Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8364))

Abstract

Code reuse attacks circumvent traditional program protection mechanisms such as \(W \oplus X\) by constructing exploits from code already present within a process. Existing techniques to defend against these attacks provide ad hoc solutions or lack the features necessary to provide comprehensive and adoptable solutions. We present a systematic approach based on first principles for the efficient, robust detection of these attacks; our work enforces expected program behavior instead of defending against anticipated attacks. We define conformant program execution (\({\mathcal{CPE}}\)) as a set of requirements on program states. We demonstrate that code reuse attacks violate these requirements and thus can be detected; further, new exploit variations will not circumvent \({\mathcal{CPE}}\). To provide an efficient and adoptable solution, we also define observed conformant program execution, which validates program state at system call invocations; we demonstrate that this relaxed model is sufficient to detect code reuse attacks. We implemented our algorithm in a tool, ROPStop, which operates on unmodified binaries, including running programs. In our testing, ROPStop accurately detected real exploits while imposing low overhead on a set of modern applications: 5.3% on SPEC CPU2006 and 6.3% on an Apache HTTP Server.
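To make the two models concrete, the following is an added illustration that is not ROPStop's code and is not taken from the paper: a toy checker that validates constructed snapshots of process state at the moment of a system call, which is where the relaxed "observed" model performs its check. The requirements it enforces (the PC lies in known program code; every return address on the stack is preceded by a call instruction whose target is the function the frame is executing in; the walk ends in `_start`) are an assumed simplification chosen for the demo, not the paper's exact definition of \({\mathcal{CPE}}\). The address layout, call sites, gadget addresses and snapshots are all constructed; a real checker would obtain them by parsing the binary and walking the live stack.

```python
"""
Added illustration (not ROPStop's code): validate a process snapshot taken
at a system call against two constructed conformance requirements.

  R1. the PC lies inside known program code;
  R2. the call stack is well-formed: every return address is preceded by a
      call instruction whose target is the function the frame returns from,
      and the walk terminates in _start.

Function layout, call sites and snapshots below are constructed for the demo.
"""
from dataclasses import dataclass

CALL_LEN = 5  # assumed length of a direct x86-64 `call rel32`

# Constructed code layout: function name -> [start, end) address range.
FUNCTIONS = {
    "_start":   (0x1000, 0x1020),
    "main":     (0x1020, 0x1100),
    "do_write": (0x1100, 0x1140),  # ends in the write() syscall
    "helper":   (0x1140, 0x1180),  # also contains ret-terminated gadgets
}

# Constructed direct call sites: address of the call instruction -> callee.
CALL_SITES = {
    0x1010: "main",      # in _start
    0x1050: "do_write",  # in main
    0x1080: "helper",    # in main
}


@dataclass
class Snapshot:
    """Process state at a syscall: PC plus return addresses, innermost first."""
    pc: int
    return_addrs: list


def function_at(addr):
    """Map an address to the function containing it, or None."""
    for name, (lo, hi) in FUNCTIONS.items():
        if lo <= addr < hi:
            return name
    return None


def check_conformant(snap):
    """Return (ok, reason); ok is True only if R1 and R2 both hold."""
    current = function_at(snap.pc)
    if current is None:
        return False, f"R1: pc {snap.pc:#x} is outside known code"
    for ret in snap.return_addrs:
        # Call-preceded check: a ret target must follow a real call site.
        callee = CALL_SITES.get(ret - CALL_LEN)
        if callee is None:
            return False, f"R2: return address {ret:#x} is not call-preceded"
        # Callee match: that call must target the function we are returning from,
        # which catches chains built from valid-looking call-preceded addresses.
        if callee != current:
            return False, (f"R2: call at {ret - CALL_LEN:#x} targets {callee}, "
                           f"but the frame is executing in {current}")
        current = function_at(ret)
        if current is None:
            return False, f"R2: return address {ret:#x} is outside known code"
    if current != "_start":
        return False, f"R2: outermost frame is {current}, not _start"
    return True, "conformant"


# Constructed snapshots, all taken when do_write reaches its syscall.
BENIGN = Snapshot(pc=0x1130, return_addrs=[0x1055, 0x1015])
# ROP chain: stack holds gadget addresses inside helper, not call-preceded.
ROP_CHAIN = Snapshot(pc=0x1130, return_addrs=[0x1160, 0x1170])
# Chain built only from call-preceded addresses; the call target does not match.
CALL_PRECEDED_CHAIN = Snapshot(pc=0x1130, return_addrs=[0x1085, 0x1015])
# PC diverted to a non-code address (e.g. injected shellcode).
PC_OUTSIDE_CODE = Snapshot(pc=0x2000, return_addrs=[])


def run_demo():
    """Evaluate every constructed snapshot; returns {name: (ok, reason)}."""
    cases = {
        "benign": BENIGN,
        "rop_chain": ROP_CHAIN,
        "call_preceded_chain": CALL_PRECEDED_CHAIN,
        "pc_outside_code": PC_OUTSIDE_CODE,
    }
    return {name: check_conformant(snap) for name, snap in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:22s} {'OK  ' if ok else 'FAIL'} {reason}")
```

The `CALL_PRECEDED_CHAIN` case is the reason the callee-match rule exists: a checker that only tests whether each return address follows some call instruction is satisfied by a chain of call-preceded gadgets, whereas requiring the call to target the function actually being returned from is not.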



Copyright information

© 2014 Springer International Publishing Switzerland

Cite this paper

Jacobson, E.R., Bernat, A.R., Williams, W.R., Miller, B.P. (2014). Detecting Code Reuse Attacks with a Model of Conformant Program Execution. In: Jürjens, J., Piessens, F., Bielova, N. (eds) Engineering Secure Software and Systems. ESSoS 2014. Lecture Notes in Computer Science, vol 8364. Springer, Cham. https://doi.org/10.1007/978-3-319-04897-0_1

  • DOI: https://doi.org/10.1007/978-3-319-04897-0_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-04896-3

  • Online ISBN: 978-3-319-04897-0
