DOI: 10.1007/978-3-642-41284-4_4

Check My Profile: Leveraging Static Analysis for Fast and Accurate Detection of ROP Gadgets

Published: 23 October 2013

Abstract

Return-oriented programming (ROP) offers a powerful technique for undermining state-of-the-art security mechanisms, including non-executable memory and address space layout randomization. To mitigate this daunting attack strategy, several in-built defensive mechanisms have been proposed. In this work, we instead focus on detection techniques that do not require any modification to end-user platforms. Specifically, we propose a novel framework that efficiently analyzes documents (PDF, Office, or HTML files) and detects whether they contain a return-oriented programming payload. To do so, we provide advanced techniques for taking memory snapshots of a target application, efficiently transferring the snapshots to a host system, as well as novel static analysis and filtering techniques to identify and profile chains of code pointers referencing ROP gadgets that may even reside in randomized libraries. Our evaluation of over 7,662 benign and 57 malicious documents demonstrates that we can perform such analysis accurately and expeditiously, with the vast majority of documents analyzed in about 3 seconds.
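The core idea in the abstract, static analysis of a memory snapshot for chains of code pointers that reference ROP gadgets, is illustrated below as an added example; it is not the paper's implementation or code from its authors. It assumes 32-bit x86, a byte scan for ret opcodes in place of the disassembler-based gadget profiling a real tool would use, a constructed 26-byte library image mapped at a base address read from the snapshot's memory map (which is why a randomized library needs no special handling here), two constructed heap dumps (one carrying a sprayed chain with pop operands, one benign), and hypothetical thresholds (MAX_GADGET_LEN, MAX_GAP, CHAIN_THRESHOLD).

```c
#include <stdint.h>
#include <stdio.h>

/* Heuristic knobs: assumptions for this example, not values from the paper. */
#define MAX_GADGET_LEN  8  /* bytes to look ahead for a ret from the pointed-to address */
#define MAX_GAP         2  /* non-pointer words (pop operands) tolerated inside a chain */
#define CHAIN_THRESHOLD 4  /* gadget pointers in one chain needed to flag a snapshot */

/* An executable mapping as recorded in the snapshot's memory map. `base` is the
 * address the loader actually used, so ASLR is irrelevant to the scan itself. */
typedef struct { uint32_t base; const uint8_t *bytes; size_t len; } code_region;

/* Non-zero if `va` lands inside `r` and a ret (C3) or ret imm16 (C2) opcode byte
 * follows within MAX_GADGET_LEN bytes. The byte scan stands in for real
 * disassembly; a C3 inside an immediate can fool it, which is one reason a
 * single hit is never enough to flag a snapshot. */
int points_to_gadget(const code_region *r, uint32_t va)
{
    if (va < r->base || va - r->base >= r->len) return 0;
    size_t off = (size_t)(va - r->base);
    size_t end = off + MAX_GADGET_LEN < r->len ? off + MAX_GADGET_LEN : r->len;
    for (size_t i = off; i < end; i++)
        if (r->bytes[i] == 0xC3 || r->bytes[i] == 0xC2) return 1;
    return 0;
}

/* Walk a heap/stack dump one 32-bit little-endian word at a time and return the
 * most gadget pointers seen in one chain. Up to MAX_GAP consecutive non-gadget
 * words may sit between pointers (operands consumed by pop-style gadgets);
 * a longer stretch of ordinary data ends the chain. */
size_t longest_gadget_chain(const uint8_t *data, size_t len,
                            const code_region *regions, size_t nregions)
{
    size_t best = 0, run = 0, gap = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t va = (uint32_t)data[off] | (uint32_t)data[off + 1] << 8
                    | (uint32_t)data[off + 2] << 16 | (uint32_t)data[off + 3] << 24;
        int hit = 0;
        for (size_t i = 0; i < nregions && !hit; i++)
            hit = points_to_gadget(&regions[i], va);
        if (hit) { run++; gap = 0; }
        else if (run > 0 && ++gap > MAX_GAP) { run = 0; gap = 0; }
        if (run > best) best = run;
    }
    return best;
}

int looks_like_rop_payload(const uint8_t *data, size_t len,
                           const code_region *regions, size_t nregions)
{
    return longest_gadget_chain(data, len, regions, nregions) >= CHAIN_THRESHOLD;
}

/* Constructed x86 "library" image (not a real binary): a few ret-terminated
 * sequences, then 16 nops with no ret within MAX_GADGET_LEN. */
static const uint8_t LIB_BYTES[] = {
    0x58, 0xC3,                    /* +0  pop eax ; ret        */
    0x5B, 0xC3,                    /* +2  pop ebx ; ret        */
    0x89, 0x01, 0xC3,              /* +4  mov [ecx], eax ; ret */
    0x5C, 0xC3,                    /* +7  pop esp ; ret        */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, /* +9  nops */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0xC3                           /* +25 ret                  */
};
/* 0x6A000000 stands for whatever randomized base the snapshot recorded. */
static const code_region LIB = { 0x6A000000u, LIB_BYTES, sizeof LIB_BYTES };

#define LE32(v) (uint8_t)((v) & 0xFFu), (uint8_t)(((v) >> 8) & 0xFFu), \
                (uint8_t)(((v) >> 16) & 0xFFu), (uint8_t)(((v) >> 24) & 0xFFu)

/* Constructed heap dump holding a sprayed chain: five gadget pointers with pop
 * operands between them, then three non-gadget words that end the chain. */
static const uint8_t HEAP_MALICIOUS[] = {
    LE32(0x41414141u),                      /* filler                        */
    LE32(0x6A000000u), LE32(0x00000008u),   /* pop eax ; ret   <- 8          */
    LE32(0x6A000002u), LE32(0x7FFE0000u),   /* pop ebx ; ret   <- 0x7FFE0000 */
    LE32(0x6A000007u),                      /* pop esp ; ret (pivot)         */
    LE32(0x6A000004u),                      /* mov [ecx], eax ; ret          */
    LE32(0x6A000001u),                      /* ret                           */
    LE32(0x6A000009u), LE32(0x6A000009u),   /* into the nops: not gadgets    */
    LE32(0x43434343u),                      /* third gap word ends the chain */
    LE32(0x6A000000u),                      /* lone pointer: chain of 1      */
};

/* Constructed heap dump from a benign document: text and two ordinary code
 * pointers (think vtable slots) that happen to precede a ret, never adjacent. */
static const uint8_t HEAP_BENIGN[] = {
    LE32(0x6C6C6548u), LE32(0x50202C6Fu),   /* "Hello, P"                    */
    LE32(0x6A000004u),                      /* legitimate code pointer       */
    LE32(0x00000000u), LE32(0x00000010u), LE32(0x00000000u),
    LE32(0x6A000007u),                      /* another legitimate pointer    */
    LE32(0x6B000000u),                      /* pointer outside the mapping   */
    LE32(0x00000000u), LE32(0x00000000u),
};

int main(void)
{
    printf("malicious: chain %zu flagged %d\n",
           longest_gadget_chain(HEAP_MALICIOUS, sizeof HEAP_MALICIOUS, &LIB, 1),
           looks_like_rop_payload(HEAP_MALICIOUS, sizeof HEAP_MALICIOUS, &LIB, 1));
    printf("benign: chain %zu flagged %d\n",
           longest_gadget_chain(HEAP_BENIGN, sizeof HEAP_BENIGN, &LIB, 1),
           looks_like_rop_payload(HEAP_BENIGN, sizeof HEAP_BENIGN, &LIB, 1));
    return 0;
}
```

Two details carry the accuracy. A lone code pointer is not evidence, because benign heaps are full of vtable slots and saved return addresses, so only a chain of several gadget pointers is flagged. And a chain is not strictly contiguous, because pop gadgets consume operands that sit between the addresses, so the scan tolerates a short gap before it gives up; a pointer into plain code with no ret in reach, like the nop run above, counts as a gap word rather than a gadget.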

Published In

RAID 2013: Proceedings of the 16th International Symposium on Research in Attacks, Intrusions, and Defenses - Volume 8145
October 2013
451 pages
ISBN:9783642412837
Editors: Salvatore Stolfo, Angelos Stavrou, Charles Wright

Publisher

Springer-Verlag, Berlin, Heidelberg

Author Tags

  1. malware analysis
  2. return-oriented programming

Qualifiers

  • Article

Cited By

  • (2021) SnakeGX: A Sneaky Attack Against SGX Enclaves. Applied Cryptography and Network Security, pp. 333-362. doi:10.1007/978-3-030-78372-3_13. Published 21 June 2021.
  • (2019) The ROP needle. Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, pp. 1962-1970. doi:10.1145/3297280.3297472. Published 8 April 2019.
  • (2016) POSTER. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1808-1810. doi:10.1145/2976749.2989040. Published 24 October 2016.
  • (2016) ROPMEMU. Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 47-58. doi:10.1145/2897845.2897894. Published 30 May 2016.
  • (2015) Counteracting Data-Only Malware with Code Pointer Examination. Proceedings of the 18th International Symposium on Research in Attacks, Intrusions, and Defenses, Volume 9404, pp. 177-197. doi:10.1007/978-3-319-26362-5_9. Published 2 November 2015.
