Good code, bad computations: A computer security vulnerability

Published 4 November 2008

Beware of return-oriented programming — that is, if you want to make sure your computer or server is not tricked into undertaking malicious or undesirable behavior

Two graduate students from UC San Diego’s computer science department — Erik Buchanan and Ryan Roemer — have published work showing that the process of building bad programs from good code using “return-oriented programming” can be automated and that this vulnerability applies to RISC computer architectures and not just the x86 architecture (which includes the vast majority of personal computers).

Last year UC San Diego computer science professor Hovav Shacham formally described how return-oriented programming could be used to force computers with the x86 architecture to behave maliciously without introducing any bad code into the system. The attack, however, required painstaking construction by hand and appeared to rely on a unique quirk of the x86 design. The new automation and generalization work by the graduate students and professors from UC San Diego’s Jacobs School of Engineering was presented on 28 October at ACM’s Conference on Computer and Communications Security (CCS) 2008, one of the premier academic computer security conferences.

“Most computer security defenses are based on the notion that preventing the introduction of malicious code is sufficient to protect a computer. This assumption is at the core of trusted computing, anti-virus software, and various defenses like Intel and AMD’s no-execute protections. There is a subtle fallacy in the logic, however: simply keeping out bad code is not sufficient to keep out bad computation,” said UC San Diego computer science professor Stefan Savage, an author on the CCS 2008 paper.

Daniel Kane writes that return-oriented programming exploits start out like more familiar attacks on computers. The attacker takes advantage of a programming error in the target system to overwrite the runtime stack and divert program execution away from the path intended by the system’s designers. Instead of injecting outside code, however, which is the approach used in traditional malicious exploits, return-oriented programming enables attackers to create any kind of nasty computation or program by using just the existing code. “You can create any kind of malicious program you can imagine: Turing-complete functionality,” said Shacham.

For example, a user’s Web browser could be subverted to record passwords typed by the user or to send spam e-mail to all address book contacts, using only the code that makes up the browser itself. “There is value in showing just how big of a potential problem return-oriented programming may turn out to be,” said computer science graduate student Erik Buchanan.
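The mechanism described above (a clobbered saved return address sending control into code that is already present) and the kind of integrity check that catches it, modeled on a toy machine. This is an added illustration, not code from the UC San Diego paper; the instruction set, the two programs and the shadow-stack check are all constructed for the example.

```python
"""Toy CPU with a data stack that the program can overwrite, plus an
optional shadow stack that records every legitimate return address."""


class ShadowStackViolation(Exception):
    """A RET would jump somewhere no CALL ever pushed."""


def run(program, shadow=False, max_steps=100):
    """Execute a list of instructions and return the labels reached.

    ("call", addr)       push pc+1 on both stacks, jump to addr
    ("ret",)             pop the data stack and jump there
    ("store", depth, v)  overwrite stack slot `depth` from the top
                         (models an overflow that clobbers a saved
                         return address; constructed for the example)
    ("mark", label)      record that this code location executed
    ("halt",)            stop and return the recorded labels
    """
    stack, shadow_stack, marks, pc = [], [], [], 0
    for _ in range(max_steps):
        op, *args = program[pc]
        if op == "call":
            stack.append(pc + 1)
            shadow_stack.append(pc + 1)
            pc = args[0]
        elif op == "ret":
            target, expected = stack.pop(), shadow_stack.pop()
            if shadow and target != expected:
                raise ShadowStackViolation(f"ret to {target}, expected {expected}")
            pc = target
        elif op == "store":
            depth, value = args
            stack[-1 - depth] = value
            pc += 1
        elif op == "mark":
            marks.append(args[0])
            pc += 1
        elif op == "halt":
            return marks
        else:
            raise ValueError(f"unknown op {op}")
    raise RuntimeError("step limit exceeded")


def shadow_stack_catches(program):
    """True if the shadow stack rejects a RET while running `program`."""
    try:
        run(program, shadow=True)
    except ShadowStackViolation:
        return True
    return False


# Constructed sample programs. Both contain only "good" code: the
# label at address 2 is legitimate, it just should never run here.
BENIGN = [("call", 2), ("halt",), ("mark", "helper"), ("ret",)]
CLOBBERED = [
    ("call", 4),            # 0: main calls the helper at address 4
    ("halt",),              # 1: where the helper should return to
    ("mark", "sensitive"),  # 2: existing code the attacker wants reached
    ("halt",),              # 3
    ("store", 0, 2),        # 4: helper: overflow rewrites saved return -> 2
    ("ret",),               # 5: returns wherever the stack now says
]
```

Without the shadow stack the clobbered program reaches the "sensitive" label using nothing but code already in the program; with it, the RET is refused.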

The term “return-oriented programming” describes the fact that the “good” instructions that can be