deRop: Removing Return-Oriented Programming from Malware
Over the last few years, malware analysis has been one of the hottest areas in security research. Many techniques and tools have been developed to assist in automatic analysis of malware. This ranges from basic tools like disassemblers and decompilers, to static and dynamic tools that analyze malwar...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2011
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/1425 http://flyer.sis.smu.edu.sg/acsac11.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-2424 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-24242012-01-03T07:05:05Z deRop: Removing Return-Oriented Programming from Malware LU, Kangjie ZOU, Dabi Weng, Weiping GAO, Debin Over the last few years, malware analysis has been one of the hottest areas in security research. Many techniques and tools have been developed to assist in automatic analysis of malware. This ranges from basic tools like disassemblers and decompilers, to static and dynamic tools that analyze malware behaviors, to automatic malware clustering and classification techniques, to virtualization technologies to assist malware analysis, to signature- and anomaly-based malware detection, and many others. However, most of these techniques and tools would not work on new attacking techniques, e.g., attacks that use return-oriented programming (ROP). In this paper, we look into the possibility of enabling existing defense technologies designed for normal malware to cope with malware using return-oriented programming. We discuss difficulties in removing ROP from malware, and design and implement an automatic converter, called deRop, that converts an ROP exploit into shell code that is semantically equivalent with the original ROP exploit but does not use ROP, which could then be analyzed by existing malware defense technologies. We apply deRop on four real ROP malwares and demonstrate success in using deRop for the automatic conversion. We further discuss applicability and limitations of deRop. 2011-12-05T08:00:00Z text https://ink.library.smu.edu.sg/sis_research/1425 info:doi/10.1145/2076732.2076784 http://flyer.sis.smu.edu.sg/acsac11.pdf Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University return-oriented programming malware analysis Information Security |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
return-oriented programming malware analysis Information Security |
| spellingShingle |
return-oriented programming malware analysis Information Security LU, Kangjie ZOU, Dabi Weng, Weiping GAO, Debin deRop: Removing Return-Oriented Programming from Malware |
| description |
Over the last few years, malware analysis has been one of the hottest areas in security research. Many techniques and tools have been developed to assist in automatic analysis of malware. This ranges from basic tools like disassemblers and decompilers, to static and dynamic tools that analyze malware behaviors, to automatic malware clustering and classification techniques, to virtualization technologies to assist malware analysis, to signature- and anomaly-based malware detection, and many others. However, most of these techniques and tools would not work on new attacking techniques, e.g., attacks that use return-oriented programming (ROP). In this paper, we look into the possibility of enabling existing defense technologies designed for normal malware to cope with malware using return-oriented programming. We discuss difficulties in removing ROP from malware, and design and implement an automatic converter, called deRop, that converts an ROP exploit into shell code that is semantically equivalent with the original ROP exploit but does not use ROP, which could then be analyzed by existing malware defense technologies. We apply deRop on four real ROP malwares and demonstrate success in using deRop for the automatic conversion. We further discuss applicability and limitations of deRop. |
| format |
text |
| author |
LU, Kangjie ZOU, Dabi Weng, Weiping GAO, Debin |
| author_facet |
LU, Kangjie ZOU, Dabi Weng, Weiping GAO, Debin |
| author_sort |
LU, Kangjie |
| title |
deRop: Removing Return-Oriented Programming from Malware |
| title_short |
deRop: Removing Return-Oriented Programming from Malware |
| title_full |
deRop: Removing Return-Oriented Programming from Malware |
| title_fullStr |
deRop: Removing Return-Oriented Programming from Malware |
| title_full_unstemmed |
deRop: Removing Return-Oriented Programming from Malware |
| title_sort |
derop: removing return-oriented programming from malware |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2011 |
| url |
https://ink.library.smu.edu.sg/sis_research/1425 http://flyer.sis.smu.edu.sg/acsac11.pdf |
| _version_ |
1770571117413531648 |