Xusheng Li,Zhisheng Hu,Haizhou Wang,Yiwei Fu,Ping Chen,Minghui Zhu,Peng Liu

DOI: https://doi.org/10.48550/arXiv.1807.11110

2024-02-13

Abstract:Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code to perform arbitrary operations on target machines. Existing detection methods against ROP exhibit unsatisfactory detection accuracy and/or have high runtime overhead. In this paper, we present ROPNN, which innovatively combines address space layout guided disassembly and deep neural networks to detect ROP payloads. The disassembler treats application input data as code pointers and aims to find any potential gadget chains, which are then classified by a deep neural network as benign or malicious. Our experiments show that ROPNN has high detection rate (99.3%) and a very low false positive rate (0.01%). ROPNN successfully detects all of the 100 real-world ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools. Additionally, ROPNN detects all 10 ROP exploits that can bypass Bin-CFI. ROPNN is non-intrusive and does not incur any runtime overhead to the protected program.

Cryptography and Security

Chao Yang,Tao Zheng,Zhitian Lin

DOI: https://doi.org/10.1109/sere-c.2014.22

2014-01-01

Abstract:More attention has been paid to program security since ROP had been proposed. An ROP defence scheme based on detecting frequent ret sequences was designed in 2009 and it was proved an useful way to defend most ROP attacks. However, this scheme was bypassed by Lgadget, which makes use of long ret sequences and was proposed by J Cao in 2013. Based on J Cao's work, this paper improves the Lgadgets and designs a frame work automatically distributing gadgets addresses into the stack to trigger an ROP exploit. Our work includes turing-complete gadgets gathering, definition and compilation of upper level language, and automated linking and chaining of the gadgets in the stack. We demonstrate the viability and effectiveness of this kind of automatic exploit.

HUANG Zhi-jun,ZHENG Tao

2012-01-01

Computer Science

Abstract:With the adoption of W♁X technology,the traditional code injection attacks have been almost eliminated,so the return-to-lib attack has been greatly restrained.Under this circumstance,Doc.Hovav Shacham promoted the ROP idea,which is short for Return-Oriented Programming.Based on the theory of stack overflow,making using of the valid short instruction sequences that end with ret instructions to construct gadget collections with Turning-Complete features,the ROP idea can accomplish the task of compute and attack.In this paper,we presented achievements in ROP field and ROP's ability of attack since its promotion,and then illustrated the direction for development of the automation of ROP attack and its current achievements,after that,analyzed and predicted the future development of ROP automation.Simultaneously,we discussed strategies and methods aiming at eliminating this attack based on its characteristics,introduced exisiting achievements of defending this attack by comparing their merits and demerits,gave our own perspectives of these defending strategies and methods about how to change and improve them.

Alex Yao Chu Zhu,Wei Qi Yan,Roopak Sinha

DOI: https://doi.org/10.4018/ijdcf.20211101.oa7

2021-01-01

International Journal of Digital Crime and Forensics

Abstract:Most Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS) cannot defend the attacks from a Return Oriented Program (ROP) which applies code reusing and exploiting techniques without the need for code injection. Malicious attackers chain a short sequence as a gadget and execute this gadget as an arbitrary (Turing-complete) behavior in the target program. Lots of ROP defense tools have been developed with satisfactory performance and low costs overhead, but malicious attackers can evade ROP tools. Therefore, it needs security researchers to continually improve existing ROP defense tools, because the defense ability of target devices, such as smartphones is weak, and such devices are being increasingly targeted. Our contribution in this paper is to propose an ROP defense method that has provided a better performance of defense against ROP attacks than existing ROP defense tools.

Zichen Wang,Jingyi Wang,Fu Song,Kun Wang,Hongyi Pu,Peng Cheng

DOI: https://doi.org/10.1145/3626205.3659149

2024-01-01

Abstract:Industrial robots are widely used in industrial production as mechanical devices. It is essential to guarantee that their control software operates safely and properly, as any functional or security-related defects may lead to serious incidents. However, industrial robots are programmed mostly in proprietary languages varying from vendor to vendor, making it challenging to formally analyze their correctness in a unified way. One of the most representative robot programming languages is the RAPID language proposed by ABB Robotics. In this paper, we present K-RAPID, a formal executable semantics of RAPID in the K-Framework (K). K-RAPID is developed according to the official ABB documentation and defined in a generic extensible manner. It can be used either for validating the correctness of compiler implementation or analyzing the control programs written in RAPID. We evaluate the correctness of K-RAPID by executing 563 test programs collected from multiple sources and comparing the results against the official robot simulation environment RobotStudio. The results suggest that K-RAPID covers the core features of RAPID correctly. Moreover, we show how we could apply K-RAPID to verify RAPID programs using LTL model checking and to provide a formal specification of RAPID to uncover inappropriate behaviors in the programs.

