ROPSentry : runtime defense against ROP attacks using hardware performance counters

Return-Oriented Programming (ROP) is one of the most common techniques to exploit software vulnerabilities. However, existing defense techniques can be defeated by attackers, or suffer from high performance overhead. In this paper, we propose a defense framework, named ROPSentry, to detect ROP attac...

Bibliographic Details
Main Authors: Das, Sanjeev, Chen, Bihuan, Chandramohan, Mahintham, Liu, Yang, Zhang, Wei
Other Authors: School of Electrical and Electronic Engineering
Format: Article
Language: English
Published: 2020
Subjects:
Online Access: https://hdl.handle.net/10356/142012
Institution: Nanyang Technological University
id sg-ntu-dr.10356-142012
record_format dspace
spelling sg-ntu-dr.10356-1420122020-06-15T02:31:43Z ROPSentry : runtime defense against ROP attacks using hardware performance counters Das, Sanjeev Chen, Bihuan Chandramohan, Mahintham Liu, Yang Zhang, Wei School of Electrical and Electronic Engineering Engineering::Electrical and electronic engineering ROP Attacks Hardware Performance Counter Return-Oriented Programming (ROP) is one of the most common techniques to exploit software vulnerabilities. However, existing defense techniques can be defeated by attackers, or suffer from high performance overhead. In this paper, we propose a defense framework, named ROPSentry, to detect ROP attacks at runtime. It is built on the observation that ROP exploits usually trigger different hardware events than normal programs generated by compilers. Hence, we leverage hardware performance counters to track such hardware events and analyze behavioral patterns of ROP attacks. ROPSentry has two approaches. The ROP-only defense approach detects ROP attacks via capturing the patterns of ROP exploits, where we propose to sample the hardware performance counters at mispredicted return events instead of at every microinstruction for a low performance overhead. To further reduce performance overhead, we propose a self-adaptive defense approach to dynamically switch between low and high sampling rates. It detects the patterns of spraying attacks (i.e., one common ROP payload delivery technique) at a low sampling rate, and then switches to a high sampling rate for detecting the patterns of ROP exploits. Our evaluation on 11 real-world ROP exploits, 50 synthetically generated ROP exploits and 1000 benign websites has shown that, the ROP-only and self-adaptive approaches are effective in detecting ROP attacks with low performance overhead (11% and 1% respectively) as well as low false positive; and they significantly outperform the state-of-the-art techniques in terms of performance overhead without losing the detection accuracy. 
NRF (Natl Research Foundation, S’pore) 2020-06-15T02:31:43Z 2020-06-15T02:31:43Z 2018 Journal Article Das, S., Chen, B., Chandramohan, M., Liu, Y., & Zhang, W. (2018). ROPSentry : runtime defense against ROP attacks using hardware performance counters. Computers and Security, 73, 374-388. doi:10.1016/j.cose.2017.11.011 0167-4048 https://hdl.handle.net/10356/142012 10.1016/j.cose.2017.11.011 2-s2.0-85038002438 73 374 388 en Computers and Security © 2017 Elsevier Ltd. All rights reserved.
institution Nanyang Technological University
building NTU Library
country Singapore
collection DR-NTU
language English
topic Engineering::Electrical and electronic engineering
ROP Attacks
Hardware Performance Counter