Xusheng Li,Zhisheng Hu,Haizhou Wang,Yiwei Fu,Ping Chen,Minghui Zhu,Peng Liu

DOI: https://doi.org/10.48550/arXiv.1807.11110

2024-02-13

Abstract:Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code to perform arbitrary operations on target machines. Existing detection methods against ROP exhibit unsatisfactory detection accuracy and/or have high runtime overhead. In this paper, we present ROPNN, which innovatively combines address space layout guided disassembly and deep neural networks to detect ROP payloads. The disassembler treats application input data as code pointers and aims to find any potential gadget chains, which are then classified by a deep neural network as benign or malicious. Our experiments show that ROPNN has high detection rate (99.3%) and a very low false positive rate (0.01%). ROPNN successfully detects all of the 100 real-world ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools. Additionally, ROPNN detects all 10 ROP exploits that can bypass Bin-CFI. ROPNN is non-intrusive and does not incur any runtime overhead to the protected program.

Cryptography and Security

Ping Chen,Hai Xiao,Xiaobin Shen,Xinchun Yin,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-10772-6_13

2009-01-01

Abstract:Return-Oriented Programming (ROP) is a new technique that helps the attacker construct malicious code mounted on x86/SPARC executables without any function call at all. Such technique makes the ROP malicious code contain no instruction, which is different from existing attacks. Moreover, it hides the malicious code in benign code. Thus, it circumvents the approaches that prevent control flow diversion outside legitimate regions (such as W *** X ) and most malicious code scanning techniques (such as anti-virus scanners). However, ROP has its own intrinsic feature which is different from normal program design: (1) uses short instruction sequence ending in "ret", which is called gadget, and (2) executes the gadgets contiguously in specific memory space, such as standard GNU libc. Based on the features of the ROP malicious code, in this paper, we present a tool DROP, which is focused on dynamically detecting ROP malicious code. Preliminary experimental results show that DROP can efficiently detect ROP malicious code, and have no false positives and negatives.

Ping Chen,Xiao Xing,Hao Han,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-17714-9_11

2010-01-01

Abstract:Return-Oriented Programming (ROP) is a code-reuse technique which helps the attacker construct malicious code by using the instruction snippets in existing libraries/executables. Such technique makes the ROP program contain no malicious instructions. Moreover, in recent research, Return-Oriented Programming without returns has been proposed, which can be used to mount an attack without any independent return instructions, therefore, ROP malicious code circumvents the existing defenses which are based on the assumption that the ROP malicious code should use the ret without corresponding call. In this paper, we found the intrinsic feature of the ROP shellcode, and proposed an efficient method which can detect the ROP malicious code (including the one without returns). Preliminary experimental results show that our method can efficiently detect ROP malicious code and have no false positives and negatives.

Xusheng Li,Zhisheng Hu,Haizhou Wang,Yiwei Fu,Ping Chen,Minghui Zhu,Peng Liu

DOI: https://doi.org/10.3233/jcs-191368

2020-01-01

Journal of Computer Security

Abstract:Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code to perform arbitrary operations on target machines. Existing detection methods against ROP exhibit unsatisfactory detection accuracy and/or have high runtime overhead. In this paper, we present DeepReturn, which innovatively combines address space layout guided disassembly and deep neural networks to detect ROP payloads. The disassembler treats application input data as code pointers and aims to find any potential gadget chains, which are then classified by a deep neural network as benign or malicious. Our experiments show that DeepReturn has high detection rate (99.3%) and a very low false positive rate (0.01%). DeepReturn successfully detects all of the 100 real-world ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools. DeepReturn is non-intrusive and does not incur any runtime overhead to the protected program.

Alex Yao Chu Zhu,Wei Qi Yan,Roopak Sinha

DOI: https://doi.org/10.4018/ijdcf.20211101.oa7

2021-01-01

International Journal of Digital Crime and Forensics

Abstract:Most Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS) cannot defend the attacks from a Return Oriented Program (ROP) which applies code reusing and exploiting techniques without the need for code injection. Malicious attackers chain a short sequence as a gadget and execute this gadget as an arbitrary (Turing-complete) behavior in the target program. Lots of ROP defense tools have been developed with satisfactory performance and low costs overhead, but malicious attackers can evade ROP tools. Therefore, it needs security researchers to continually improve existing ROP defense tools, because the defense ability of target devices, such as smartphones is weak, and such devices are being increasingly targeted. Our contribution in this paper is to propose an ROP defense method that has provided a better performance of defense against ROP attacks than existing ROP defense tools.

