ROPecker: A Generic and Practical Approach For Defending Against ROP Attack

Return-Oriented Programming (ROP) is a sophisticated exploitation technique that is able to drive target applications to perform arbitrary unintended operations by constructing a gadget chain reusing existing small code sequences (gadgets). Existing defense mechanisms either only handle specific types of gadgets, require access to source code and/or a customized compiler, break the integrity of application binary, or suffer from high performance overhead. In this paper, we present a novel system, ROPecker, to efficiently and effectively defend against ROP attacks without relying on any other side information (e.g., source code and compiler support) or binary rewriting. ROPecker detects an ROP attack at run-time by checking the presence of a sufficiently long chain of gadgets in past and future execution flow, with the assistance of the taken branches recorded in the Last Branch Record (LBR) registers and an efficient technique combining offline analysis with run-time emulation. We also design a sliding window mechanism to invoke the detection logic in proper timings, which achieves both high detection accuracy and efficiency. We build an ROPecker prototype on x86-based Linux computers and evaluate its security effectiveness, space cost and performance overhead. In our experiment, ROPecker can detect all ROP attacks from real-world examples and generated by the general purpose ROP compiler Q. It has small footprints on memory and disk storage, and only incurs acceptable performance overhead on CPU computation, disk I/O and network I/O.
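The abstract describes the detection rule at a high level: look backwards through the taken branches the LBR recorded, look forwards by emulating where the chain will go next, and raise an alarm once the two together form a sufficiently long gadget chain. The following is an added example, not code from the ROPecker paper or its prototype, that models that rule in user space. The gadget table (standing in for what the offline analysis would produce), the LBR and stack snapshots, every address, the threshold value and the per-gadget "pops before ret" bookkeeping are all constructed for illustration; the paper's actual gadget definition, emulation and threshold choice, and the sliding-window trigger that decides when the check runs, are not reproduced here.

```c
/* Added example, not ROPecker's code: past/future gadget-chain check model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint64_t from;   /* address of the taken branch instruction */
    uint64_t to;     /* its target */
} lbr_entry_t;

/* A gadget as an offline pass might record it: start address, number of
 * stack slots popped before the terminating branch, and whether that branch
 * is a ret (so the next target is read from the stack). */
typedef struct { uint64_t start; unsigned npops; bool ends_in_ret; } gadget_t;

/* Constructed gadget table for a hypothetical x86-64 binary. */
static const gadget_t gadget_db[] = {
    {0x401136, 1, true},   /* pop rdi ; ret        */
    {0x40113c, 1, true},   /* pop rsi ; ret        */
    {0x401142, 1, true},   /* pop rdx ; ret        */
    {0x401148, 0, true},   /* mov [rdi], rsi ; ret */
    {0x40114e, 1, true},   /* pop rax ; ret        */
    {0x401154, 0, true},   /* syscall ; ret        */
    {0x40115a, 0, false},  /* jmp rax              */
};

const gadget_t *lookup_gadget(uint64_t addr)
{
    for (size_t i = 0; i < sizeof gadget_db / sizeof gadget_db[0]; i++)
        if (gadget_db[i].start == addr)
            return &gadget_db[i];
    return NULL;
}

/* Past flow: lbr[n-1] is the most recent entry. Count how many consecutive
 * recent taken branches landed on a gadget start. */
size_t past_chain_len(const lbr_entry_t *lbr, size_t n)
{
    size_t len = 0;
    while (len < n && lookup_gadget(lbr[n - 1 - len].to) != NULL)
        len++;
    return len;
}

/* Future flow: `cur` is the gadget the latest branch landed on; `stack` holds
 * the words from the current stack pointer upwards. Emulate each gadget's
 * pops and its ret, counting successive gadget targets. Stops at a non-gadget
 * target or at a jmp/call-reg gadget, whose successor needs register state
 * this simplified model does not track. */
size_t future_chain_len(uint64_t cur, const uint64_t *stack, size_t nslots)
{
    const gadget_t *g = lookup_gadget(cur);
    size_t len = 0, sp = 0;
    while (g != NULL && g->ends_in_ret) {
        sp += g->npops;                  /* slots consumed by the pops      */
        if (sp >= nslots)
            break;
        g = lookup_gadget(stack[sp++]);  /* the ret consumes one more slot  */
        if (g != NULL)
            len++;
    }
    return len;
}

/* Alarm when visible past chain plus predictable future chain reaches the threshold. */
bool rop_detected(const lbr_entry_t *lbr, size_t n,
                  const uint64_t *stack, size_t nslots, size_t threshold)
{
    size_t past = past_chain_len(lbr, n);
    if (past == 0)
        return false;   /* most recent branch did not land on a gadget */
    return past + future_chain_len(lbr[n - 1].to, stack, nslots) >= threshold;
}

#define CHAIN_THRESHOLD 6   /* assumed value, not the paper's */
#define N(a) (sizeof (a) / sizeof (a)[0])

/* Constructed benign snapshot: ordinary calls, returns and jumps. */
static const lbr_entry_t benign_lbr[] = {
    {0x401210, 0x401020}, {0x40102c, 0x401215}, {0x401230, 0x401300}, {0x401310, 0x401235},
};
static const uint64_t benign_stack[] = { 0x401240, 0x7ffd0000, 0x0, 0x1 };

/* Constructed attack snapshot: an overflow diverted the victim's ret into a
 * chain; the last three LBR entries already land on gadgets. */
static const lbr_entry_t attack_lbr[] = {
    {0x401210, 0x401020},   /* benign call before the overflow        */
    {0x40102c, 0x401136},   /* victim's ret -> pop rdi ; ret          */
    {0x401137, 0x40113c},   /* gadget's ret -> pop rsi ; ret          */
    {0x40113d, 0x401142},   /* gadget's ret -> pop rdx ; ret (current)*/
};
static const uint64_t attack_stack[] = {
    0x0,        /* popped into rdx       */   0x40114e,   /* pop rax ; ret        */
    0x3b,       /* popped into rax       */   0x401154,   /* syscall ; ret        */
    0x401148,   /* mov [rdi], rsi ; ret  */   0x41414141, /* filler: chain ends   */
};

bool demo_benign_detected(void)
{ return rop_detected(benign_lbr, N(benign_lbr), benign_stack, N(benign_stack), CHAIN_THRESHOLD); }

bool demo_attack_detected(void)
{ return rop_detected(attack_lbr, N(attack_lbr), attack_stack, N(attack_stack), CHAIN_THRESHOLD); }

int main(void)
{
    printf("benign: past=%zu detected=%d\n",
           past_chain_len(benign_lbr, N(benign_lbr)), demo_benign_detected());
    printf("attack: past=%zu future=%zu detected=%d\n",
           past_chain_len(attack_lbr, N(attack_lbr)),
           future_chain_len(0x401142, attack_stack, N(attack_stack)), demo_attack_detected());
    return 0;
}
```

On the attack snapshot the three gadget landings in the LBR plus the three further gadgets the emulated rets would reach give a chain of six, which meets the assumed threshold; the benign snapshot never lands on a gadget and is never examined further. The design point to take from this is the one the abstract makes: neither half alone is enough, because the LBR is shallow and a chain may have only just begun when the check runs, while forward emulation alone cannot see what already executed.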

Bibliographic Details
Main Authors: CHENG, Yueqiang, ZHOU, Zongwei, MIAO, Yu, DING, Xuhua, DENG, Robert H.
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2014
Subjects: Information Security
Online Access:https://ink.library.smu.edu.sg/sis_research/1973
https://ink.library.smu.edu.sg/context/sis_research/article/2972/viewcontent/ROPecker02_1_1.pdf
Institution: Singapore Management University
Date: 2014-02-01
DOI: 10.14722/ndss.2014.23156
Collection: Research Collection School Of Computing and Information Systems
Discipline: Information Security
File: application/pdf
License: http://creativecommons.org/licenses/by-nc-nd/4.0/