Abstract
Return-oriented Programming (ROP) is a new exploitation technique that can perform arbitrary unintended operations by constructing a gadget chain reusing existing small code sequences. Although many defense mechanisms have been proposed, some new variants of ROP attack can easily circumvent them.
In this paper, we present a new tool, ROP-Hunt, that can defend against ROP attacks based on the differences between normal program and ROP malicious code. ROP-Hunt leverages instrumentation technique and detects ROP attack at runtime. In our experiment, ROP-Hunt can detect all types of ROP attack from real-world examples. We use several unmodified SPEC2006 benchmarks to test the performance and the result shows that it has a zero false positive rate and an acceptable overhead.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Data execution prevention. http://support.microsoft.com/kb/875352/EN-US
Linux/\(\times \)86 - /bin/sh sysenter Opcode Array Payload. http://shell-storm.org/shellcode/files/shellcode-236.php
Linux/\(\times \)86 - sys exit(0). http://shell-storm.org/shellcode/files/shellcode-623.php
Setjmp - set jump point for a non-local goto. http://pubs.opengroup.org/onlinepubs/009695399/functions/setjmp.html
Shellcodes database for study cases. http://shell-storm.org/shellcode/
HT Editor 2.0.20 Buffer Overflow (ROP PoC). http://www.exploit-db.com/exploits/22683/
PHP 5.3.6 Buffer Overflow PoC. http://www.exploit-db.com/exploits/17486
ROPgadget - Gadgets finder and auto-roper. http://shell-storm.org/project/ROPgadget/
ROPPER - ROP GADGET FINDER AND BINARY INFORMATION TOOL. https://scoding.de/ropper/
Standard Performance Evaluation Corporation, SPEC CPU2006 Benchmarks. http://www.spec.org/osg/cpu2006/
Bletsch, T., Jiang, X., Freeh, V.: Mitigating code-reuse attacks with control-flow locking. In: Proceedings of the 27th Annual Computer Security Applications Conference, pp. 353–362. ACM (2011)
Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, pp. 30–40. ACM (2011)
Buchanan, E., Roemer, R., Shacham, H., Savage, S.: When good instructions go bad: generalizing return-oriented programming to risc. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 27–38. ACM (2008)
Carlini, N., Wagner, D.: ROP is still dangerous: breaking modern defenses. In: 23rd USENIX Security Symposium (USENIX Security 2014), pp. 385–399 (2014)
Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 559–572. ACM (2010)
Checkoway, S., Feldman, A.J., Kantor, B., Halderman, J.A., Felten, E.W., Shacham, H.: Can DREs provide long-lasting security? The case of return-oriented programming and the AVC advantage. In: EVT/WOTE 2009 (2009)
Chen, P., Xiao, H., Shen, X., Yin, X., Mao, B., Xie, L.: DROP: detecting return-oriented programming malicious code. In: Prakash, A., Sen Gupta, I. (eds.) ICISS 2009. LNCS, vol. 5905, pp. 163–177. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10772-6_13
Chen, P., Xing, X., Han, H., Mao, B., Xie, L.: Efficient detection of the return-oriented programming malicious code. In: Jha, S., Mathuria, A. (eds.) ICISS 2010. LNCS, vol. 6503, pp. 140–155. Springer, Heidelberg (2010). doi:10.1007/978-3-642-17714-9_11
Chen, S., Li, Z., Huang, Y., Xing, J.: Sat-based technique to detect buffer overflows in c source codes. J. Tsinghua Univ. (Science and Technology), S2 (2009)
Davi, L., Sadeghi, A.R., Winandy, M.: Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks. In: Proceedings of the 2009 ACM Workshop on Scalable Trusted Computing, pp. 49–54. ACM (2009)
Davi, L., Sadeghi, A.R., Winandy, M.: Ropdefender: adetection tool to defend against return-oriented programming attacks. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, pp. 40–51. ACM (2011)
Dullien, T., Kornau, T., Weinmann, R.P.: A framework for automated architecture-independent gadget search. In: WOOT (2010)
