Xusheng Li,Zhisheng Hu,Haizhou Wang,Yiwei Fu,Ping Chen,Minghui Zhu,Peng Liu

DOI: https://doi.org/10.48550/arXiv.1807.11110

2024-02-13

Abstract:Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code to perform arbitrary operations on target machines. Existing detection methods against ROP exhibit unsatisfactory detection accuracy and/or have high runtime overhead. In this paper, we present ROPNN, which innovatively combines address space layout guided disassembly and deep neural networks to detect ROP payloads. The disassembler treats application input data as code pointers and aims to find any potential gadget chains, which are then classified by a deep neural network as benign or malicious. Our experiments show that ROPNN has high detection rate (99.3%) and a very low false positive rate (0.01%). ROPNN successfully detects all of the 100 real-world ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools. Additionally, ROPNN detects all 10 ROP exploits that can bypass Bin-CFI. ROPNN is non-intrusive and does not incur any runtime overhead to the protected program.

Cryptography and Security

HAN Hao,MAO Bing,XIE Li

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.04.040

2012-01-01

Abstract:Return-oriented Programming(ROP) is a new attack based on code-reuse technique.This paper proposes a dynamic runtime detection system for return-oriented programming attack,studies the intrinsic nature of ROP and its variant.According to these nature,it designs ret integrity checking,call integrity checking and jmp integrity checking.The detecting system is implemented to static instrument and dynamic run-time checking.Static instrument assemble the analysis code into the program to be detected and dynamic run-time checking do the real detection with the three integrity checking.Preliminary experimental results show that the method can efficiently detect ROP malicious code and have no false positives and negatives.

Zhi Jun Huang,Tao Zheng,Jia Liu

DOI: https://doi.org/10.1109/sees.2012.6225491

2012-01-01

Abstract:With the popularity of embedded devices, especially smart phones, a growing attention has been paid to their programs' security. Many viruses on PC platforms migrated to embedded device have brought new threats to the security of the embedded platform. ROP (Return-Oriented Programming) attack is one of them. At the same time, traditional protective measures on PC platform tend to lose effect in embedded devices due to differences among platforms and architectures which bring significant challenges to virus protection on embedded devices. Defending ROP attack confronts the same problem. Existing protective methods against ROP attack on PC rarely work well on an embedded platform. This paper presents a protective algorithm against ROP virus on the embedded ARM platform. Furthermore, we develop a Valgrind tool to implement this algorithm with dynamic binary instrumentation technology which can effectively prevent the ROP attack and its variants on the ARM platform.

Alex Yao Chu Zhu,Wei Qi Yan,Roopak Sinha

DOI: https://doi.org/10.4018/ijdcf.20211101.oa7

2021-01-01

International Journal of Digital Crime and Forensics

Abstract:Most Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS) cannot defend the attacks from a Return Oriented Program (ROP) which applies code reusing and exploiting techniques without the need for code injection. Malicious attackers chain a short sequence as a gadget and execute this gadget as an arbitrary (Turing-complete) behavior in the target program. Lots of ROP defense tools have been developed with satisfactory performance and low costs overhead, but malicious attackers can evade ROP tools. Therefore, it needs security researchers to continually improve existing ROP defense tools, because the defense ability of target devices, such as smartphones is weak, and such devices are being increasingly targeted. Our contribution in this paper is to propose an ROP defense method that has provided a better performance of defense against ROP attacks than existing ROP defense tools.