Kangjie Lu,Dabi Zou,Weiping Wen,Debin Gao

DOI: https://doi.org/10.1007/978-3-642-23644-0_6

2011-01-01

Abstract:Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W⊕X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis difficult, be printable to evade non-ASCII filtering, be polymorphic to evade signature-based detection, etc. Research in these potential advances in ROP is important in designing counter-measures. In this paper, we show that ROP code could be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.

Sanjeeu Das,Bihuan Chen,Mahintham Chandramohan,Yang Liu,Wei Zhang

DOI: https://doi.org/10.1016/j.cose.2017.11.011

IF: 5.105

2017-01-01

Computers & Security

Abstract:Return-Oriented Programming (ROP) is one of the most common techniques to exploit software vulnerabilities. However, existing defense techniques can be defeated by attackers, or suffer from high performance overhead. In this paper, we propose a defense framework, named ROPSentry, to detect ROP attacks at runtime. It is built on the observation that ROP exploits usually trigger different hardware events than normal programs generated by compilers. Hence, we leverage hardware performance counters to track such hardware events and analyze behavioral patterns of ROP attacks. ROPSentry has two approaches. The ROP-only defense approach detects ROP attacks via capturing the patterns of ROP exploits, where we propose to sample the hardware performance counters at mispredicted return events instead of at every microinstruction for a low performance overhead. To further reduce performance overhead, we propose a self-adaptive defense approach to dynamically switch between low and high sampling rates. It detects the patterns of spraying attacks (i.e., one common ROP payload delivery technique) at a low sampling rate, and then switches to a high sampling rate for detecting the patterns of ROP exploits. Our evaluation on 11 real-world ROP exploits, 50 synthetically generated ROP exploits and 1000 benign websites has shown that, the ROP-only and self-adaptive approaches are effective in detecting ROP attacks with low performance overhead (11% and 1% respectively) as well as low false positive; and they significantly outperform the state-of-the-art techniques in terms of performance overhead without losing the detection accuracy.

Ammari Nader,Joan Calvet,Jose M. Fernandez

DOI: https://doi.org/10.48550/arXiv.2005.11886

2020-05-25

Abstract:Return Oriented Programming (ROP) is a technique by which an attacker can induce arbitrary behavior inside a vulnerable program without injecting a malicious code. The continues failure of the currently deployed defenses against ROP has made it again one of the most powerful memory corruption attacks. ROP is also considered as one of the most flexible attacks, its level of flexibility, unlike other code reuse attacks, can reach the Turing completeness. Several efforts have been undertaken to study this threat and to propose better defense mechanisms (mitigation or prevention), yet the majority of them are not deeply reviewed nor officially <a class="link-external link-http" href="http://implemented.Furthermore" rel="external noopener nofollow">this http URL</a>, similar studies show that the techniques proposed to prevent ROP-based exploits usually yield a high false-negative rate and a higher false-positive rate, not to mention the overhead that they introduce into the protected program. The first part of this research work aims at providing an in-depth analysis of the currently available anti-ROP solutions (deployed and proposed), focusing on inspecting their defense logic and summarizing their weaknesses and problems. The second part of this work aims at introducing our proposed Indicators Of Compromise (IOCs) that could be used to improve the detection rate of ROP attacks. The three suggested indicators could detect these attacks at run-time by checking the presence of some artifacts during the execution of the targeted program.