Yuan Wei,Senlin Luo,Jianwei Zhuge,Jing Gao,Ennan Zheng,Bo Li,Limin Pan

DOI: https://doi.org/10.1109/ACCESS.2019.2937585

IF: 3.9

2019-01-01

IEEE Access

Abstract:Return Oriented Programming (ROP) chains attack has been widely used to bypass Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protection. However, the generation technology for ROP chains is still in a state of manual coding. While, current techniques for automatically generating ROP chains are still insufficiently researched and have few successful applications. On the other hand, the existing methods are based on using Intermediate Language (IL) which is in order to translate the semantics of original instructions for symbolic execution, and then fill in a predefined gadget arrangement to automatically construct a gadget list. This kind of methods may bring following problems: (1) when converting semantics of original to IL, there is a large amount of overhead time, critical instructions may be discarded; (2) the process of populating a predetermined gadget arrangement is inflexible and may fail to construct ROP chains due to address mismatching. In this paper, we propose the Automatic ROP chains Generation (ARG) which is the first fully automatic ROP chains generation tool without using IL. Tested with data from 6 open-source international Capture The Flag (CTF) competitions and 3 Common Vulnerabilities & Exposures (CVE)s, this technology successfully generated ROP chains for all of them. According to the obtained results, our technique can automatically create ROP payloads and reduce up to 80% of ROP exploit payloads. It takes only 3-5 seconds to exploit successfully, compared to manual analysis for at least 60 minutes, as well as it can effectively bypass both Write XOR Execute (W circle plus X) and ASLR.

LIU Zhi,ZHANG Xiao-song,WU Yue

DOI: https://doi.org/10.3969/j.issn.1000-1220.2013.07.035

2013-01-01

Abstract:Return-Oriented-Programming(ROP) attacks can bypass traditional defenses such as DEP and W ⊕ X.Current detection techniques have high false positives w hich are unable to accurately distinguish attacks from normal instruction execution.ROP attacks need to invoke system calls to achieve attacking goal,before w hich registers must be set to correct values;also each x86 instruction corresponds to one or more gadgets.Bases on such characteristics,a new ROP attack defense technique on binary level w as proposed: it intercepts return instructions,from w hich counts the number of gadgets,then check w hether registers have been changed to correct values just before invoking system call.It does not rely on heuristics and provides accurate detection of ROP attacks by stack smashing.Prototype system is implemented w ith dynamic binary instrumentation tool,and w e evaluated the system w ith normal programs and ROP attacks.Experiment results show it causes low false positives and negatives w hile makes little overhead.

Kangjie Lu,Dabi Zou,Weiping Wen,Debin Gao

DOI: https://doi.org/10.1007/978-3-642-23644-0_6

2011-01-01

Abstract:Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W⊕X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis difficult, be printable to evade non-ASCII filtering, be polymorphic to evade signature-based detection, etc. Research in these potential advances in ROP is important in designing counter-measures. In this paper, we show that ROP code could be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.

Ping Chen,Xiao Xing,Bing Mao,Li Xie,Xiaobin Shen,Xinchun Yin

DOI: https://doi.org/10.1145/1966913.1966918

2011-01-01

Abstract:Return-Oriented Programming (ROP) is a technique which leverages the instruction gadgets in existing libraries/executables to construct Turing complete programs. However, ROP attack is usually composed with gadgets which are ending in ret instruction without the corresponding call instruction. Based on this fact, several defense mechanisms have been proposed to detect the ROP malicious code. To circumvent these defenses, Return-Oriented Programming without returns has been proposed recently, which uses the gadgets ending in jmp instruction but with much diversity. In this paper, we propose an improved ROP techniques to construct the ROP shellcode without returns. Meanwhile we implement a tool to automatically construct the real-world Return-Oriented Programming without returns shellcode, which as demonstrated in our experiment can bypass most of the existing ROP defenses.