Ping Chen,Hai Xiao,Xiaobin Shen,Xinchun Yin,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-10772-6_13

2009-01-01

Abstract:Return-Oriented Programming (ROP) is a new technique that helps the attacker construct malicious code mounted on x86/SPARC executables without any function call at all. Such technique makes the ROP malicious code contain no instruction, which is different from existing attacks. Moreover, it hides the malicious code in benign code. Thus, it circumvents the approaches that prevent control flow diversion outside legitimate regions (such as W *** X ) and most malicious code scanning techniques (such as anti-virus scanners). However, ROP has its own intrinsic feature which is different from normal program design: (1) uses short instruction sequence ending in "ret", which is called gadget, and (2) executes the gadgets contiguously in specific memory space, such as standard GNU libc. Based on the features of the ROP malicious code, in this paper, we present a tool DROP, which is focused on dynamically detecting ROP malicious code. Preliminary experimental results show that DROP can efficiently detect ROP malicious code, and have no false positives and negatives.

Ping Chen,Xiao Xing,Hao Han,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-17714-9_11

2010-01-01

Abstract:Return-Oriented Programming (ROP) is a code-reuse technique which helps the attacker construct malicious code by using the instruction snippets in existing libraries/executables. Such technique makes the ROP program contain no malicious instructions. Moreover, in recent research, Return-Oriented Programming without returns has been proposed, which can be used to mount an attack without any independent return instructions, therefore, ROP malicious code circumvents the existing defenses which are based on the assumption that the ROP malicious code should use the ret without corresponding call. In this paper, we found the intrinsic feature of the ROP shellcode, and proposed an efficient method which can detect the ROP malicious code (including the one without returns). Preliminary experimental results show that our method can efficiently detect ROP malicious code and have no false positives and negatives.

Andreas Follner,Eric Bodden

DOI: https://doi.org/10.48550/arXiv.1504.02288

2015-04-09

Abstract:Control-flow attacks, usually achieved by exploiting a buffer-overflow vulnerability, have been a serious threat to system security for over fifteen years. Researchers have answered the threat with various mitigation techniques, but nevertheless, new exploits that successfully bypass these technologies still appear on a regular basis. In this paper, we propose ROPocop, a novel approach for detecting and preventing the execution of injected code and for mitigating code-reuse attacks such as return-oriented programming (RoP). ROPocop uses dynamic binary instrumentation, requiring neither access to source code nor debug symbols or changes to the operating system. It mitigates attacks by both monitoring the program counter at potentially dangerous points and by detecting suspicious program flows. We have implemented ROPocop for Windows x86 using PIN, a dynamic program instrumentation framework from Intel. Benchmarks using the SPEC CPU2006 suite show an average overhead of 2.4x, which is comparable to similar approaches, which give weaker guarantees. Real-world applications show only an initially noticeable input lag and no stutter. In our evaluation our tool successfully detected all 11 of the latest real-world code-reuse exploits, with no false alarms. Therefore, despite the overhead, it is a viable, temporary solution to secure critical systems against exploits if a vendor patch is not yet available.

Cryptography and Security

HUANG Zhi-jun,ZHENG Tao

2012-01-01

Computer Science

Abstract:With the adoption of W♁X technology,the traditional code injection attacks have been almost eliminated,so the return-to-lib attack has been greatly restrained.Under this circumstance,Doc.Hovav Shacham promoted the ROP idea,which is short for Return-Oriented Programming.Based on the theory of stack overflow,making using of the valid short instruction sequences that end with ret instructions to construct gadget collections with Turning-Complete features,the ROP idea can accomplish the task of compute and attack.In this paper,we presented achievements in ROP field and ROP's ability of attack since its promotion,and then illustrated the direction for development of the automation of ROP attack and its current achievements,after that,analyzed and predicted the future development of ROP automation.Simultaneously,we discussed strategies and methods aiming at eliminating this attack based on its characteristics,introduced exisiting achievements of defending this attack by comparing their merits and demerits,gave our own perspectives of these defending strategies and methods about how to change and improve them.

