
Check My Profile: Leveraging Static Analysis for Fast and Accurate Detection of ROP Gadgets

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8145)


Abstract

Return-oriented programming (ROP) offers a powerful technique for undermining state-of-the-art security mechanisms, including non-executable memory and address space layout randomization. To mitigate this daunting attack strategy, several in-built defensive mechanisms have been proposed. In this work, we instead focus on detection techniques that do not require any modification to end-user platforms. Specifically, we propose a novel framework that efficiently analyzes documents (PDF, Office, or HTML files) and detects whether they contain a return-oriented programming payload. To do so, we provide advanced techniques for taking memory snapshots of a target application, efficiently transferring the snapshots to a host system, as well as novel static analysis and filtering techniques to identify and profile chains of code pointers referencing ROP gadgets (that may even reside in randomized libraries). Our evaluation of over 7,662 benign and 57 malicious documents demonstrates that we can perform such analysis accurately and expeditiously — with the vast majority of documents analyzed in about 3 seconds.
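The abstract's core idea is to profile candidate gadgets in a captured memory image and then follow chains of code pointers through a snapshot of process data. The following Python is an added illustration of that idea, not the paper's code or evaluation: it uses a constructed image for a hypothetical module (`libdemo`, mapped at 0x10000000) and a constructed stack snapshot (`STACK`), decodes only a tiny 32-bit x86 subset (pop r32, mov, nop, ret, ret imm16), and uses each gadget's stack consumption to locate the next return address. The function names, thresholds and sample bytes are assumptions made for the example; the paper's snapshotting, transfer and benign-pointer filtering are not reproduced.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not the paper's code: profile ret-terminated gadgets and walk code-pointer
# chains in a constructed snapshot. Module bases are read from the snapshot, so ASLR is moot.

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    code: bytes

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + len(self.code)

def _modrm_len(modrm: int) -> Optional[int]:
    """Operand bytes following an opcode with a ModRM byte (SIB forms not decoded)."""
    mod, rm = modrm >> 6, modrm & 7
    if rm == 4 and mod != 3:
        return None
    return (5 if rm == 5 else 1, 2, 5, 1)[mod]

def profile_gadget(mod: Module, addr: int, max_bytes: int = 16) -> Optional[Tuple[int, int]]:
    """Decode linearly from addr to a ret; return (byte_length, stack_words_consumed), or None
    if an undecoded opcode or no ret occurs within max_bytes. Subset: pop r32, mov, nop, ret."""
    start = pos = addr - mod.base
    end, pops = min(start + max_bytes, len(mod.code)), 0
    while pos < end:
        op = mod.code[pos]
        if op == 0xC3:                          # ret
            return pos + 1 - start, pops
        if op == 0xC2:                          # ret imm16 also discards imm16 stack bytes
            if pos + 3 > len(mod.code):
                return None
            imm = struct.unpack_from("<H", mod.code, pos + 1)[0]
            return pos + 3 - start, pops + imm // 4
        if 0x58 <= op <= 0x5F:                  # pop r32 consumes one stack word
            pops, pos = pops + 1, pos + 1
        elif op == 0x90:                        # nop
            pos += 1
        elif op in (0x89, 0x8B):                # mov r/m32,r32 and mov r32,r/m32
            extra = _modrm_len(mod.code[pos + 1]) if pos + 1 < len(mod.code) else None
            if extra is None:
                return None
            pos += 1 + extra
        else:
            return None                         # outside the toy decoder: not gadget-like
    return None

def walk_chain(snapshot: bytes, start: int, modules, ptr_size: int = 4):
    """Follow code pointers from start; each gadget's stack profile locates the next return
    address, so operand words sitting between the pointers do not break the chain."""
    chain, off = [], start
    while off + ptr_size <= len(snapshot):
        (word,) = struct.unpack_from("<I", snapshot, off)
        mod = next((m for m in modules if m.contains(word)), None)
        prof = profile_gadget(mod, word) if mod is not None else None
        if prof is None:
            break
        chain.append((off, word, prof))
        off += ptr_size * (1 + prof[1])
    return chain

def find_chains(snapshot: bytes, modules, min_gadgets: int = 4, ptr_size: int = 4):
    """Chains of at least min_gadgets; the threshold filters benign lone function pointers."""
    found, covered = [], set()
    for start in range(0, len(snapshot) - ptr_size + 1, ptr_size):
        if start in covered:
            continue
        chain = walk_chain(snapshot, start, modules, ptr_size)
        if len(chain) >= min_gadgets:
            found.append(chain)
            covered.update(o for o, _, _ in chain)
    return found

# Constructed image for a hypothetical module "libdemo" mapped at 0x10000000.
CODE = (
    bytes.fromhex("58c3") + bytes.fromhex("5bc3")  # 0x00 pop eax;ret   0x02 pop ebx;ret
    + bytes.fromhex("8901c3")                      # 0x04 mov [ecx],eax ; ret
    + b"\x90" * 16                                 # 0x07 nops, no ret within reach
    + bytes.fromhex("ffe4")                        # 0x17 jmp esp: not decoded, not a ret gadget
    + bytes.fromhex("595ac3")                      # 0x19 pop ecx ; pop edx ; ret
    + bytes.fromhex("c20800") + b"\x90" * 8        # 0x1c ret 8, then padding
)
LIBDEMO = Module("libdemo", 0x10000000, CODE)

# Constructed stack snapshot: noise words, then a six-gadget chain with operands interleaved.
STACK = struct.pack(
    "<17I",
    0x00000001, 0x10000004, 0x41414141,  # constant, lone code pointer, filler
    0x10000019, 0x0000BEEF, 0x0000CAFE,  # pop ecx ; pop edx ; ret + two operands
    0x10000000, 0xDEADBEEF,              # pop eax ; ret + operand
    0x10000002, 0x00001000,              # pop ebx ; ret + operand
    0x10000004,                          # mov [ecx], eax ; ret
    0x1000001C, 0x00000000, 0x00000000,  # ret 8 + the two words it discards
    0x10000000, 0x00000042,              # pop eax ; ret + operand
    0x7FFE0000,                          # outside every known module: chain ends
)
```

Calling `find_chains(STACK, [LIBDEMO])` reports one chain starting at stack offset 12 with six gadgets, while the lone pointer at offset 4 is left alone because its chain never reaches the threshold. The design point is the profile step: a detector that merely looks for runs of adjacent code pointers would stop at the first operand word, whereas knowing how many words each gadget pops lets the walker step over operands and see the whole chain. A real tool would replace the toy decoder with a full disassembler and would also have to handle pointer alignments other than the one scanned here.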



© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Stancill, B., Snow, K.Z., Otterness, N., Monrose, F., Davi, L., Sadeghi, AR. (2013). Check My Profile: Leveraging Static Analysis for Fast and Accurate Detection of ROP Gadgets. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_4


  • DOI: https://doi.org/10.1007/978-3-642-41284-4_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41283-7

  • Online ISBN: 978-3-642-41284-4

  • eBook Packages: Computer Science, Computer Science (R0)
