research-article

n-ROPdetector: Proposal of a Method to Detect the ROP Attack Code on the Network

Authors:

Yasuyuki Tanaka,

Atsuhiro GotoAuthors Info & Claims

SafeConfig '14: Proceedings of the 2014 Workshop on Cyber Security Analytics, Intelligence and Automation

Pages 33 - 36

https://doi.org/10.1145/2665936.2665937

Published: 03 November 2014 Publication History

Get Access

Abstract

Targeted attacks exploiting a zero-day vulnerability are serious threats for many organizations. One reason is that generally available attack tools are very powerful and easy-to-use for attackers. In this paper, we propose n-ROPdetector that detects ROP (Return-Oriented Programming) attack code on the network side. ROP is a core technique used in zero-day attacks. The n-ROPdetector is noticeable method to detect ROP code efficiently on the network side rather than on the host machines side. To evaluate the n-ROPdetector and to show its effectiveness, we used the attack code samples from the attack tool Metasploit and the n-ROPdetector detected 84% of ROP codes in Metasploit.

References

[1]

Hovav Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM conference on Computer and Communications Security (CCS), 2007.

Digital Library

Google Scholar

[2]

Symantec: 2014 Internet Security Threat Report, Volume 19, http://www.symantec.com/security_response/publications/threatreport.jsp.

Google Scholar

[3]

Thomas Toth and C. Kruegel. Accurate buffer overflow detection via abstract payload execution. In Proceedings of the 5th Symposium on Recent Advances in Intrusion Detection (RAID), 2002.

Digital Library

Google Scholar

[4]

Ramkumar Chinchani and E. van den Berg. A Fast Static Analysis Approach To Detect Exploit Code Inside Network Flows. In Proceedings of the 8th Symposium on Recent Advances in Intrusion Detection (RAID), 2005.

Digital Library

Google Scholar

[5]

Michalis Polychronakis, Kostas G. Anagnostakis, and Evangelos P. Markatos. Comprehensive Shellcode Detection using Runtime Heuristics. In Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), 2010.

Digital Library

Google Scholar

[6]

Javad Khodaverdi. Enhancing the Effectiveness of Shellcode Detection by New Runtime Heuristics. In International Journal of Computer Science Research and Application (2013), Vol. 03, Issue. 02, pp. 02--11.

Google Scholar

[7]

Skape: Safely searching process virtual address space, http://www.hick.org/code/skape/papers/

Google Scholar

[8]

Lucas Davi, Ahmad-Reza Sadeghi, and Marcel Winandy. ROPdefender: A practical protection tool to protect against return-oriented programming. In Proceedings of the 6th Symposium on Information, Computer and Communications Security (ASIACCS), 2011.

Digital Library

Google Scholar

[9]

Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis. Transparent ROP Exploit Mitigation Using Indirect Branch Tracing. In Proceedings of 22nd USENIX Security Conference on Security, 2013.

Digital Library

Google Scholar

[10]

Ruowen Wang, Peng Ning, Tao Xie, and Quan Chen. MetaSymploit: Day-One Defense against Script-based Attacks with Security-Enhanced Symbolic Analysis. In Proceedings of 22nd USENIX Security Conference on Security, 2013.

Digital Library

Google Scholar

[11]

Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/bb430720.aspx

Google Scholar

[12]

Metasploit. http://www.metasploit.com/

Google Scholar

[13]

Enes Goktas, Elias Athanasopoulos, Michalis Polychronakis, Herbert Bos, Georgios Portokalidis. Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attack is Hard. In Proceedings of 23nd USENIX Security Conference on Security, 2014.

Digital Library

Google Scholar

Cited By

View all

Wang HSinghal ALiu P(2023)Tackling imbalanced data in cybersecurity with transfer learning: a case with ROP payload detectionCybersecurity10.1186/s42400-022-00135-86:1Online publication date: 5-Jan-2023
https://doi.org/10.1186/s42400-022-00135-8
Yang GLiu XTang C(2022)Horus: An Effective and Reliable Framework for Code-Reuse Exploits Detection in Data StreamElectronics10.3390/electronics1120336311:20(3363)Online publication date: 18-Oct-2022
https://doi.org/10.3390/electronics11203363
Li XHu ZWang HFu YChen PZhu MLiu P(2020)DeepReturn: A deep neural network can learn how to detect previously-unseen ROP payloads without using any heuristicsJournal of Computer Security10.3233/JCS-191368(1-25)Online publication date: 10-Sep-2020
https://doi.org/10.3233/JCS-191368
Show More Cited By