Sanjeeu Das,Bihuan Chen,Mahintham Chandramohan,Yang Liu,Wei Zhang

DOI: https://doi.org/10.1016/j.cose.2017.11.011

IF: 5.105

2017-01-01

Computers & Security

Abstract:Return-Oriented Programming (ROP) is one of the most common techniques to exploit software vulnerabilities. However, existing defense techniques can be defeated by attackers, or suffer from high performance overhead. In this paper, we propose a defense framework, named ROPSentry, to detect ROP attacks at runtime. It is built on the observation that ROP exploits usually trigger different hardware events than normal programs generated by compilers. Hence, we leverage hardware performance counters to track such hardware events and analyze behavioral patterns of ROP attacks. ROPSentry has two approaches. The ROP-only defense approach detects ROP attacks via capturing the patterns of ROP exploits, where we propose to sample the hardware performance counters at mispredicted return events instead of at every microinstruction for a low performance overhead. To further reduce performance overhead, we propose a self-adaptive defense approach to dynamically switch between low and high sampling rates. It detects the patterns of spraying attacks (i.e., one common ROP payload delivery technique) at a low sampling rate, and then switches to a high sampling rate for detecting the patterns of ROP exploits. Our evaluation on 11 real-world ROP exploits, 50 synthetically generated ROP exploits and 1000 benign websites has shown that, the ROP-only and self-adaptive approaches are effective in detecting ROP attacks with low performance overhead (11% and 1% respectively) as well as low false positive; and they significantly outperform the state-of-the-art techniques in terms of performance overhead without losing the detection accuracy.

Ammari Nader,Joan Calvet,Jose M. Fernandez

DOI: https://doi.org/10.48550/arXiv.2005.11886

2020-05-25

Abstract:Return Oriented Programming (ROP) is a technique by which an attacker can induce arbitrary behavior inside a vulnerable program without injecting a malicious code. The continues failure of the currently deployed defenses against ROP has made it again one of the most powerful memory corruption attacks. ROP is also considered as one of the most flexible attacks, its level of flexibility, unlike other code reuse attacks, can reach the Turing completeness. Several efforts have been undertaken to study this threat and to propose better defense mechanisms (mitigation or prevention), yet the majority of them are not deeply reviewed nor officially <a class="link-external link-http" href="http://implemented.Furthermore" rel="external noopener nofollow">this http URL</a>, similar studies show that the techniques proposed to prevent ROP-based exploits usually yield a high false-negative rate and a higher false-positive rate, not to mention the overhead that they introduce into the protected program. The first part of this research work aims at providing an in-depth analysis of the currently available anti-ROP solutions (deployed and proposed), focusing on inspecting their defense logic and summarizing their weaknesses and problems. The second part of this work aims at introducing our proposed Indicators Of Compromise (IOCs) that could be used to improve the detection rate of ROP attacks. The three suggested indicators could detect these attacks at run-time by checking the presence of some artifacts during the execution of the targeted program.

Cryptography and Security

Ping Chen,Xiao Xing,Bing Mao,Li Xie,Xiaobin Shen,Xinchun Yin

DOI: https://doi.org/10.1145/1966913.1966918

2011-01-01

Abstract:Return-Oriented Programming (ROP) is a technique which leverages the instruction gadgets in existing libraries/executables to construct Turing complete programs. However, ROP attack is usually composed with gadgets which are ending in ret instruction without the corresponding call instruction. Based on this fact, several defense mechanisms have been proposed to detect the ROP malicious code. To circumvent these defenses, Return-Oriented Programming without returns has been proposed recently, which uses the gadgets ending in jmp instruction but with much diversity. In this paper, we propose an improved ROP techniques to construct the ROP shellcode without returns. Meanwhile we implement a tool to automatically construct the real-world Return-Oriented Programming without returns shellcode, which as demonstrated in our experiment can bypass most of the existing ROP defenses.