Wenbiao Ding,Xiao Xing,Ping Chen,Zhi Xin,Bing Mao

DOI: https://doi.org/10.1109/MALWARE.2014.6999408

2014-01-01

Abstract:Return-oriented programming is a kind of codereuse technique for attackers, which is very effective to bypass the DEP defense. However, the instruction snippet (we call it gadget) is often unprintable 1. This shortcoming can limit the ROP attack to be deployed to practice, since non-ASCII scanning can detect such ROP payload. In this paper, we present a novel method that only uses the printable gadgets, as such it can circumvent the non-ASCII detection. However, this method is non-trival because printable gadgets count for about 10 percents of all the gadgets we can find in existing code(e.g., library or program code). Additionally, not only the gadget address but also data should all be printable in our ROP payload. To construct the printable ROP payload, we propose reverse derivation method to transform original shellcode to printable ROP payload. The transformation is driven by state machines, which indicate the status of data flows. Experimental results show that our method can construct the printable ROP payload that has the same functionality as the real-world malicious shellcode, in addition, the construction process is totally automatic.

Kangjie Lu,Dabi Zou,Weiping Wen,Debin Gao

DOI: https://doi.org/10.1145/2076732.2076784

2011-01-01

Abstract:Over the last few years, malware analysis has been one of the hottest areas in security research. Many techniques and tools have been developed to assist in automatic analysis of malware. This ranges from basic tools like disassemblers and decompilers, to static and dynamic tools that analyze malware behaviors, to automatic malware clustering and classification techniques, to virtualization technologies to assist malware analysis, to signature- and anomaly-based malware detection, and many others. However, most of these techniques and tools would not work on new attacking techniques, e.g., attacks that use return-oriented programming (ROP). In this paper, we look into the possibility of enabling existing defense technologies designed for normal malware to cope with malware using return-oriented programming. We discuss difficulties in removing ROP from malware, and design and implement an automatic converter, called deRop, that converts an ROP exploit into shellcode that is semantically equivalent with the original ROP exploit but does not use ROP, which could then be analyzed by existing malware defense technologies. We apply deRop on four real ROP malwares and demonstrate success in using deRop for the automatic conversion. We further discuss applicability and limitations of deRop.

Ping Chen,Hai Xiao,Xiaobin Shen,Xinchun Yin,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-10772-6_13

2009-01-01

Abstract:Return-Oriented Programming (ROP) is a new technique that helps the attacker construct malicious code mounted on x86/SPARC executables without any function call at all. Such technique makes the ROP malicious code contain no instruction, which is different from existing attacks. Moreover, it hides the malicious code in benign code. Thus, it circumvents the approaches that prevent control flow diversion outside legitimate regions (such as W *** X ) and most malicious code scanning techniques (such as anti-virus scanners). However, ROP has its own intrinsic feature which is different from normal program design: (1) uses short instruction sequence ending in "ret", which is called gadget, and (2) executes the gadgets contiguously in specific memory space, such as standard GNU libc. Based on the features of the ROP malicious code, in this paper, we present a tool DROP, which is focused on dynamically detecting ROP malicious code. Preliminary experimental results show that DROP can efficiently detect ROP malicious code, and have no false positives and negatives.

Ping-Hai YUAN,Qing-Kai ZENG

DOI: https://doi.org/10.13328/j.cnki.jos.005317

2017-01-01

Abstract:Return-Oriented programming (ROP) is widely applied in modern software vulnerability exploitations.This work demonstrates that Turing-complete ROP code is universally available in everyday software.A big challenge for applying ROP is to construct the functionality of conditional jumps.Because conditional branch instructions are abandoned as they are deemed no use for achieving this functionality,existing works resort to some awkward methods which suffer from high risk of failure.By analyzing the execution context of conditional branch instructions,this study finds that the traditional viewpoint on these instructions only partially reveals the truth.In fact,there are some conditional branch instructions in which two branches each starts a reusable gadget,and these two gadgets fetch the next gadget from different memory cells.Hence,the code snippets beginning at these conditional instructions can implement the conditional jumps for ROP code.Such a code snippet is named if-gadget.Experimental results show that if-gadgets are widely available in executables of Linux and Windows platforms.Evaluations on programs of Binutils demonstrate that,Turing complete ROP code can be achieved with the help of if-gadgets while existing techniques even fail to gather Turing complete gadgets.On platforms such as Ubuntu,because the executables running on them do not support ASLR by default,attackers can construct Turing-complete ROP code on these executables and then mount an attack.Therefore,ROP-based attacks pose a great threat to modern platforms,which is far more serious than originally thought.

