Return-Oriented Programming on RISC-V

George-Axel Jaloyan; Konstantinos Markantonakis; Raja Naeem Akram; David Robin; Keith Mayes; David Naccache

doi:10.1145/3320269.3384738

Return-Oriented Programming on RISC-V

George-Axel Jaloyan, Konstantinos Markantonakis, Raja Naeem Akram, David Robin, Keith Mayes, David Naccache

Research output: Chapter in Book/Report/Conference proceeding › Published conference contribution

16 Citations (Scopus)

Abstract

This paper provides the first analysis on the feasibility of Return-Oriented programming (ROP) on RISC-V, a new instruction setarchitecture targeting embedded systems. We show the existenceof a new class of gadgets, using several Linear Code Sequences AndJumps (LCSAJ), undetected by current Galileo-based ROP gadgetsearching tools.We argue that this class of gadgets is rich enough on RISC-Vto mount complex ROP attacks, bypassing traditional mitigationlike DEP, ASLR, stack canaries, G-Free and some compiler-basedbackward-edge CFI, by jumping over any guard inserted by a compilerto protect indirect jump instructions.We provide examples of such gadgets, as well as a proof-ofconceptROP chain, using C code injection to leverage a privilegeescalation attack on two standard Linux operating systems. Additionally,we discuss some of the required mitigations to preventsuch attacks and provide a new ROP gadget finder algorithm thathandles this new class of gadgets.

Original language	English
Title of host publication	Proceedings of the 15th ACM Asia Conference on Computer and Communications Security
Subtitle of host publication	ASIA CCS 2020
Pages	471-480
Number of pages	10
ISBN (Electronic)	9781450367509
DOIs	https://doi.org/10.1145/3320269.3384738
Publication status	Published - 1 Oct 2020
Event	The 15th ACM Asia Conference on Computer and Communications security - Taipei, TAIWAN Duration: 5 Oct 2020 → 9 Oct 2020 https://asiaccs2020.cs.nthu.edu.tw

Publication series

Name	Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020

Conference

Conference	The 15th ACM Asia Conference on Computer and Communications security
Abbreviated title	Asia CCS2020
Country/Territory	TAIWAN
City	Taipei
Period	5/10/20 → 9/10/20
Internet address	https://asiaccs2020.cs.nthu.edu.tw

Keywords

Galileo algorithm
RISC-V
code overlap
return-oriented programming

Access to Document

10.1145/3320269.3384738Licence: Unspecified

Cite this

Jaloyan, G.-A., Markantonakis, K., Akram, R. N., Robin, D., Mayes, K., & Naccache, D. (2020). Return-Oriented Programming on RISC-V. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security: ASIA CCS 2020 (pp. 471-480). (Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020). https://doi.org/10.1145/3320269.3384738

Return-Oriented Programming on RISC-V. / Jaloyan, George-Axel; Markantonakis, Konstantinos; Akram, Raja Naeem et al.
Proceedings of the 15th ACM Asia Conference on Computer and Communications Security: ASIA CCS 2020. 2020. p. 471-480 (Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020).

Research output: Chapter in Book/Report/Conference proceeding › Published conference contribution

Jaloyan, G-A, Markantonakis, K, Akram, RN, Robin, D, Mayes, K & Naccache, D 2020, Return-Oriented Programming on RISC-V. in Proceedings of the 15th ACM Asia Conference on Computer and Communications Security: ASIA CCS 2020. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020, pp. 471-480, The 15th ACM Asia Conference on Computer and Communications security, Taipei, TAIWAN, 5/10/20. https://doi.org/10.1145/3320269.3384738