Cryptography and Security

ZhiJun Huang,Tao Zheng,Yunxiu Shi,Ang Li

DOI: https://doi.org/10.1109/icsai.2012.6223219

2012-01-01

Abstract:As the proposition of the idea of Return-Oriented Programming (ROP), programs will face new challenges from viruses, and many of current defense measures will be ineffective. With fine granularity, covert virus features, deliberate and sophisticated construction and rare static characteristics, ROP attack can circumvent many traditional defense measures and its variant Jump-Oriented Programming (JOP) attack makes lots of current special ROP defense tools lose their effects. Under this circumstance, it's imperative to discover the dynamic features of ROP exploits. At this time, bringing in the technology of Dynamic Binary Instrumentation (DBI) provides powerful support for dynamic analysis of ROP attack. In this paper, we will introduce a defense measure to ROP attack. By identifying malicious program execution flow and restricting the function call specification of general program libraries, we will prevent the turning-complete features of ROP attack. Our detection method can restrain malicious use of shared libraries by ROP and defend a large part of ROP attacks.

Lei Xue,Yajin Zhou,Ting Chen,Xiapu Luo,Guofei Gu

2017-01-01

Abstract:It's an essential step to understand malware's behaviors for developing effective solutions. Though a number of systems have been proposed to analyze Android malware, they have been limited by incomplete view of inspection on a single layer. What's worse, various new techniques (e.g., packing, anti-emulator, etc.) employed by the latest malware samples further make these systems ineffective. In this paper, we propose Malton, a novel on-device non-invasive analysis platform for the new Android runtime (i.e., the ART runtime). As a dynamic analysis tool, Malton runs on real mobile devices and provides a comprehensive view of malware's behaviors by conducting multi-layer monitoring and information flow tracking, as well as efficient path exploration. We have carefully evaluated Malton using real-world malware samples. The experimental results showed that Malton is more effective than existing tools, with the capability to analyze sophisticated malware samples and provide a comprehensive view of malicious behaviors of these samples

Andreas Follner,Eric Bodden

DOI: https://doi.org/10.48550/arXiv.1504.02288

2015-04-09

Abstract:Control-flow attacks, usually achieved by exploiting a buffer-overflow vulnerability, have been a serious threat to system security for over fifteen years. Researchers have answered the threat with various mitigation techniques, but nevertheless, new exploits that successfully bypass these technologies still appear on a regular basis. In this paper, we propose ROPocop, a novel approach for detecting and preventing the execution of injected code and for mitigating code-reuse attacks such as return-oriented programming (RoP). ROPocop uses dynamic binary instrumentation, requiring neither access to source code nor debug symbols or changes to the operating system. It mitigates attacks by both monitoring the program counter at potentially dangerous points and by detecting suspicious program flows. We have implemented ROPocop for Windows x86 using PIN, a dynamic program instrumentation framework from Intel. Benchmarks using the SPEC CPU2006 suite show an average overhead of 2.4x, which is comparable to similar approaches, which give weaker guarantees. Real-world applications show only an initially noticeable input lag and no stutter. In our evaluation our tool successfully detected all 11 of the latest real-world code-reuse exploits, with no false alarms. Therefore, despite the overhead, it is a viable, temporary solution to secure critical systems against exploits if a vendor patch is not yet available.

Cryptography and Security

HUANG Zhi-jun,ZHENG Tao

2012-01-01

Computer Science

Abstract:With the adoption of W♁X technology,the traditional code injection attacks have been almost eliminated,so the return-to-lib attack has been greatly restrained.Under this circumstance,Doc.Hovav Shacham promoted the ROP idea,which is short for Return-Oriented Programming.Based on the theory of stack overflow,making using of the valid short instruction sequences that end with ret instructions to construct gadget collections with Turning-Complete features,the ROP idea can accomplish the task of compute and attack.In this paper,we presented achievements in ROP field and ROP's ability of attack since its promotion,and then illustrated the direction for development of the automation of ROP attack and its current achievements,after that,analyzed and predicted the future development of ROP automation.Simultaneously,we discussed strategies and methods aiming at eliminating this attack based on its characteristics,introduced exisiting achievements of defending this attack by comparing their merits and demerits,gave our own perspectives of these defending strategies and methods about how to change and improve them.