Kangjie Lu,Dabi Zou,Weiping Wen,Debin Gao

DOI: https://doi.org/10.1145/2076732.2076784

2011-01-01

Abstract:Over the last few years, malware analysis has been one of the hottest areas in security research. Many techniques and tools have been developed to assist in automatic analysis of malware. This ranges from basic tools like disassemblers and decompilers, to static and dynamic tools that analyze malware behaviors, to automatic malware clustering and classification techniques, to virtualization technologies to assist malware analysis, to signature- and anomaly-based malware detection, and many others. However, most of these techniques and tools would not work on new attacking techniques, e.g., attacks that use return-oriented programming (ROP). In this paper, we look into the possibility of enabling existing defense technologies designed for normal malware to cope with malware using return-oriented programming. We discuss difficulties in removing ROP from malware, and design and implement an automatic converter, called deRop, that converts an ROP exploit into shellcode that is semantically equivalent with the original ROP exploit but does not use ROP, which could then be analyzed by existing malware defense technologies. We apply deRop on four real ROP malwares and demonstrate success in using deRop for the automatic conversion. We further discuss applicability and limitations of deRop.

Xusheng Li,Zhisheng Hu,Haizhou Wang,Yiwei Fu,Ping Chen,Minghui Zhu,Peng Liu

DOI: https://doi.org/10.3233/jcs-191368

2020-01-01

Journal of Computer Security

Abstract:Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code to perform arbitrary operations on target machines. Existing detection methods against ROP exhibit unsatisfactory detection accuracy and/or have high runtime overhead. In this paper, we present DeepReturn, which innovatively combines address space layout guided disassembly and deep neural networks to detect ROP payloads. The disassembler treats application input data as code pointers and aims to find any potential gadget chains, which are then classified by a deep neural network as benign or malicious. Our experiments show that DeepReturn has high detection rate (99.3%) and a very low false positive rate (0.01%). DeepReturn successfully detects all of the 100 real-world ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools. DeepReturn is non-intrusive and does not incur any runtime overhead to the protected program.

Ping Chen,Xiao Xing,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-17650-0_24

2010-01-01

Abstract:Return Oriented Programming(ROP) is a new technique which can be leveraged to construct a rootkit by reusing the existing code within the kernel. Such ROP rootkit can be designed to evade existing kernel integrity protection mechanism. In this paper, we show that, it is also possible to mount a new type of return-oriented programming rootkit without using any return instructions on x86 platform. Our new attack makes use of certain instruction sequences ending in jmp instead of ret; we show that these sequences occur with sufficient frequency in OS kernel, thereby enabling to construct arbitrary x86 behaviors. Since it does not make use of return instructions, our new attack has negative implications for existing defense methods against traditional ROP attack. Further, we present a design of memory layout arrangement technique for this type of ROP rootkit, whose size is not limited by the kernel stack. Finally, we propose the implementation of this practical attack to demonstrate the feasibility and effectiveness of our approach.

Kangjie Lu,Dabi Zou,Weiping Wen,Debin Gao

DOI: https://doi.org/10.1007/978-3-642-23644-0_6

2011-01-01

Abstract:Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W⊕X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis difficult, be printable to evade non-ASCII filtering, be polymorphic to evade signature-based detection, etc. Research in these potential advances in ROP is important in designing counter-measures. In this paper, we show that ROP code could be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.

Chao Yang,Tao Zheng,Zhitian Lin

DOI: https://doi.org/10.1109/sere-c.2014.22

2014-01-01

Abstract:More attention has been paid to program security since ROP had been proposed. An ROP defence scheme based on detecting frequent ret sequences was designed in 2009 and it was proved an useful way to defend most ROP attacks. However, this scheme was bypassed by Lgadget, which makes use of long ret sequences and was proposed by J Cao in 2013. Based on J Cao's work, this paper improves the Lgadgets and designs a frame work automatically distributing gadgets addresses into the stack to trigger an ROP exploit. Our work includes turing-complete gadgets gathering, definition and compilation of upper level language, and automated linking and chaining of the gadgets in the stack. We demonstrate the viability and effectiveness of this kind of automatic exploit.

