Abstract
This paper provides the first analysis of the feasibility of Return-Oriented Programming (ROP) on RISC-V, a new instruction set architecture targeting embedded systems. We show the existence of a new class of gadgets, spanning several Linear Code Sequences And Jumps (LCSAJ), that current Galileo-based ROP gadget searching tools do not detect.

We argue that this class of gadgets is rich enough on RISC-V to mount complex ROP attacks, bypassing traditional mitigations such as DEP, ASLR, stack canaries, G-Free and some compiler-based backward-edge CFI, by jumping over any guard inserted by a compiler to protect indirect jump instructions.

We provide examples of such gadgets, as well as a proof-of-concept ROP chain, using C code injection to leverage a privilege escalation attack on two standard Linux operating systems. Additionally, we discuss some of the mitigations required to prevent such attacks and provide a new ROP gadget finder algorithm that handles this new class of gadgets.
Original language | English |
---|---|
Pages | 471-480 |
Number of pages | 10 |
DOIs | |
Publication status | Published - Oct 2020 |
Event | ACM ASIACCS 2020 - Taipei, Taiwan, Province of China; 5 Oct 2020 → 9 Oct 2020; https://asiaccs2020.cs.nthu.edu.tw/ |

Conference

Conference | ACM ASIACCS 2020 |
---|---|
Abbreviated title | ASIACCS |
Country/Territory | Taiwan, Province of China |
City | Taipei |
Period | 5/10/20 → 9/10/20 |
Internet address | https://asiaccs2020.cs.nthu.edu.tw/ |