{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,26]],"date-time":"2025-03-26T17:06:34Z","timestamp":1743008794603,"version":"3.40.3"},"publisher-location":"Berlin, Heidelberg","reference-count":36,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"type":"print","value":"9783642176494"},{"type":"electronic","value":"9783642176500"}],"license":[{"start":{"date-parts":[[2010,1,1]],"date-time":"2010-01-01T00:00:00Z","timestamp":1262304000000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2010]]},"DOI":"10.1007\/978-3-642-17650-0_24","type":"book-chapter","created":{"date-parts":[[2010,12,6]],"date-time":"2010-12-06T15:22:11Z","timestamp":1291648931000},"page":"340-354","source":"Crossref","is-referenced-by-count":6,"title":["Return-Oriented Rootkit without Returns (on the x86)"],"prefix":"10.1007","author":[{"given":"Ping","family":"Chen","sequence":"first","affiliation":[]},{"given":"Xiao","family":"Xing","sequence":"additional","affiliation":[]},{"given":"Bing","family":"Mao","sequence":"additional","affiliation":[]},{"given":"Li","family":"Xie","sequence":"additional","affiliation":[]}],"member":"297","reference":[{"key":"24_CR1","unstructured":"Felix \u201cfx\u201d lidner. Developments in cisco ios forensics. CONFidence 2.0, http:\/\/www.recurity-labs.com\/content\/pub\/FX_Router_Exploitation.pdf"},{"key":"24_CR2","unstructured":"The x86 instruction set architecture, http:\/\/www.ugrad.cs.ubc.ca\/~cs411\/2009W2\/downloads\/x86.pdf"},{"key":"24_CR3","first-page":"340","volume-title":"Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS)","author":"M. Abadi","year":"2005","unstructured":"Abadi, M., Budiu, M., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS), pp. 340\u2013353. ACM, New York (2005)"},{"key":"24_CR4","first-page":"85","volume-title":"Understanding the linux kernel","author":"D.P. Bovet","year":"2006","unstructured":"Bovet, D.P., Cesati, M.: Understanding the linux kernel, 3rd edn., p. 85. O\u2019Reilly Media, Inc., Sebastopol (2006)","edition":"3"},{"key":"24_CR5","doi-asserted-by":"crossref","first-page":"27","DOI":"10.1145\/1455770.1455776","volume-title":"Proceedings of the 15th ACM Conference on Computer and Communications Security","author":"E. Buchanan","year":"2008","unstructured":"Buchanan, E., Roemer, R., Shacham, H., Savage, S.: When good instructions go bad: generalizing return-oriented programming to risc. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 27\u201338. ACM, New York (2008)"},{"key":"24_CR6","doi-asserted-by":"crossref","unstructured":"Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: 17th ACM Conference on Computer and Communications Security (2010)","DOI":"10.1145\/1866307.1866370"},{"key":"24_CR7","doi-asserted-by":"crossref","unstructured":"Checkoway, S., Feldman, A.J., Kantor, B., Halderman, J.A., Felten, E.W., Shacham, H.: Can dres provide long-lasting security? the case of return-oriented programming and the avc advantage. In: Proceedings of EVT\/WOTE 2009. USENIX\/ACCURATE\/IAVoSS (2009)","DOI":"10.1145\/1866307.1866370"},{"key":"24_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"163","DOI":"10.1007\/978-3-642-10772-6_13","volume-title":"Information Systems Security","author":"P. Chen","year":"2009","unstructured":"Chen, P., Xiao, H., Shen, X., Yin, X., Mao, B., Xie, L.: Drop: Detecting return-oriented programming malicious code. In: Prakash, A., Sen Gupta, I. (eds.) ICISS 2009. LNCS, vol.