of gadgets allows an attacker to implement a functionality in several different ways, and is a way to evade security defenses such as executable space protection and code signing.
Return-oriented programming attacks can occur on many different architectures and have been demonstrated on complex instruction set computing (CISC) architectures, such as on systems running x86-based operating systems, and on reduced instruction set computing (RISC) architectures with strictly aligned instruction sets. Example RISC architectures include processor architectures available under the trade designation SPARC originally from Sun Microsystems and ARM from ARM Holdings of Cambridge, England, UK. Further, return-oriented programming is not limited to computer programs written in a particular programming language. Attackers can analyze the binary code of a programs or libraries of an operating system to determine whether the code can construct gadgets for return-oriented programming. Accordingly, servers, laptops, mobile device, and even architectures with immutable memory protections such as voting machines can be at risk from return-oriented programming attacks.