Sciweavers

EUROSYS
2010
ACM

Defeating return-oriented rootkits with "Return-Less" kernels

14 years 5 months ago
Defeating return-oriented rootkits with "Return-Less" kernels
Targeting the operating system (OS) kernels, kernel rootkits pose a formidable threat to computer systems and their users. Recent efforts have made significant progress in blocking them from injecting malicious code into the OS kernel for execution. Unfortunately, they cannot block the emerging so-called return-oriented rootkits (RORs). Without the need of injecting their own malicious code, these rootkits can discover and chain together “return-oriented gadgets” (that consist of only legitimate kernel code) for rootkit computation. In this paper, we propose a compiler-based approach to defeat these return-oriented rootkits. Our approach recognizes the hallmark of return-oriented rootkits, i.e., the ret instruction, and accordingly aims to completely remove them in a running OS kernel. Specifically, one key technique named return indirection is to replace the return address in a stack frame into a return index and disallow a ROR from using their own return addresses to locate an...
Jinku Li, Zhi Wang, Xuxian Jiang, Michael C. Grace
Added 10 Jul 2010
Updated 10 Jul 2010
Type Conference
Year 2010
Where EUROSYS
Authors Jinku Li, Zhi Wang, Xuxian Jiang, Michael C. Grace, Sina Bahram
Comments (0)