Ping Chen,Xiao Xing,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-17650-0_24

2010-01-01

Abstract:Return Oriented Programming(ROP) is a new technique which can be leveraged to construct a rootkit by reusing the existing code within the kernel. Such ROP rootkit can be designed to evade existing kernel integrity protection mechanism. In this paper, we show that, it is also possible to mount a new type of return-oriented programming rootkit without using any return instructions on x86 platform. Our new attack makes use of certain instruction sequences ending in jmp instead of ret; we show that these sequences occur with sufficient frequency in OS kernel, thereby enabling to construct arbitrary x86 behaviors. Since it does not make use of return instructions, our new attack has negative implications for existing defense methods against traditional ROP attack. Further, we present a design of memory layout arrangement technique for this type of ROP rootkit, whose size is not limited by the kernel stack. Finally, we propose the implementation of this practical attack to demonstrate the feasibility and effectiveness of our approach.

Liang Deng,Qingkai Zeng

DOI: https://doi.org/10.1049/iet-ifs.2015.0372

2016-01-01

IET Information Security

Abstract:Commodity operating system kernels are vulnerable to a wide range of attacks due to the large code base and broad attack surface. Mitigation mechanisms such as code signing, W circle plus X, and code integrity protection have raised the bar for kernel security. In turn, attack mechanisms have also become increasingly advanced. They have evolved from simple injection of malicious code into more sophisticated code-reuse attacks [e.g. return-oriented programming (ROP)]. In this study, the authors describe exception-oriented programming (EOP), a novel code-reuse method to construct kernel malware. Unlike previous ROP that can only reuse a limited part of existing code (gadgets), EOP is able to reuse any instruction in existing code and chain the instructions in any order to generate malicious programmes. As a result, EOP can provide the attackers with more powerful capabilities and less complexity for building kernel malware.

Min Huang,Kai Bu,Hanlin Wang,Kaiwen Zhu

DOI: https://doi.org/10.1109/cyberc.2016.14

2016-01-01

Abstract:Malware has started grabbing its undeserved share long before the blossom of Android ecosystem. Injected with malware, malicious applications (apps) may threat users in various ways like financial charges and information stealing. When the severity of a deluge of malware was first noticed, malware detectors delivered unsatisfactory detection accuracy, which further degenerated upon simple transformation of malicious apps. Now years later, we are eager to re-examine the robustness of malware detectors. A surprisingly disappointed finding is that even known malicious apps can evade quite a few detectors. We also find that repackaging with extracted exploitable code instead of readily available malware samples can evade more signature-based detectors. Furthermore, we find Android OS features of Service and Broadcast exploitable to enable malicious apps stealthily active on phones. We implement all these findings through DroidRide, a framework toward making Android malware less catchable to detectors and more active on phones. Our prototype based on two example apps-AndroRAT and MIUI Notes-demonstrates DroidRide's effectiveness in malware evasion. Toward defending against DroidRide alike evasion, we further suggest feasible design enhancements of malware detectors and Android OS.

HAN Hao,MAO Bing,XIE Li

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.04.040

2012-01-01

Abstract:Return-oriented Programming(ROP) is a new attack based on code-reuse technique.This paper proposes a dynamic runtime detection system for return-oriented programming attack,studies the intrinsic nature of ROP and its variant.According to these nature,it designs ret integrity checking,call integrity checking and jmp integrity checking.The detecting system is implemented to static instrument and dynamic run-time checking.Static instrument assemble the analysis code into the program to be detected and dynamic run-time checking do the real detection with the three integrity checking.Preliminary experimental results show that the method can efficiently detect ROP malicious code and have no false positives and negatives.

Zhi Jun Huang,Tao Zheng,Jia Liu

DOI: https://doi.org/10.1109/sees.2012.6225491

2012-01-01

Abstract:With the popularity of embedded devices, especially smart phones, a growing attention has been paid to their programs' security. Many viruses on PC platforms migrated to embedded device have brought new threats to the security of the embedded platform. ROP (Return-Oriented Programming) attack is one of them. At the same time, traditional protective measures on PC platform tend to lose effect in embedded devices due to differences among platforms and architectures which bring significant challenges to virus protection on embedded devices. Defending ROP attack confronts the same problem. Existing protective methods against ROP attack on PC rarely work well on an embedded platform. This paper presents a protective algorithm against ROP virus on the embedded ARM platform. Furthermore, we develop a Valgrind tool to implement this algorithm with dynamic binary instrumentation technology which can effectively prevent the ROP attack and its variants on the ARM platform.

