Abstract
Code reuse attacks circumvent traditional program protection mechanisms such as \(W \oplus X\) by constructing exploits from code already present within a process. Existing techniques to defend against these attacks provide ad hoc solutions or lack the features necessary for a comprehensive and adoptable solution. We present a systematic approach based on first principles for the efficient, robust detection of these attacks; our work enforces expected program behavior instead of defending against anticipated attacks. We define conformant program execution (\({\mathcal{CPE}}\)) as a set of requirements on program states. We demonstrate that code reuse attacks violate these requirements and thus can be detected; further, new exploit variations will not circumvent \({\mathcal{CPE}}\). To provide an efficient and adoptable solution, we also define observed conformant program execution, which validates program state only at system call invocations; we demonstrate that this relaxed model is sufficient to detect code reuse attacks. We implemented our algorithm in a tool, ROPStop, which operates on unmodified binaries, including running programs. In our testing, ROPStop accurately detected real exploits while imposing low overhead on a set of modern applications: 5.3% on SPEC CPU2006 and 6.3% on an Apache HTTP Server.
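As an added illustration (not the paper's code, and not ROPStop), a toy model of observed conformant program execution: the call stack is validated only when a system call is about to be invoked. The concrete requirements checked here (return addresses lie in the code region and are call-preceded, the stack pointer lies within the thread's stack) and the code/stack layouts are constructed assumptions for the example; the page does not state the paper's actual \({\mathcal{CPE}}\) requirements.

```python
"""Toy model of observed conformant program execution: program state is
validated at system call entry, not at every instruction."""
from dataclasses import dataclass

# Constructed sample "binary": an executable code region, the set of
# return addresses that directly follow a call instruction (assumed to be
# derived from the program's control-flow graph), and the stack bounds.
CODE_RANGE = (0x400000, 0x401000)
CALL_PRECEDED = {0x400125, 0x400231, 0x400320}   # addresses right after a call
STACK_RANGE = (0x7FFE0000, 0x7FFE8000)


@dataclass
class Snapshot:
    """State captured at syscall entry (constructed for the example)."""
    syscall: str
    sp: int
    return_addrs: list   # stack-walked return addresses, innermost first


def check_conformance(snap: Snapshot) -> list:
    """Return a list of violated requirements; an empty list means the
    observed state conforms and the system call may proceed."""
    violations = []
    if not (STACK_RANGE[0] <= snap.sp < STACK_RANGE[1]):
        violations.append(f"sp {snap.sp:#x} outside the thread stack")
    for depth, ra in enumerate(snap.return_addrs):
        if not (CODE_RANGE[0] <= ra < CODE_RANGE[1]):
            # e.g. a return into injected data rather than program code
            violations.append(f"frame {depth}: return {ra:#x} not in code region")
        elif ra not in CALL_PRECEDED:
            # a return target that no call ever produced: gadget-style reuse
            violations.append(f"frame {depth}: return {ra:#x} is not call-preceded")
    return violations


# Constructed snapshots: a benign call chain, a chain of reused code
# fragments, and a return into the stack itself.
BENIGN = Snapshot("write", 0x7FFE7F00, [0x400320, 0x400231, 0x400125])
REUSED = Snapshot("execve", 0x7FFE7E80, [0x400412, 0x4003A7, 0x400125])
INJECTED = Snapshot("mprotect", 0x7FFE7E00, [0x7FFE7F10, 0x400231])

if __name__ == "__main__":
    for snap in (BENIGN, REUSED, INJECTED):
        found = check_conformance(snap)
        print(snap.syscall, "conformant" if not found else found)
```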
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Jacobson, E.R., Bernat, A.R., Williams, W.R., Miller, B.P. (2014). Detecting Code Reuse Attacks with a Model of Conformant Program Execution. In: Jürjens, J., Piessens, F., Bielova, N. (eds) Engineering Secure Software and Systems. ESSoS 2014. Lecture Notes in Computer Science, vol 8364. Springer, Cham. https://doi.org/10.1007/978-3-319-04897-0_1
DOI: https://doi.org/10.1007/978-3-319-04897-0_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-04896-3
Online ISBN: 978-3-319-04897-0