@inproceedings{9a88efa28a174700a35adf9b261660d8,

title = "Return-Oriented Programming on RISC-V",

abstract = "This paper provides the first analysis on the feasibility of Return-Oriented programming (ROP) on RISC-V, a new instruction setarchitecture targeting embedded systems. We show the existenceof a new class of gadgets, using several Linear Code Sequences AndJumps (LCSAJ), undetected by current Galileo-based ROP gadgetsearching tools.We argue that this class of gadgets is rich enough on RISC-Vto mount complex ROP attacks, bypassing traditional mitigationlike DEP, ASLR, stack canaries, G-Free and some compiler-basedbackward-edge CFI, by jumping over any guard inserted by a compilerto protect indirect jump instructions.We provide examples of such gadgets, as well as a proof-ofconceptROP chain, using C code injection to leverage a privilegeescalation attack on two standard Linux operating systems. Additionally,we discuss some of the required mitigations to preventsuch attacks and provide a new ROP gadget finder algorithm thathandles this new class of gadgets.",

keywords = "Galileo algorithm, RISC-V, code overlap, return-oriented programming",

author = "George-Axel Jaloyan and Konstantinos Markantonakis and Akram, {Raja Naeem} and David Robin and Keith Mayes and David Naccache",

year = "2020",

month = oct,

day = "1",

doi = "10.1145/3320269.3384738",

language = "English",

series = "Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020",

pages = "471--480",

booktitle = "Proceedings of the 15th ACM Asia Conference on Computer and Communications Security",

note = "The 15th ACM Asia Conference on Computer and Communications security, Asia CCS2020 ; Conference date: 05-10-2020 Through 09-10-2020",

url = "https://asiaccs2020.cs.nthu.edu.tw",

}

TY - GEN

T1 - Return-Oriented Programming on RISC-V

AU - Jaloyan, George-Axel

AU - Markantonakis, Konstantinos

AU - Akram, Raja Naeem

AU - Robin, David

AU - Mayes, Keith

AU - Naccache, David

PY - 2020/10/1

Y1 - 2020/10/1

N2 - This paper provides the first analysis on the feasibility of Return-Oriented programming (ROP) on RISC-V, a new instruction setarchitecture targeting embedded systems. We show the existenceof a new class of gadgets, using several Linear Code Sequences AndJumps (LCSAJ), undetected by current Galileo-based ROP gadgetsearching tools.We argue that this class of gadgets is rich enough on RISC-Vto mount complex ROP attacks, bypassing traditional mitigationlike DEP, ASLR, stack canaries, G-Free and some compiler-basedbackward-edge CFI, by jumping over any guard inserted by a compilerto protect indirect jump instructions.We provide examples of such gadgets, as well as a proof-ofconceptROP chain, using C code injection to leverage a privilegeescalation attack on two standard Linux operating systems. Additionally,we discuss some of the required mitigations to preventsuch attacks and provide a new ROP gadget finder algorithm thathandles this new class of gadgets.

AB - This paper provides the first analysis on the feasibility of Return-Oriented programming (ROP) on RISC-V, a new instruction setarchitecture targeting embedded systems. We show the existenceof a new class of gadgets, using several Linear Code Sequences AndJumps (LCSAJ), undetected by current Galileo-based ROP gadgetsearching tools.We argue that this class of gadgets is rich enough on RISC-Vto mount complex ROP attacks, bypassing traditional mitigationlike DEP, ASLR, stack canaries, G-Free and some compiler-basedbackward-edge CFI, by jumping over any guard inserted by a compilerto protect indirect jump instructions.We provide examples of such gadgets, as well as a proof-ofconceptROP chain, using C code injection to leverage a privilegeescalation attack on two standard Linux operating systems. Additionally,we discuss some of the required mitigations to preventsuch attacks and provide a new ROP gadget finder algorithm thathandles this new class of gadgets.

KW - Galileo algorithm

KW - RISC-V

KW - code overlap

KW - return-oriented programming

UR - http://www.scopus.com/inward/record.url?scp=85095500343&partnerID=8YFLogxK

U2 - 10.1145/3320269.3384738

DO - 10.1145/3320269.3384738

M3 - Published conference contribution

T3 - Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020

SP - 471

EP - 480

BT - Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

T2 - The 15th ACM Asia Conference on Computer and Communications security

Y2 - 5 October 2020 through 9 October 2020

ER -

Return-Oriented Programming on RISC-V

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Raja Akram

Cite this

Return-Oriented Programming on RISC-V

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Profiles

Raja Akram

Cite this