Rui Wu,Ping Chen,Bing Mao,Li Xie

DOI: https://doi.org/10.1109/ARES.2012.11

2012-01-01

Abstract:As a code reuse technique, JIT spraying attack becomes popular on the JITed VM (Virtual Machine) (e.g., Javascript Engine, Flash Engine). Using a bug in web applications, an attacker can reuse the code generated by the JIT (Just-In-Time) compiler, which is used to optimize the performance of web applications. JIT spraying attacks can circumvent DEP and ASLR -- protection mechanisms of modern operating systems. Based on the observation that JIT spraying attack mostly uses the immediate operand of the arithmetic instruction to build a shellcode, we propose RIM, a technique that obfuscates the arithmetic operations in the JITed code and prevents attackers from reusing the native code to construct a malicious code. We implement a prototype on Tamarin flash engine and demonstrate the effectiveness of RIM. Experimental results show that RIM's overhead is very low (less than 1%). And RIM greatly improves the security functionality of JIT compilers.

Nitin Kanaskar,Remzi Seker,Jiang Bian,Vir V. Phoha

DOI: https://doi.org/10.1109/TSMCC.2012.2208187

2012-01-01

Abstract:Code injection is a common approach which is utilized to exploit applications. We introduce some of the well-established techniques and formalisms of dynamical system theory into analysis of program behavior via system calls to detect code injections into an applications execution space. We accept a program as a blackbox dynamical system whose internals are not known, but whose output we can observe. The blackbox system observable in our model is the system calls the program makes. The collected system calls are treated as signals which are used to reconstruct the system’s phase space. Then, by using the well-established techniques from dynamical system theory, we quantify the amount of complexity of the system’s (program’s) behavior. The change in the behavior of a compromised system is detected as anomalous behavior compared with the baseline established from a clean program. We test the proposed approach against DARPA-98 dataset and a real-world exploit and present code injection experiments to show the applicability of our approach.

Bingchen Lan,Yan Li,Hao Sun,Chao Su,Yao Liu,Qingkai Zeng

DOI: https://doi.org/10.1109/trustcom.2015.374

2015-01-01

Abstract:Code reuse attacks have become one of the most popular exploitation techniques, and coarse-grained control flow integrity (CFI) is a practical approach used to prevent such attacks. Recently, some new approaches have been proposed to construct call-preceded-ROP attacks to bypass coarse-grained CFI, however, we find that they still fail to bypass shadow stack, which enforces caller-callee semantics to strengthen CFI that constrains the control flow in a much stricter way. Therefore, in this paper, we propose a new code reuse attack, named loop-oriented programming (LOP), aiming to bypass both coarse-grained CFI and shadow stack. Quite different from previous code reuse attacks, LOP collects entire functions as basic building blocks (i.e., gadgets), and chains these gadgets in a way that the control flows strictly follow the process of call-ret-pairing. Specifically, LOP selects a particular function with a loop statement, called loop gadget, to chain all the available gadgets. To demonstrate the effectiveness of LOP, we construct a proof-of-concept exploit against Internet Explorer 8 on 32-bit x86 platform.

李佳静,梁知音,韦韬,邹维,毛剑

DOI: https://doi.org/10.3724/sp.j.1001.2010.03507

2010-01-01

Abstract:In this paper, a novel method is presented to solve these problems.This method processes the X86 executable programs statically, so it has a higher code coverage than dynamic methods.Besides, it employs a data flow analysis method to identify the jump targets for indirect jumps.It also utilizes optimized tainting mark rules based on the operation semantic of branch conditions.Experiments on 103 real malwares and 7 benign softwares show that the proposed method has the following advantages: For Trojan-spy program detection, it can reduce the false negatives caused by the explicit-flow-sensitive method, and it is effective in dealing with information steal behaviors triggered by some particular conditions.For benign program analysis, it can reduce most of the tainted branches that should be tracked in the original implicit-flow-sensitive method without optimization.