ZhiJun Huang,Tao Zheng,Yunxiu Shi,Ang Li

DOI: https://doi.org/10.1109/icsai.2012.6223219

2012-01-01

Abstract:As the proposition of the idea of Return-Oriented Programming (ROP), programs will face new challenges from viruses, and many of current defense measures will be ineffective. With fine granularity, covert virus features, deliberate and sophisticated construction and rare static characteristics, ROP attack can circumvent many traditional defense measures and its variant Jump-Oriented Programming (JOP) attack makes lots of current special ROP defense tools lose their effects. Under this circumstance, it's imperative to discover the dynamic features of ROP exploits. At this time, bringing in the technology of Dynamic Binary Instrumentation (DBI) provides powerful support for dynamic analysis of ROP attack. In this paper, we will introduce a defense measure to ROP attack. By identifying malicious program execution flow and restricting the function call specification of general program libraries, we will prevent the turning-complete features of ROP attack. Our detection method can restrain malicious use of shared libraries by ROP and defend a large part of ROP attacks.

Dandan Xu,Kai Chen,Miaoqian Lin,Chaoyang Lin,XiaoFeng Wang

DOI: https://doi.org/10.1109/tifs.2023.3322319

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Capture-the-flag (CTF) competitions have become highly successful in security education, and heap corruption is considered one of the most difficult and rewarding challenges due to its complexity and real-world impact. However, developing a heap exploit is a challenging task that often requires significant human involvement to manipulate memory layouts and bypass security checks. To facilitate the exploitation of heap corruption, existing solutions develop automated systems that rely on manually crafted patterns to generate exploits. Such manual patterns tend to be specific, which limits their flexibility to cope with the evolving exploit techniques. To address this limitation, we explore the problem of the automatic summarization of exploit patterns. We leverage an observation that public attack artifacts provide key insights into heap exploits. Based upon this observation, we develop AutoPwn, the first artifact-assisted AEG system that automatically summarizes exploit patterns from artifacts of known heap exploits and uses them to guide the exploitation of new programs. Considering the diversity of programs and exploits, we propose to use a novel Exploitation State Machine (ESM), with generic states and transitions to model the exploit patterns, and then efficiently construct it through combining the dynamic monitoring of exploits and the semantic analysis of their text descriptions. We implement a prototype of AutoPwn and evaluate it on 96 testing CTF binaries. The results show that AutoPwn produces 22 successful exploits and 13 partial exploits, preliminarily demonstrating its efficacy.

Sanjeeu Das,Bihuan Chen,Mahintham Chandramohan,Yang Liu,Wei Zhang

DOI: https://doi.org/10.1016/j.cose.2017.11.011

IF: 5.105

2017-01-01

Computers & Security

Abstract:Return-Oriented Programming (ROP) is one of the most common techniques to exploit software vulnerabilities. However, existing defense techniques can be defeated by attackers, or suffer from high performance overhead. In this paper, we propose a defense framework, named ROPSentry, to detect ROP attacks at runtime. It is built on the observation that ROP exploits usually trigger different hardware events than normal programs generated by compilers. Hence, we leverage hardware performance counters to track such hardware events and analyze behavioral patterns of ROP attacks. ROPSentry has two approaches. The ROP-only defense approach detects ROP attacks via capturing the patterns of ROP exploits, where we propose to sample the hardware performance counters at mispredicted return events instead of at every microinstruction for a low performance overhead. To further reduce performance overhead, we propose a self-adaptive defense approach to dynamically switch between low and high sampling rates. It detects the patterns of spraying attacks (i.e., one common ROP payload delivery technique) at a low sampling rate, and then switches to a high sampling rate for detecting the patterns of ROP exploits. Our evaluation on 11 real-world ROP exploits, 50 synthetically generated ROP exploits and 1000 benign websites has shown that, the ROP-only and self-adaptive approaches are effective in detecting ROP attacks with low performance overhead (11% and 1% respectively) as well as low false positive; and they significantly outperform the state-of-the-art techniques in terms of performance overhead without losing the detection accuracy.