\u00a05905, pp. 163\u2013177. Springer, Heidelberg (2009)"},{"key":"24_CR9","unstructured":"Corporation, I.: Ia-32 intel architecture software developers manual. Instruction set reference, vol. 2 (2006)"},{"key":"24_CR10","first-page":"395","volume-title":"Proceedings of the 17th Conference on Security Symposium, SS 2008","author":"M. Dalton","year":"2008","unstructured":"Dalton, M., Kannan, H., Kozyrakis, C.: Real-world buffer overflow protection for userspace & kernelspace. In: Proceedings of the 17th Conference on Security Symposium, SS 2008, pp. 395\u2013410. USENIX Association, Berkeley (2008)"},{"key":"24_CR11","doi-asserted-by":"crossref","unstructured":"Davi, L., Sadeghi, A.R., Winandy, M.: Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks. In: Proceedings of the 2009 ACM Workshop on Scalable Trusted Computing, pp. 49\u201354 (2009)","DOI":"10.1145\/1655108.1655117"},{"key":"24_CR12","doi-asserted-by":"crossref","unstructured":"Davi, L., Sadeghi, A.R., Winandy, M.: Ropdefender: A detection tool to defend against return-oriented programming attacks. Technical Report HGI-TR-2010-001 (2010), http:\/\/www.trust.rub.de\/home\/_publications\/LuSaWi10\/","DOI":"10.1145\/1966913.1966920"},{"key":"24_CR13","doi-asserted-by":"publisher","first-page":"19","DOI":"10.1145\/1655077.1655083","volume-title":"Proceedings of the First ACM Workshop on Secure Execution of Untrusted Code, SecuCode 2009","author":"A. Francillon","year":"2009","unstructured":"Francillon, A., Perito, D., Castelluccia, C.: Defending embedded systems against control flow attacks. In: Proceedings of the First ACM Workshop on Secure Execution of Untrusted Code, SecuCode 2009, pp. 19\u201326. ACM, New York (2009)"},{"key":"24_CR14","doi-asserted-by":"crossref","unstructured":"Francillon, A., Castelluccia, C.: Code injection attacks on harvard-architecture devices. In: Syverson, P., Jha, S. (eds.) Proceedings of CCS 2008, pp. 15\u201326 (2008)","DOI":"10.1145\/1455770.1455775"},{"key":"24_CR15","unstructured":"Frantzen, M., Shuey, M.: Stackghost: Hardware facilitated stack protection. In: Proceedings of USENIX Security 2001, pp. 55\u201365 (2001)"},{"key":"24_CR16","unstructured":"Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proc. Network and Distributed Systems Security Symposium (February 2003)"},{"key":"24_CR17","unstructured":"Grizzard, J.: Towards self-healing systems:re-establishing trust in compromised systems. In: PhD thesis. Georgia Institute of Technology (2006)"},{"key":"24_CR18","unstructured":"Hund, R., Holz, T., Freiling, F.C.: Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In: Proceedings of 18th USENIX Security Symposium, San Jose, CA, USA (2009)"},{"key":"24_CR19","unstructured":"Kornau, T.: Return oriented programming for the arm architecture. Master\u2019s thesis, Ruhr-Universitat Bochum (2010), http:\/\/zynamics.com\/downloads\/kornau-tim\u2013diplomarbeit\u2013rop.pdf"},{"key":"24_CR20","unstructured":"Krahmer, S.: X86-64 buffer overflow exploits and the borrowed code chunks exploitation technique. Phrack Magazine (2005), http:\/\/www.suse.de\/krahmer\/no-nx.pdf"},{"key":"24_CR21","doi-asserted-by":"crossref","unstructured":"Li, J., Wang, Z., Jiang, X., Grace, M., Bahram, S.: Defeating return-oriented rootkits with \u2018return-less\u2019 kernels. In: Proceedings of the 5th ACM SIGOPS EuroSys Conference, EuroSys 2010 (2010)","DOI":"10.1145\/1755913.1755934"},{"key":"24_CR22","unstructured":"McDonald, J.: Defeating solaris\/sparc non-executable stack protection. Bugtraq (1999)"},{"key":"24_CR23","unstructured":"Microsoft: Digital signatures for kernel modules on systems running windows vista (2007), http:\/\/download.microsoft.com\/download\/9\/c\/5\/9c5b2167-8017-4bae-9fde-d599bac8184a\/kmsigning.doc"},{"key":"24_CR24","unstructured":"Microsoft: