New Malware Technique Bypasses Traditional Defenses

Two UC San Diego students have demonstrated a way to turn good computer code into malicious instructions using a technique called "return-oriented programming."
A new way to subvert computers threatens to make traditional malware defenses obsolete.

Two University of California, San Diego computer science graduate students -- Erik Buchanan and Ryan Roemer -- have demonstrated a way to turn good computer code into malicious instructions using a technique called "return-oriented programming."

This differs from traditional malware, which typically relies on the injection of malicious code.

In a newly published research paper, "When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC," Buchanan and Roemer, along with U.C. San Diego computer science professors Stefan Savage and Hovav Shacham, describe how return-oriented programming resists current malware detection methods.

"[S]ince a return-oriented exploit relies on existing code and not injected instructions, it is resilient against code integrity defenses," the paper says. "It is thus undetectable to code signing techniques such as Tripwire, Authenticode, Intel's Trusted Execution Technology, or any 'Trusted Computing' technology using cryptographic attestation. It will similarly circumvent approaches that prevent control flow diversion outside legitimate regions (such as W^X) and most malicious code scanning techniques (such as anti-virus scanners)."

Shacham last year showed that return-oriented programming could be used to make x86 processors function maliciously without the injection of malicious code. But his attack required painstaking manual coding and seemed to rely on x86 processor design.

Buchanan and Roemer have developed a way to automate the attack and generalize it to RISC processors.

Like many traditional attacks, return-oriented programming relies on a programming error to overwrite the runtime stack to take control of program execution. But rather than depending upon the injection of malicious code from a local or remote source, return-oriented programming assembles its malicious code from internal application instructions.

"The return-oriented computing approach amplifies the abilities of an attacker, so that merely subverting control flow on the stack is sufficient to construct arbitrary computations," the paper explains. "Moreover, since these computations are constructed from 'known good' instructions, they bypass existing defenses predicated on the assumption that the attacker introduces new code."

A U.C. San Diego news release likens the process to taking a lengthy book and writing a new story using only words culled from the book. In this analogy, the book represents the computer program and the new story represents the malicious instructions built using return-oriented programming.

As an example, Shacham suggests that the technique could be used to subvert a Web browser to record the user's password or send spam, using only the code that represents the Web browser.

The paper suggests there are possible defenses against return-oriented computing, but it cautions that if these approaches fail, "we may be forced to abandon the convenient model that code is statically either good or bad, and instead focus on dynamically distinguishing whether a particular execution stream exhibits good or bad behavior."
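The mechanism described earlier (a corrupted stack steering execution through instruction sequences that already exist in the program) and the paper's closing suggestion of judging an execution stream by its dynamic behavior can both be illustrated with a toy stack machine. This is an added example, not code from the paper or the article. The program memory and the overwritten stack contents are constructed for the demo, the memory-safety bug itself is not modelled, and the shadow-stack check is one well-known form of a dynamic return check rather than a defense the article names.

```python
# Program memory, constructed for the demo: every instruction is "known good".
MEMORY = {
    0x00: ("call", 0x10),   # main: call helper
    0x01: ("store",),       # main: publish the accumulator
    0x02: ("halt",),
    0x10: ("load", 5),      # helper: acc = 5
    0x11: ("ret",),
    0x20: ("add", 3),       # unrelated benign routine: acc += 3
    0x21: ("ret",),
    0x30: ("mul", 2),       # unrelated benign routine: acc *= 2
    0x31: ("ret",),
}

def run(overwrite=None, shadow=False):
    """Execute from 0x00; return (stored_value, executed_addresses, violation).
    overwrite: stack contents left behind by the (unmodelled) memory-safety
               bug, top of stack last; None for a clean run.
    shadow:    record each CALL's return address on a shadow stack and flag
               any RET that pops something else."""
    stack, shadow_stack, trace = [], [], []
    acc, stored, violation, pc = 0, None, False, 0x00
    while True:
        trace.append(pc)
        op, *args = MEMORY[pc]
        if op == "halt":
            break
        if op == "call":
            stack.append(pc + 1)
            shadow_stack.append(pc + 1)
            if overwrite is not None:      # the corruption happens here
                stack = list(overwrite)
            pc = args[0]
        elif op == "ret":
            target = stack.pop()
            if shadow and (not shadow_stack or shadow_stack.pop() != target):
                violation = True           # return matches no prior call
                break
            pc = target
        else:                              # ordinary straight-line instructions
            if op == "load":
                acc = args[0]
            elif op == "add":
                acc += args[0]
            elif op == "mul":
                acc *= args[0]
            elif op == "store":
                stored = acc
            pc += 1
    return stored, trace, violation
```

With `overwrite=[0x01, 0x30, 0x20]` the helper's RET lands in the `add` routine, whose RET lands in `mul`, and main finally stores (5 + 3) * 2 = 16 although every executed address lies in legitimate code; a code-integrity check of the trace sees nothing wrong, while the shadow stack flags the very first diverted return.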