Return Oriented Rootkits

March 10, 2010 (at 11:30 a.m.) in Attack & Research

Ever since the large-scale exploitation of software vulnerabilities became a massive nuisance in this decade, researchers from academia and the private sector have invented technical countermeasures to mitigate this threat. To outsmart increasingly sophisticated defensive systems, more intelligent attack techniques were developed. In the field of kernel protection, several new solutions that rely on the concept of lifetime kernel code integrity have been introduced recently. These prevent attackers from executing their own code with elevated privileges, even once a kernel vulnerability has been exploited: no new or modified code is ever allowed to run in kernel mode. The talk shows how to evade such protections by using return-oriented programming, which builds the payload entirely out of instruction sequences already present in legitimate kernel code and therefore never violates the code integrity invariant, and discusses the inherent difficulties and limitations attackers face. Our work culminates in the development of a real return-oriented rootkit for Windows.

Ralf Hund

After studying mathematics and computer science at the University of Mannheim in Germany, Ralf Hund joined the university's Laboratory for Dependable Distributed Systems as a Ph.D. student. His research interests tend towards the practical aspects of computer security, in particular software reverse engineering, static and dynamic malware analysis, mobile malware, and P2P botnets.