poster

POSTER: Static ROP Chain Detection Based on Hidden Markov Model Considering ROP Chain Integrity

Authors:

Toshinori Usui,

Tomonori Ikuse,

Makoto Iwamura,

Takeshi YadaAuthors Info & Claims

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

Pages 1808 - 1810

https://doi.org/10.1145/2976749.2989040

Published: 24 October 2016 Publication History

Get Access

Abstract

Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of operating systems. It is currently used in malicious documents that exploit viewer applications and cause malware infection. For inspecting a large number of commonly handled documents, high-performance and flexible-detection methods are required. However, current solutions are either time-consuming or less precise. In this paper, we propose a novel method for statically detecting ROP chains in malicious documents. Our method generates a hidden Markov model (HMM) of ROP chains as well as one of benign documents by learning known malicious and benign documents and libraries used for ROP gadgets. Detection is performed by calculating the likelihood ratio between malicious and benign HMMs. In addition, we reduce the number of false positives by ROP chain integrity checking, which confirms whether ROP gadgets link properly if they are executed. Experimental results showed that our method can detect ROP-based malicious documents with no false negatives and few false positives at high throughput.

References

[1]

S. Garfinkel et al. Bringing science to digital forensics with standardized forensic corpora. digital investigation, 6:S2--S11, 2009.

Digital Library

Google Scholar

[2]

Google. Virustotal. https://www.virustotal.com/.

Google Scholar

[3]

C. Jamthagen et al. eavesrop: Listening for rop payloads in data streams. In Proceedings of the International Conference on Information Security, pages 413--424. Springer, 2014.

Google Scholar

[4]

L. R. Rabiner. A tutorial on hidden markov models and selected applications in speech recognition. Proceedings of the IEEE, 77(2):257--286, 1989.

Crossref

Google Scholar

[5]

Rapid7. Metasploit. http://www.metasploit.com/.

Google Scholar

[6]

H. Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM conference on Computer and communications security, pages 552--561. ACM, 2007.

Digital Library

Google Scholar

[7]

B. Stancill et al. Check my profile: Leveraging static analysis for fast and accurate detection of rop gadgets. In Proceedings of the 16th International Symposium on Research in Attacks, Intrusions, and Defenses, pages 62--81. Springer, 2013.

Digital Library

Google Scholar

[8]

Y. Tanaka et al. n-ropdetector: Proposal of a method to detect the rop attack code on the network. In Proceedings of the 2014 Workshop on Cyber Security Analytics, Intelligence and Automation, pages 33--36. ACM, 2014.

Digital Library

Google Scholar

[9]

C. YoungHan et al. Strop: Static approach for detection of return-oriented programming attack in network. IEICE Transactions on Communications, 98(1):242--251, 2015.

Google Scholar

Cited By

View all

Yang GLiu XTang C(2022)Horus: An Effective and Reliable Framework for Code-Reuse Exploits Detection in Data StreamElectronics10.3390/electronics1120336311:20(3363)Online publication date: 18-Oct-2022
https://doi.org/10.3390/electronics11203363
Kosolapov Y(2021)On Detecting Code Reuse AttacksAutomatic Control and Computer Sciences10.3103/S014641162007011154:7(573-583)Online publication date: 8-Feb-2021
https://doi.org/10.3103/S0146411620070111
Kosolapov Y(2019)About Detection of Code Reuse AttacksModeling and Analysis of Information Systems10.18255/1818-1015-2019-2-213-22826:2(213-228)Online publication date: 20-Jun-2019
https://doi.org/10.18255/1818-1015-2019-2-213-228

Index Terms

POSTER: Static ROP Chain Detection Based on Hidden Markov Model Considering ROP Chain Integrity
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
    1. Malware and its mitigation

Recommendations

n-ROPdetector: Proposal of a Method to Detect the ROP Attack Code on the Network
SafeConfig '14: Proceedings of the 2014 Workshop on Cyber Security Analytics, Intelligence and Automation

Targeted attacks exploiting a zero-day vulnerability are serious threats for many organizations. One reason is that generally available attack tools are very powerful and easy-to-use for attackers. In this paper, we propose n-ROPdetector that detects ...
Beasty Memories: The Quest for Practical Defense against Code Reuse Attacks
TrustED '14: Proceedings of the 4th International Workshop on Trustworthy Embedded Devices

Code reuse attacks such as return-oriented programming (ROP) are predominant attack techniques that are extensively used to exploit vulnerabilities in modern software programs. ROP maliciously combines short instruction sequences (gadgets) residing in ...
Packed, printable, and polymorphic return-oriented programming
RAID'11: Proceedings of the 14th international conference on Recent Advances in Intrusion Detection

Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W⊕X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis ...

Comments

Information & Contributors

Information

Published In

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

October 2016

1924 pages

ISBN:9781450341394

DOI:10.1145/2976749

General Chairs:
Edgar Weippl
SBA Research, Austria
,
Stefan Katzenbeisser
TU Darmstadt, CYSEC, Germany
,
Program Chairs:
Christopher Kruegel
University of California, Santa Barbara, USA
,
Andrew Myers
Cornell University, USA
,
Shai Halevi
IBM Research, USA

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 24 October 2016

Check for updates

Author Tags

Qualifiers

Poster

Conference

CCS'16

Sponsor:

SIGSAC

CCS'16: 2016 ACM SIGSAC Conference on Computer and Communications Security

October 24 - 28, 2016

Vienna, Austria

Acceptance Rates

CCS '16 Paper Acceptance Rate 137 of 831 submissions, 16%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
296
Total Downloads

Downloads (Last 12 months)6
Downloads (Last 6 weeks)2

Reflects downloads up to 14 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Yang GLiu XTang C(2022)Horus: An Effective and Reliable Framework for Code-Reuse Exploits Detection in Data StreamElectronics10.3390/electronics1120336311:20(3363)Online publication date: 18-Oct-2022
https://doi.org/10.3390/electronics11203363
Kosolapov Y(2021)On Detecting Code Reuse AttacksAutomatic Control and Computer Sciences10.3103/S014641162007011154:7(573-583)Online publication date: 8-Feb-2021
https://doi.org/10.3103/S0146411620070111
Kosolapov Y(2019)About Detection of Code Reuse AttacksModeling and Analysis of Information Systems10.18255/1818-1015-2019-2-213-22826:2(213-228)Online publication date: 20-Jun-2019
https://doi.org/10.18255/1818-1015-2019-2-213-228

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

n-ROPdetector: Proposal of a Method to Detect the ROP Attack Code on the Network

Beasty Memories: The Quest for Practical Defense against Code Reuse Attacks

Packed, printable, and polymorphic return-oriented programming