DOI: 10.1145/1966913.1966920
Research article

ROPdefender: a detection tool to defend against return-oriented programming attacks

Published: 22 March 2011

ABSTRACT

Modern runtime attacks increasingly make use of the powerful return-oriented programming (ROP) attack techniques and principles; recent attacks on Apple iPhone and Acrobat products are two examples. These attacks even work in the presence of modern memory protection mechanisms such as data execution prevention (DEP). In this paper, we present our tool, ROPdefender, which dynamically detects conventional ROP attacks (those based on return instructions). In contrast to existing solutions, ROPdefender can be deployed immediately by end users, since it does not rely on side information (e.g., source code or debugging information), which is rarely provided in practice. Currently, our tool adds a runtime overhead of 2x, which is comparable to similar instrumentation-based tools.
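As an added example (not ROPdefender's own code): the return-address check that makes return-based ROP detectable, replayed over a constructed call/ret trace. It follows the shadow-stack design that the full ROPdefender paper describes and this abstract does not spell out; the addresses, the call-instruction length and the tolerance for longjmp-style frame skipping are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
CALL_LEN = 5  # assumed length of a near CALL rel32 on x86; return address = pc + CALL_LEN

@dataclass(frozen=True)
class Event:
    kind: str    # "call" or "ret"
    pc: int      # address of the instruction itself
    target: int  # call: callee address; ret: return address popped from the program stack

@dataclass(frozen=True)
class Alert:
    pc: int                  # address of the offending RET
    expected: Optional[int]  # top of the shadow stack, None if it was empty
    actual: int              # where the RET actually transferred control

def detect(trace: List[Event]) -> List[Alert]:
    """Replay the trace; return one Alert per RET that the shadow stack does not vouch for."""
    shadow: List[int] = []
    alerts: List[Alert] = []
    for ev in trace:
        if ev.kind == "call":
            shadow.append(ev.pc + CALL_LEN)  # remember where this call must return
        elif ev.kind == "ret":
            if shadow and shadow[-1] == ev.target:
                shadow.pop()  # ordinary return: matches the most recent CALL
            elif ev.target in shadow:
                # Assumed tolerance for benign frame skipping (longjmp, exceptions):
                # unwind the shadow stack down to the matching entry.
                del shadow[shadow.index(ev.target):]
            else:
                # No CALL pushed this address: the RET consumed a corrupted stack slot.
                alerts.append(Alert(ev.pc, shadow[-1] if shadow else None, ev.target))
    return alerts

# Constructed traces; all addresses are made up. main (call at 0x401100) enters f at
# 0x401000, f calls g at 0x401200, g returns, f returns: every RET matches a CALL.
BENIGN_TRACE = [
    Event("call", 0x401100, 0x401000),  # shadow stack: [0x401105]
    Event("call", 0x401010, 0x401200),  # shadow stack: [0x401105, 0x401015]
    Event("ret", 0x401210, 0x401015),   # g returns
    Event("ret", 0x401020, 0x401105),   # f returns
]
# Same prefix, but f's saved return address was overwritten: its RET lands on a gadget
# whose own RET pops the next chain entry. Neither address was pushed by a CALL.
ROP_TRACE = BENIGN_TRACE[:3] + [
    Event("ret", 0x401020, 0x4011A0),  # should have been 0x401105
    Event("ret", 0x4011A3, 0x4011B0),  # gadget chain advances
]
```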

Published in

ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
March 2011, 527 pages
ISBN: 9781450305648
DOI: 10.1145/1966913

Copyright © 2011 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States



Acceptance rates

ASIACCS '11 paper acceptance rate: 35 of 217 submissions (16%). Overall acceptance rate: 418 of 2,322 submissions (18%).
