New attack to leverage good code for evil

Posted by Ken Y-N on November 20th, 2008 at 01:01pm

As recently reported in a few online sources, two UC San Diego students have demonstrated how to abuse code that to the operating system (and to trusted computing components) is known to be good.

The reports are a bit vague on what exactly “return-oriented programming” is, and I haven’t read the paper on it, but it basically seems to be finding individual routines within the good program that when called on their own and strung together in an unexpected way do something nasty. The original code remains completely unmodified, so code signatures do not change, any watchdog processes do not see any changes and execute-only flags still protect the code.

On the bright side, the attack is difficult to perform, and I think that if the secure code is executing in a completely different process space, like a separate virtual machine or within a trusted area like ARM’s TrustZone, the code is immune.

Detailed reports can be found at Information Week, Innovations Report, and DarkReading.

Tags: dark reading, informationweek, return-oriented programming

Under General Tags: dark reading, informationweek, return-oriented programming