Abstract
By combining short instruction sequences drawn only from existing code, Return Oriented Programming (ROP) attacks can bypass the code-integrity effort model. To defeat this kind of attack, current approaches check every instruction executed on a processor, which results in heavy performance overheads. In this paper, we propose an innovative approach, called HDROP, to detect such attacks. It utilizes the observation that ROP attacks often cause the branch predictor in modern processors to fail to determine the accurate branch destination. With the support of PMCs (Performance Monitoring Counters), which are capable of counting performance events, we catch the abnormal increase in branch mis-predictions and detect the existence of ROP attacks. In HDROP, each basic unit being checked consists of hundreds of instructions rather than a single one, which effectively avoids significant performance overheads. The prototype system we developed on commodity hardware shows that HDROP succeeds in detecting ROP attacks, and the performance tests demonstrate that our approach has acceptably lower overheads.
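The detection idea in the abstract, sketched as an added example that is not code from the HDROP paper or its prototype: each checked unit of a few hundred instructions is judged by its branch misprediction ratio against a running benign baseline. The struct layout, the threshold values and the sample counter deltas are assumptions constructed for illustration; in a real deployment the deltas would be read from the PMC at each checkpoint.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Counter deltas for one checked unit (a few hundred instructions). */
struct pmc_window {
    uint64_t instructions;  /* instructions retired in the unit */
    uint64_t branches;      /* branch instructions retired */
    uint64_t mispredicts;   /* mispredicted branches */
};

/* Assumed tuning values, chosen for this example (not taken from the paper). */
#define MIN_BRANCHES  16    /* too few branches: ratio is not meaningful */
#define RATIO_LIMIT   0.30  /* absolute mispredict/branch ratio floor */
#define BASELINE_MULT 4.0   /* must also exceed the running baseline by this factor */
#define EWMA_ALPHA    0.2   /* weight of the newest benign unit in the baseline */

/* Constructed sample: benign units, one sparse unit, then two ROP-like units. */
static const struct pmc_window sample[] = {
    {310, 62, 2}, {295, 58, 1}, {300, 8, 6},
    {305, 70, 58}, {298, 66, 51}, {302, 60, 3},
};
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])

/* Returns the number of abnormal units; stores up to cap of their indices. */
size_t detect_abnormal(const struct pmc_window *w, size_t n, size_t *flagged, size_t cap)
{
    double baseline = -1.0;  /* no baseline until a benign unit is seen */
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (w[i].branches < MIN_BRANCHES) continue;
        double ratio = (double)w[i].mispredicts / (double)w[i].branches;
        if (ratio >= RATIO_LIMIT && (baseline < 0.0 || ratio >= BASELINE_MULT * baseline)) {
            if (hits < cap) flagged[hits] = i;
            hits++;
            continue;  /* keep abnormal units out of the baseline */
        }
        baseline = baseline < 0.0 ? ratio : (1.0 - EWMA_ALPHA) * baseline + EWMA_ALPHA * ratio;
    }
    return hits;
}

int main(void)
{
    size_t idx[SAMPLE_LEN], n = detect_abnormal(sample, SAMPLE_LEN, idx, SAMPLE_LEN);
    for (size_t i = 0; i < n; i++)
        printf("unit %zu: abnormal branch misprediction rate\n", idx[i]);
    return 0;
}
```

Checking one ratio per unit rather than every instruction is what keeps the per-check cost low; the sparse unit is skipped because a ratio over a handful of branches is too noisy to act on.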
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Zhou, H., Wu, X., Shi, W., Yuan, J., Liang, B. (2014). HDROP: Detecting ROP Attacks Using Performance Monitoring Counters. In: Huang, X., Zhou, J. (eds) Information Security Practice and Experience. ISPEC 2014. Lecture Notes in Computer Science, vol 8434. Springer, Cham. https://doi.org/10.1007/978-3-319-06320-1_14
DOI: https://doi.org/10.1007/978-3-319-06320-1_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-06319-5
Online ISBN: 978-3-319-06320-1
eBook Packages: Computer Science (R0)