Return-oriented programmingとは？ わかりやすく解説

ウィキペディア

Return-oriented programming

出典: フリー百科事典『ウィキペディア（Wikipedia）』 (2023/06/24 14:37 UTC 版)

Return-oriented programming（ROP）は、実行保護やコード署名（英語版）などのセキュリティ防御の機構が存在するマシンで任意コードの実行を可能にするセキュリティエクスプロイトである^[1][2][3]。

参考文献

1. ^ “Check Point Secure Platform Hack” (英語). Pentest. Barcelona, Spain: Pentest Consultores. pp. 219 (2007年10月1日). 2023年1月6日閲覧。
2. ^ “Thread: CheckPoint Secure Platform Multiple Buffer Overflows”. The Check Point User Group. 2021年4月17日時点のオリジナルよりアーカイブ。2023年1月6日閲覧。
3. ^ “Return-Oriented Programming: Exploits Without Code Injection”. 2009年8月12日閲覧。
4. ^ “When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC”. Proceedings of the 15th ACM conference on Computer and communications security - CCS '08. (October 2008). pp. 27–38. doi:10.1145/1455770.1455776. ISBN 978-1-59593-810-7. http://cseweb.ucsd.edu/~hovav/dist/sparc.pdf 
5. ^ Microsoft Windows XP SP2 Data Execution Prevention
6. ^ Solar Designer, Return-into-lib(c) exploits, Bugtraq
7. ^ Nergal, Phrack 58 Article 4, return-into-lib(c) exploits
8. ^ Sebastian Krahmer, x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique, September 28, 2005
9. ^ Abadi, M. N.; Budiu, M.; Erlingsson, Ú.; Ligatti, J. (November 2005). “Control-Flow Integrity: Principles, Implementations, and Applications”. Proceedings of the 12th ACM conference on Computer and communications security - CCS '05. pp. 340–353. doi:10.1145/1102120.1102165. ISBN 1-59593-226-7 
10. ^ Abadi, M. N.; Budiu, M.; Erlingsson, Ú.; Ligatti, J. (October 2009). “Control-flow integrity principles, implementations, and applications”. ACM Transactions on Information and System Security 13: 1–40. doi:10.1145/1609956.1609960. 
11. ^ ^{a b c} Shacham, H. (October 2007). “The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)”. Proceedings of the 14th ACM conference on Computer and communications security - CCS '07. pp. 552–561. doi:10.1145/1315245.1315313. ISBN 978-1-59593-703-2 
12. ^ Jonathan Salwan and Allan Wirth, ROPgadget - Gadgets finder and auto-roper
13. ^ [Shacham et al., 2004] Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM conference on Computer and Communications Security (CCS), 2004.
14. ^ [Bennett et al., 2013] James Bennett, Yichong Lin, and Thoufique Haq. The Number of the Beast, 2013. https://www.fireeye.com/blog/threat-research/2013/02/the-number-of-the-beast.html
15. ^ CHECKOWAY, S., DAVI, L., DMITRIENKO, A., SADEGHI, A.-R., SHACHAM, H., AND WINANDY, M. 2010. Return-oriented programming without returns. In Proceedings of CCS 2010, A. Keromytis and V. Shmatikov, Eds. ACM Press, 559–72
16. ^ ONARLIOGLU, K., BILGE, L., LANZI, A., BALZAROTTI, D., AND KIRDA, E. 2010. G-Free: Defeating return-oriented programming through gadget-less binaries. In Proceedings of ACSAC 2010, M. Franz and J. McDermott, Eds. ACM Press, 49–58.
17. ^ Skowyra, R.; Casteel, K.; Okhravi, H.; Zeldovich, N.; Streilein, W. (October 2013). “Systematic Analysis of Defenses against Return-Oriented Programming”. Research in Attacks, Intrusions, and Defenses. Lecture Notes in Computer Science. 8145. pp. 82–102. doi:10.1007/978-3-642-41284-4_5. ISBN 978-3-642-41283-7. オリジナルの2014-02-22時点におけるアーカイブ。. http://web.mit.edu/ha22286/www/papers/conference/Systematic_Analysis_of_Defenses_Against_Return_Oriented_Programming.pdf 
18. ^ Venkat, Ashish; Shamasunder, Sriskanda; Shacham, Hovav; Tullsen, Dean M. (2016-01-01). “HIPStR: Heterogeneous-ISA Program State Relocation”. Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems. ASPLOS '16 (New York, NY, USA: ACM): 727–741. doi:10.1145/2872362.2872408. ISBN 9781450340915. 
19. ^ Hiser, J.; Nguyen-Tuong, A.; Co, M.; Hall, M.; Davidson, J. W. (May 2012). “ILR: Where'd My Gadgets Go?”. 2012 IEEE Symposium on Security and Privacy. pp. 571–585. doi:10.1109/SP.2012.39. ISBN 978-1-4673-1244-8 
20. ^ US 9135435, Venkat, Ashish; Arvind Krishnaswamy & Koichi Yamada et al., "Binary translator driven program state relocation", published 2015-09-15, assigned to Intel Corp. 
21. ^ Vasilis Pappas. kBouncer: Efficient and Transparent ROP Mitigation. April 2012.