A detailed description of the data execution prevention (dep) feature in windows xp service pack 2 (2008), http:\/\/support.microsoft.com\/kb\/875352"},{"key":"24_CR25","unstructured":"Mueller, U.: Brainfuck: An eight-instruction turing-complete programming language, http:\/\/www.muppetlabs.com\/~breadbox\/bf\/"},{"key":"24_CR26","unstructured":"Nergal: The advanced return-into-lib(c) exploits (pax case study). Phrack Magazine (2001), http:\/\/www.phrack.org\/archives\/58\/p58-0x04"},{"key":"24_CR27","unstructured":"noir: Smashing the kernel stack for fun and profit. Phrack Magazine (2006), http:\/\/www.phrack.com\/issues.html?issue=60&id=6"},{"key":"24_CR28","first-page":"103","volume-title":"Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS)","author":"N. Petroni","year":"2007","unstructured":"Petroni, N., Hicks, M.: Automated detection of persistent kernel control-flow attacks. In: Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), pp. 103\u2013115. ACM, New York (2007)"},{"key":"24_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-540-87403-4_1","volume-title":"Recent Advances in Intrusion Detection","author":"R. Riley","year":"2008","unstructured":"Riley, R., Jiang, X., Xu, D.: Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol.\u00a05230, pp. 1\u201320. Springer, Heidelberg (2008)"},{"key":"24_CR30","doi-asserted-by":"publisher","first-page":"335","DOI":"10.1145\/1294261.1294294","volume-title":"Proceedings of Twenty-First ACM SIGOPS Symposium on Operating Systems Principles","author":"A. Seshadri","year":"2007","unstructured":"Seshadri, A., Luk, M., Qu, N., Perrig, A.: Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In: Proceedings of Twenty-First ACM SIGOPS Symposium on Operating Systems Principles, pp. 335\u2013350. ACM, New York (2007)"},{"key":"24_CR31","first-page":"552","volume-title":"Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS)","author":"H. Shacham","year":"2007","unstructured":"Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), pp. 552\u2013561. ACM, New York (2007)"},{"key":"24_CR32","unstructured":"Team, P.: Documentation for the pax project overall description (2008), http:\/\/pax.grsecurity.net\/docs\/pax.txt"},{"key":"24_CR33","doi-asserted-by":"crossref","unstructured":"Turing, A.M.: On computable numbers, with an application to the entscheidungsproblem. Proc. London Math. Soc., 230\u2013265 (1936)","DOI":"10.1112\/plms\/s2-42.1.230"},{"key":"24_CR34","doi-asserted-by":"crossref","unstructured":"Bletsch, T., Jiang, X., Freeh, V.: Jump-oriented programming: A new class of code-reuse attack. Technical Report TR-2010-8 (2010)","DOI":"10.1145\/1966913.1966919"},{"key":"24_CR35","unstructured":"Viro, A.: Linux kernel sendmsg() local buffer overflow vulnerability (2005), http:\/\/www.securityfocus.com\/bid\/14785"},{"key":"24_CR36","unstructured":"Wikipedia: Exec shield, http:\/\/en.wikipedia.org\/wiki\/Exec_Shield"}],"container-title":["Lecture Notes in Computer Science","Information and Communications Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-642-17650-0_24","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,6,4]],"date-time":"2023-06-04T11:24:49Z","timestamp":1685877889000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-642-17650-0_24"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2010]]},"ISBN":["9783642176494","9783642176500"],"references-count":36,"URL":"https:\/\/doi.org\/10.1007\/978-3-642-17650-0_24","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2010]]}}}