Index Terms

n-ROPdetector: Proposal of a Method to Detect the ROP Attack Code on the Network
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

G-Free: defeating return-oriented programming through gadget-less binaries
ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference

Despite the numerous prevention and protection mechanisms that have been introduced into modern operating systems, the exploitation of memory corruption vulnerabilities still represents a serious threat to the security of software systems and networks. ...
Beasty Memories: The Quest for Practical Defense against Code Reuse Attacks
TrustED '14: Proceedings of the 4th International Workshop on Trustworthy Embedded Devices

Code reuse attacks such as return-oriented programming (ROP) are predominant attack techniques that are extensively used to exploit vulnerabilities in modern software programs. ROP maliciously combines short instruction sequences (gadgets) residing in ...
Survey of return-oriented programming defense mechanisms

A prominent software security violation-buffer overflow attack has taken various forms and poses serious threats until today. One such vulnerability is return-oriented programming attack. An return-oriented programming attack circumvents the dynamic ...

Comments

Information & Contributors

Information

Published In

SafeConfig '14: Proceedings of the 2014 Workshop on Cyber Security Analytics, Intelligence and Automation

November 2014

48 pages

ISBN:9781450331470

DOI:10.1145/2665936

Program Chairs:
Ehab Al-Shaer
UNC Charlotte, USA
,
Krishna Kant
Temple University, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 November 2014

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'14

Sponsor:

SIGSAC

CCS'14: 2014 ACM SIGSAC Conference on Computer and Communications Security

November 3, 2014

Arizona, Scottsdale, USA

Acceptance Rates

SafeConfig '14 Paper Acceptance Rate 3 of 11 submissions, 27%;

Overall Acceptance Rate 22 of 61 submissions, 36%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

6
Total Citations
View Citations
195
Total Downloads

Downloads (Last 12 months)3
Downloads (Last 6 weeks)0

Reflects downloads up to 26 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Wang HSinghal ALiu P(2023)Tackling imbalanced data in cybersecurity with transfer learning: a case with ROP payload detectionCybersecurity10.1186/s42400-022-00135-86:1Online publication date: 5-Jan-2023
https://doi.org/10.1186/s42400-022-00135-8
Yang GLiu XTang C(2022)Horus: An Effective and Reliable Framework for Code-Reuse Exploits Detection in Data StreamElectronics10.3390/electronics1120336311:20(3363)Online publication date: 18-Oct-2022
https://doi.org/10.3390/electronics11203363
Li XHu ZWang HFu YChen PZhu MLiu P(2020)DeepReturn: A deep neural network can learn how to detect previously-unseen ROP payloads without using any heuristicsJournal of Computer Security10.3233/JCS-191368(1-25)Online publication date: 10-Sep-2020
https://doi.org/10.3233/JCS-191368
USUI TIKUSE TOTSUKI YKAWAKOYA YIWAMURA MMIYOSHI JMATSUURA K(2020)ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP GadgetsIEICE Transactions on Information and Systems10.1587/transinf.2019ICP0016E103.D:7(1476-1492)Online publication date: 1-Jul-2020
https://doi.org/10.1587/transinf.2019ICP0016
Usui TIkuse TIwamura MYada TWeippl EKatzenbeisser SKruegel CMyers AHalevi S(2016)POSTERProceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security10.1145/2976749.2989040(1808-1810)Online publication date: 24-Oct-2016
https://dl.acm.org/doi/10.1145/2976749.2989040
Al-Shaer EKant KAhn GYung MLi N(2014)Summary Abstract for the 7th ACM International Workshop on Cyber Security Analytics, Intelligence and AutomationProceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security10.1145/2660267.2660382(1544-1545)Online publication date: 3-Nov-2014
https://dl.acm.org/doi/10.1145/2660267.2660382

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

References

Cited By

Index Terms

Recommendations

G-Free: defeating return-oriented programming through gadget-less binaries

Beasty Memories: The Quest for Practical Defense against Code Reuse Attacks

Survey of return-oriented programming defense mechanisms

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations