ABSTRACT
Modern runtime attacks increasingly rely on the powerful techniques and principles of return-oriented programming (ROP); recent attacks on Apple's iPhone and on Adobe Acrobat are two examples. These attacks work even in the presence of modern memory protection mechanisms such as data execution prevention (DEP). In this paper, we present our tool, ROPdefender, which dynamically detects conventional ROP attacks (those based on return instructions). In contrast to existing solutions, ROPdefender can be deployed immediately by end users, since it does not rely on side information (e.g., source code or debugging information), which is rarely available in practice. Currently, our tool adds a runtime overhead of 2x, which is comparable to that of similar instrumentation-based tools.