Francillon, A., Castelluccia, C.: Code injection attacks on Harvard-architecture devices. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 15–26. ACM (2008)
Hund, R., Holz, T., Freiling, F.C.: Return-oriented rootkits: bypassing kernel code integrity protection mechanisms. In: USENIX Security Symposium, pp. 383–398 (2009)
Kayaalp, M., Schmitt, T., Nomani, J., Ponomarev, D., Abu-Ghazaleh, N.: SCRAP: architecture for signature-based protection from code reuse attacks. In: 2013 IEEE 19th International Symposium on High Performance Computer Architecture (HPCA2013), pp. 258–269. IEEE (2013)
Kornau, T.: Return oriented programming for the ARM architecture. Ph.D. thesis, Masters thesis, Ruhr-Universität Bochum (2010)
Li, J., Wang, Z., Jiang, X., Grace, M., Bahram, S.: Defeating return-oriented rootkits with return-less kernels. In: Proceedings of the 5th European Conference on Computer Systems, pp. 195–208. ACM (2010)
Luk, C.K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: building customized program analysis tools with dynamic instrumentation. In: ACM Sigplan Notices, vol. 40, pp. 190–200. ACM (2005)
Nethercote, N.: Dynamic binary analysis and instrumentation (2004). http://valgrind.org/docs/phd2004.pdf
Onarlioglu, K., Bilge, L., Lanzi, A., Balzarotti, D., Kirda, E.: G-free: defeating return-oriented programming through gadget-less binaries. In: Proceedings of the 26th Annual Computer Security Applications Conference, pp. 49–58. ACM (2010)
One, A.: Smashing the stack for fun and profit. Phrack Mag. 7(49), 14–16 (1996)
Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: Presented as Part of the 22nd USENIX Security Symposium (USENIX Security 2013), pp. 447–462 (2013)
Roemer, R.G.: Finding the bad in good code: automated return-oriented programming exploit discovery (2009)
Schwartz, E.J., Avgerinos, T., Brumley, D.: Q: Exploit hardening made easy. In: USENIX Security Symposium, pp. 25–41 (2011)
Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the \(\times \)86). In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 552–561. ACM (2007)
Tran, M., Etheridge, M., Bletsch, T., Jiang, X., Freeh, V., Ning, P.: On the expressiveness of return-into-libc attacks. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 121–141. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23644-0_7
Wojtczuk, R.: The advanced return-into-lib(c) exploits: PaX case study. Phrack Mag. 0x0b(0x3a), Phile# 0x04 of 0x0e (2001)
Yao, F., Chen, J., Venkataramani, G.: Jop-alarm: detecting jump-oriented programming-based anomalies in applications. In: 2013 IEEE 31st International Conference on Computer Design (ICCD), pp. 467–470. IEEE (2013)
Zhang, M., Luo, J.: Pointer analysis algorithm in static buffer overflow analysis. Comput. Eng. 31(18), 41–43 (2005)
Acknowledgments
We thank the anonymous reviewers for their constructive comments that guided the final version of this paper. We thank National University of Defense Technology for providing essential conditions to accomplish this paper. This work is supported by the NSFC under Grant 61103015, 61303191, 61402504 and 61303190.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Si, L., Yu, J., Luo, L., Ma, J., Wu, Q., Li, S. (2016). ROP-Hunt: Detecting Return-Oriented Programming Attacks in Applications. In: Wang, G., Ray, I., Alcaraz Calero, J., Thampi, S. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2016. Lecture Notes in Computer Science(), vol 10066. Springer, Cham. https://doi.org/10.1007/978-3-319-49148-6_12
Download citation
DOI: https://doi.org/10.1007/978-3-319-49148-6_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49147-9
Online ISBN: 978-3-319-49148-6
eBook Packages: Computer ScienceComputer Science (R0)