Targeting the operating system (OS) kernel, kernel rootkits pose a formidable threat to computer systems and their users. Recent efforts have made significant progress in blocking them from injecting malicious code into the OS kernel for execution. Unfortunately, they cannot block the emerging so-called return-oriented rootkits (RORs). Without the need of injecting their own malicious code, these rootkits can discover and chain together "return-oriented gadgets" (that consist of only legitimate kernel code) for rootkit computation.
In this paper, we propose a compiler-based approach to defeat these return-oriented rootkits. Our approach recognizes the hallmark of return-oriented rootkits, i.e., the ret instruction, and accordingly aims to completely remove ret instructions from a running OS kernel. Specifically, one key technique, named return indirection, replaces the return address in a stack frame with a return index and so prevents an ROR from using its own return addresses to locate and assemble return-oriented gadgets. Further, to prevent legitimate instructions that happen to contain return opcodes from being misused, we also propose two other techniques, register allocation and peephole optimization, to avoid introducing such opcodes in the first place. We have developed an LLVM-based prototype and used it to generate a return-less FreeBSD kernel. Our evaluation results indicate that the proposed approach is generic, effective, and can be implemented on commodity hardware with a low performance overhead.
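The abstract's second concern, legitimate instructions whose encodings contain a return opcode byte, can be made concrete with a small check. The following is an added example, not code from the paper or its prototype: a byte-level scan for the x86 return opcodes (0xC3 and 0xC2) over a constructed code sequence, plus an illustrative peephole rewrite of `mov eax, imm32` that keeps those bytes out of the immediate by emitting `mov eax, imm ^ K ; xor eax, K`. The mask choice (0x10 on offending bytes) and the `emulate_eax` helper are my own constructions; the paper's actual rewrite rules may differ.

```python
# Added example (not from the paper): byte-level check for x86 return opcodes
# and an illustrative peephole rewrite that keeps them out of immediates.

RET_OPCODES = {0xC3: "ret", 0xC2: "ret imm16"}


def find_ret_opcodes(code: bytes) -> list[int]:
    """Return every offset at which a return opcode byte occurs.

    A byte-level scan is the right measure here: an attacker who controls a
    return target can jump into the middle of an instruction, so a 0xC3
    sitting inside an immediate is as usable as a genuine ret.
    """
    return [i for i, b in enumerate(code) if b in RET_OPCODES]


def mov_eax_imm32_returnless(imm: int) -> bytes:
    """Encode `mov eax, imm32` without emitting 0xC2/0xC3 bytes.

    If the immediate contains such a byte, emit `mov eax, imm ^ K` followed
    by `xor eax, K`, where K flips each offending byte by 0x10 (so neither
    imm ^ K nor K contains a return opcode). Illustrative peephole only;
    the paper's exact transformation is not reproduced here.
    Encodings used: B8 id = mov eax, imm32 ; 35 id = xor eax, imm32.
    """
    imm &= 0xFFFFFFFF
    imm_le = imm.to_bytes(4, "little")
    if not any(b in RET_OPCODES for b in imm_le):
        return b"\xB8" + imm_le  # plain mov eax, imm32 is already clean
    mask_le = bytes(0x10 if b in RET_OPCODES else 0x00 for b in imm_le)
    masked_le = bytes(a ^ k for a, k in zip(imm_le, mask_le))
    code = b"\xB8" + masked_le + b"\x35" + mask_le  # mov eax, imm^K ; xor eax, K
    assert not find_ret_opcodes(code)  # the rewrite must itself be return-less
    return code


def emulate_eax(code: bytes) -> int:
    """Tiny interpreter for the two encodings above; returns final EAX.

    Used to confirm the rewritten sequence computes the same value.
    """
    eax, i = 0, 0
    while i < len(code):
        op = code[i]
        imm = int.from_bytes(code[i + 1:i + 5], "little")
        if op == 0xB8:
            eax = imm
        elif op == 0x35:
            eax ^= imm
        else:
            raise ValueError(f"unsupported opcode {op:#x} at offset {i}")
        i += 5
    return eax & 0xFFFFFFFF


# Constructed sample: `mov eax, 0xC3` ; `ret` ; `mov eax, 0x12C2`.
# The two immediates carry return opcode bytes; the middle byte is a real ret.
SAMPLE = (
    b"\xB8\xC3\x00\x00\x00"   # mov eax, 0xC3   (0xC3 byte at offset 1)
    b"\xC3"                   # ret             (offset 5)
    b"\xB8\xC2\x12\x00\x00"   # mov eax, 0x12C2 (0xC2 byte at offset 7)
)

if __name__ == "__main__":
    for off in find_ret_opcodes(SAMPLE):
        print(f"offset {off}: {RET_OPCODES[SAMPLE[off]]} opcode byte {SAMPLE[off]:#x}")
    for imm in (0xC3, 0x12C2, 0xC2C3C2C3):
        code = mov_eax_imm32_returnless(imm)
        print(f"imm {imm:#x} -> {code.hex()} -> eax {emulate_eax(code):#x}")
```

Run on a real image, the scan reports every 0xC2/0xC3 byte in the text section, which is the quantity a return-less kernel drives to zero; the genuine `ret` at offset 5 is the part that return indirection, not the peephole, has to remove.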
Defeating Return-Oriented Rootkits with "Return-Less" Kernels
Jinku Li, Zhi Wang, Xuxian Jiang, Michael Grace, and Sina Bahram
Proc. of the 5th ACM European Conference on Computer Systems, Paris, France, April 2010.