Robin David,Sébastien Bardin,Jean-Yves Marion

DOI: https://doi.org/10.48550/arXiv.1612.05675

2016-12-17

Abstract:Software deobfuscation is a crucial activity in security analysis and especially, in malware analysis. While standard static and dynamic approaches suffer from well-known shortcomings, Dynamic Symbolic Execution (DSE) has recently been proposed has an interesting alternative, more robust than static analysis and more complete than dynamic analysis. Yet, DSE addresses certain kinds of questions encountered by a reverser namely feasibility questions. Many issues arising during reverse, e.g. detecting protection schemes such as opaque predicates fall into the category of infeasibility questions. In this article, we present the Backward-Bounded DSE, a generic, precise, efficient and robust method for solving infeasibility questions. We demonstrate the benefit of the method for opaque predicates and call stack tampering, and give some insight for its usage for some other protection schemes. Especially, the technique has successfully been used on state-of-the-art packers as well as on the government-grade X-Tunnel malware -- allowing its entire deobfuscation. Backward-Bounded DSE does not supersede existing DSE approaches, but rather complements them by addressing infeasibility questions in a scalable and precise manner. Following this line, we propose sparse disassembly, a combination of Backward-Bounded DSE and static disassembly able to enlarge dynamic disassembly in a guaranteed way, hence getting the best of dynamic and static disassembly. This work paves the way for robust, efficient and precise disassembly tools for heavily-obfuscated binaries.

Cryptography and Security,Software Engineering

Yuan Wei,Senlin Luo,Jianwei Zhuge,Jing Gao,Ennan Zheng,Bo Li,Limin Pan

DOI: https://doi.org/10.1109/ACCESS.2019.2937585

IF: 3.9

2019-01-01

IEEE Access

Abstract:Return Oriented Programming (ROP) chains attack has been widely used to bypass Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protection. However, the generation technology for ROP chains is still in a state of manual coding. While, current techniques for automatically generating ROP chains are still insufficiently researched and have few successful applications. On the other hand, the existing methods are based on using Intermediate Language (IL) which is in order to translate the semantics of original instructions for symbolic execution, and then fill in a predefined gadget arrangement to automatically construct a gadget list. This kind of methods may bring following problems: (1) when converting semantics of original to IL, there is a large amount of overhead time, critical instructions may be discarded; (2) the process of populating a predetermined gadget arrangement is inflexible and may fail to construct ROP chains due to address mismatching. In this paper, we propose the Automatic ROP chains Generation (ARG) which is the first fully automatic ROP chains generation tool without using IL. Tested with data from 6 open-source international Capture The Flag (CTF) competitions and 3 Common Vulnerabilities & Exposures (CVE)s, this technology successfully generated ROP chains for all of them. According to the obtained results, our technique can automatically create ROP payloads and reduce up to 80% of ROP exploit payloads. It takes only 3-5 seconds to exploit successfully, compared to manual analysis for at least 60 minutes, as well as it can effectively bypass both Write XOR Execute (W circle plus X) and ASLR.

Ping Chen,Xiao Xing,Bing Mao,Li Xie,Xiaobin Shen,Xinchun Yin

DOI: https://doi.org/10.1145/1966913.1966918

2011-01-01

Abstract:Return-Oriented Programming (ROP) is a technique which leverages the instruction gadgets in existing libraries/executables to construct Turing complete programs. However, ROP attack is usually composed with gadgets which are ending in ret instruction without the corresponding call instruction. Based on this fact, several defense mechanisms have been proposed to detect the ROP malicious code. To circumvent these defenses, Return-Oriented Programming without returns has been proposed recently, which uses the gadgets ending in jmp instruction but with much diversity. In this paper, we propose an improved ROP techniques to construct the ROP shellcode without returns. Meanwhile we implement a tool to automatically construct the real-world Return-Oriented Programming without returns shellcode, which as demonstrated in our experiment can bypass most of the existing ROP defenses.