DOI: 10.1007/978-3-642-10772-6_13

Article

DROP: Detecting Return-Oriented Programming Malicious Code

Published: 15 November 2009

Abstract

Return-Oriented Programming (ROP) is a new technique that lets an attacker construct malicious code out of x86/SPARC executables without any function call at all. The technique means that ROP malicious code contains no injected instructions of its own, which differs from existing attacks. Moreover, it hides the malicious code inside benign code. Thus it circumvents approaches that prevent control-flow diversion outside legitimate regions (such as W⊕X) and most malicious code scanning techniques (such as anti-virus scanners). However, ROP has intrinsic features that differ from normal program design: (1) it uses short instruction sequences ending in "ret", called gadgets, and (2) it executes the gadgets contiguously in a specific memory space, such as the standard GNU libc. Based on these features of ROP malicious code, in this paper we present a tool, DROP, which focuses on dynamically detecting ROP malicious code. Preliminary experimental results show that DROP can efficiently detect ROP malicious code with no false positives or negatives.
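As an added illustration of the two features the abstract relies on (this is not code from the DROP paper or its authors), the following Python runs a simplified, trace-level version of those heuristics over a constructed instruction trace. The libc address range, the gadget-length bound and the chain threshold are assumed values chosen for the example, not DROP's own parameters.

```python
# Added example: trace-level check for the two ROP features named in the
# abstract (short ret-terminated runs, executed back-to-back inside libc).
# All constants below are assumptions for illustration, not DROP's values.

# Assumed address range of the shared library (e.g. GNU libc) being watched.
LIBC_RANGE = (0xB7E00000, 0xB7F40000)
# A "gadget" here is a run of at most MAX_GADGET_LEN instructions that ends
# in ret; MIN_CHAIN such runs in a row inside LIBC_RANGE counts as a chain.
MAX_GADGET_LEN = 5
MIN_CHAIN = 3


def in_libc(addr):
    lo, hi = LIBC_RANGE
    return lo <= addr < hi


def detect_rop(trace):
    """trace: list of (address, mnemonic) in execution order.
    Returns the index of the ret that completes a suspicious chain, or None.
    Run length is counted from the previous ret, so benign calls to tiny leaf
    functions also produce short runs; the chain threshold filters those."""
    run_len = 0   # instructions executed since the previous ret
    chain = 0     # consecutive short, in-libc, ret-terminated runs
    for i, (addr, mnem) in enumerate(trace):
        run_len += 1
        if mnem != "ret":
            continue
        if run_len <= MAX_GADGET_LEN and in_libc(addr):
            chain += 1
        else:
            chain = 0
        run_len = 0
        if chain >= MIN_CHAIN:
            return i
    return None


# Constructed trace (not a real capture): a normal call into a long libc
# function, a return in program code, then three short libc gadgets.
SAMPLE_TRACE = (
    [(0x08048400 + 2 * k, "mov") for k in range(4)]
    + [(0x08048408, "call")]
    + [(0xB7E21000 + k, "add") for k in range(8)] + [(0xB7E21008, "ret")]
    + [(0x0804840D, "mov"), (0x0804840F, "ret")]
    + [(0xB7E30010, "pop"), (0xB7E30011, "ret")]
    + [(0xB7E30020, "pop"), (0xB7E30021, "pop"), (0xB7E30022, "ret")]
    + [(0xB7E30030, "mov"), (0xB7E30032, "ret")]
)

if __name__ == "__main__":
    print("benign prefix:", detect_rop(SAMPLE_TRACE[:16]))  # None
    print("full trace, flagged at index:", detect_rop(SAMPLE_TRACE))  # 22
```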


Published In

ICISS '09: Proceedings of the 5th International Conference on Information Systems Security, November 2009, 325 pages. ISBN: 9783642107719. Editors: Atul Prakash, Indranil Sen Gupta. Publisher: Springer-Verlag, Berlin, Heidelberg.

Cited By

    • (2021) Not so fast: understanding and mitigating negative impacts of compiler optimizations on code reuse gadget sets. Proceedings of the ACM on Programming Languages 5(OOPSLA), 1-30. DOI 10.1145/3485531. Online publication date: 15 Oct 2021.
    • (2020) On Detecting Code Reuse Attacks. Automatic Control and Computer Sciences 54(7), 573-583. DOI 10.3103/S0146411620070111. Online publication date: 1 Dec 2020.
    • (2020) Methodologies for Quantifying (Re-)randomization Security and Timing under JIT-ROP. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 1803-1820. DOI 10.1145/3372297.3417248. Online publication date: 30 Oct 2020.
    • (2020) A Generic Technique for Automatically Finding Defense-Aware Code Reuse Attacks. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 1789-1801. DOI 10.1145/3372297.3417234. Online publication date: 30 Oct 2020.
    • (2020) Return-Oriented Programming on RISC-V. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, 471-480. DOI 10.1145/3320269.3384738. Online publication date: 5 Oct 2020.
    • (2018) Shredder. Proceedings of the 34th Annual Computer Security Applications Conference, 1-16. DOI 10.1145/3274694.3274703. Online publication date: 3 Dec 2018.
    • (2018) Enhancing Branch Monitoring for Security Purposes. ACM Transactions on Privacy and Security 21(1), 1-30. DOI 10.1145/3152162. Online publication date: 2 Jan 2018.
    • (2017) Using CoreSight PTM to Integrate CRA Monitoring IPs in an ARM-Based SoC. ACM Transactions on Design Automation of Electronic Systems 22(3), 1-25. DOI 10.1145/3035965. Online publication date: 21 Apr 2017.
    • (2017) PT-CFI. Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, 173-184. DOI 10.1145/3029806.3029830. Online publication date: 22 Mar 2017.
    • (2017) Large-Scale Automated Software Diversity: Program Evolution Redux. IEEE Transactions on Dependable and Secure Computing 14(2), 158-171. DOI 10.1109/TDSC.2015.2433252. Online publication date: 1 Mar 2017.