Jie Li,Weina Niu,Ran Yan,Zhiqin Duan,Beibei Li,Xiaosong Zhang

DOI: https://doi.org/10.1109/trustcom56396.2022.00033

2022-01-01

Abstract:Return-Oriented Programming (ROP) has become one of the most widely used attack techniques for software vulnerability exploitation. Existing ROP detection methods fall into two types: hardware-based methods and software-based methods. The former is strongly dependent on specific hardware architectures and difficult to deploy. Although the latter can alleviate these problems, limited by the selection of features and thresholds, it cannot effectively discover neither variant ROP nor delayed ROP. In this work, we propose an intelligent detection method at runtime and implement the corresponding prototype system, IDROP, which uses real-time execution flow and LSTM to discovery ROP and its variants. Specifically, IDROP analyzes the differences between program execution flows that are independent of the ROP feature thresholds. Firstly, the Aspect Oriented Programming (AOP) is utilized to instrument the tested program, and the sliding window mechanism is applied to screen out suspicious program execution flow snapshots. Then, these suspicious execution flow snapshots are vectorized through data representation techniques. Finally, we build and train an LSTM model to discover ROP. Furthermore, we evaluate the performance of IDROP on a dataset consisting of 6000+ samples. The experimental results show that IDROP is effective in detecting ROP attacks, variant ROP and delayed ROP with an accuracy of 98%, 93% and 80%, respectively. In addition, IDROP has negligible space overhead and low performance overhead, which is similar to that of only using Pin for detection (about additional 2.5 times the program execution time before instrumentation).

Andreas Follner,Eric Bodden

DOI: https://doi.org/10.48550/arXiv.1504.02288

2015-04-09

Abstract:Control-flow attacks, usually achieved by exploiting a buffer-overflow vulnerability, have been a serious threat to system security for over fifteen years. Researchers have answered the threat with various mitigation techniques, but nevertheless, new exploits that successfully bypass these technologies still appear on a regular basis. In this paper, we propose ROPocop, a novel approach for detecting and preventing the execution of injected code and for mitigating code-reuse attacks such as return-oriented programming (RoP). ROPocop uses dynamic binary instrumentation, requiring neither access to source code nor debug symbols or changes to the operating system. It mitigates attacks by both monitoring the program counter at potentially dangerous points and by detecting suspicious program flows. We have implemented ROPocop for Windows x86 using PIN, a dynamic program instrumentation framework from Intel. Benchmarks using the SPEC CPU2006 suite show an average overhead of 2.4x, which is comparable to similar approaches, which give weaker guarantees. Real-world applications show only an initially noticeable input lag and no stutter. In our evaluation our tool successfully detected all 11 of the latest real-world code-reuse exploits, with no false alarms. Therefore, despite the overhead, it is a viable, temporary solution to secure critical systems against exploits if a vendor patch is not yet available.

Cryptography and Security

HAN Hao,MAO Bing,XIE Li

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.04.040

2012-01-01

Abstract:Return-oriented Programming(ROP) is a new attack based on code-reuse technique.This paper proposes a dynamic runtime detection system for return-oriented programming attack,studies the intrinsic nature of ROP and its variant.According to these nature,it designs ret integrity checking,call integrity checking and jmp integrity checking.The detecting system is implemented to static instrument and dynamic run-time checking.Static instrument assemble the analysis code into the program to be detected and dynamic run-time checking do the real detection with the three integrity checking.Preliminary experimental results show that the method can efficiently detect ROP malicious code and have no false positives and negatives.

Zhi Jun Huang,Tao Zheng,Jia Liu

DOI: https://doi.org/10.1109/sees.2012.6225491

2012-01-01

Abstract:With the popularity of embedded devices, especially smart phones, a growing attention has been paid to their programs' security. Many viruses on PC platforms migrated to embedded device have brought new threats to the security of the embedded platform. ROP (Return-Oriented Programming) attack is one of them. At the same time, traditional protective measures on PC platform tend to lose effect in embedded devices due to differences among platforms and architectures which bring significant challenges to virus protection on embedded devices. Defending ROP attack confronts the same problem. Existing protective methods against ROP attack on PC rarely work well on an embedded platform. This paper presents a protective algorithm against ROP virus on the embedded ARM platform. Furthermore, we develop a Valgrind tool to implement this algorithm with dynamic binary instrumentation technology which can effectively prevent the ROP attack and its variants on the ARM platform.