Abstract
Return-oriented programming (ROP) offers a powerful technique for undermining state-of-the-art security mechanisms, including non-executable memory and address space layout randomization. To mitigate this daunting attack strategy, several built-in defensive mechanisms have been proposed. In this work, we instead focus on detection techniques that do not require any modification to end-user platforms. Specifically, we propose a novel framework that efficiently analyzes documents (PDF, Office, or HTML files) and detects whether they contain a return-oriented programming payload. To do so, we provide advanced techniques for taking memory snapshots of a target application, efficiently transferring the snapshots to a host system, as well as novel static analysis and filtering techniques to identify and profile chains of code pointers referencing ROP gadgets (which may even reside in randomized libraries). Our evaluation of over 7,662 benign and 57 malicious documents demonstrates that we can perform such analysis accurately and expeditiously: the vast majority of documents are analyzed in about 3 seconds.
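The core of the detection idea in the abstract is to scan a memory snapshot for runs of consecutive pointer-sized values that each land on a gadget inside an executable mapping. The following Python is an added illustration of that profiling step, written for this page and not the paper's own code; it assumes 32-bit little-endian pointers, a constructed executable region whose "gadgets" are instruction sequences ending in `ret` (0xC3), a simplified gadget test (a `ret` byte within a few bytes of the target, ignoring instruction boundaries), and a constructed snapshot buffer that mixes benign data, a lone code pointer, and a pointer chain.

```python
"""Toy ROP-chain profiler over a memory snapshot (constructed example, not the paper's code)."""
import struct
from dataclasses import dataclass

PTR_SIZE = 4      # 32-bit snapshot (assumption)
RET_WINDOW = 8    # a gadget must reach a ret within this many bytes (assumption)
MIN_CHAIN = 4     # consecutive gadget pointers needed before a run is reported (assumption)


@dataclass
class Region:
    """One mapped region of the snapshot: base address, bytes, and executability."""
    base: int
    code: bytes
    executable: bool

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + len(self.code)


def looks_like_gadget(region: Region, addr: int) -> bool:
    """Simplified gadget test: a ret (0xC3) occurs within RET_WINDOW bytes of addr."""
    off = addr - region.base
    return b"\xc3" in region.code[off: off + RET_WINDOW + 1]


def find_chains(snapshot: bytes, regions: list, min_chain: int = MIN_CHAIN) -> list:
    """Return (snapshot_offset, [gadget addresses]) for each run of >= min_chain
    consecutive pointer-sized words that point at gadgets in executable regions.
    A lone code pointer (e.g. a vtable entry) never reaches the threshold."""
    chains, run, run_start = [], [], None
    for i in range(len(snapshot) // PTR_SIZE):
        off = i * PTR_SIZE
        val = struct.unpack_from("<I", snapshot, off)[0]
        region = next((r for r in regions if r.executable and r.contains(val)), None)
        if region is not None and looks_like_gadget(region, val):
            if not run:
                run_start = off
            run.append(val)
        else:
            if len(run) >= min_chain:
                chains.append((run_start, run))
            run, run_start = [], None
    if len(run) >= min_chain:
        chains.append((run_start, run))
    return chains


# Constructed executable region: int3 filler with a few ret-terminated sequences.
_code = bytearray(b"\xcc" * 0x100)
_code[0x10:0x12] = b"\x58\xc3"   # pop eax; ret
_code[0x20:0x22] = b"\x5b\xc3"   # pop ebx; ret
_code[0x30:0x32] = b"\x94\xc3"   # xchg eax, esp; ret
_code[0x40:0x41] = b"\xc3"       # ret
LIB = Region(base=0x7C800000, code=bytes(_code), executable=True)    # constructed base
DATA = Region(base=0x00400000, code=b"\x00" * 0x100, executable=False)
REGIONS = [LIB, DATA]


def sample_snapshot() -> bytes:
    """Constructed snapshot: text, one lone code pointer, a 5-gadget chain, a data pointer."""
    chain = [0x7C800010, 0x7C800020, 0x7C800030, 0x7C800010, 0x7C800040]
    return (b"Just a PDF string.".ljust(20, b"\x00")        # words 0-4: benign text
            + struct.pack("<I", 0x7C800010)                 # word 5: lone pointer, below threshold
            + b"\x00" * 8                                   # words 6-7
            + b"".join(struct.pack("<I", a) for a in chain) # words 8-12: the chain (offset 32)
            + struct.pack("<I", 0x00400000)                 # pointer into non-executable data
            + b"\x41" * 8)                                  # spray-style filler


if __name__ == "__main__":
    for offset, gadgets in find_chains(sample_snapshot(), REGIONS):
        print(f"chain at snapshot offset {offset}: " + ", ".join(hex(g) for g in gadgets))
```

The run-length threshold is what keeps ordinary code pointers in benign documents (vtables, callbacks) from being flagged; the paper's filtering goes further by profiling what the referenced gadgets do, and by resolving pointers relative to the bases of libraries observed in the snapshot so that randomized load addresses do not hide a chain.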
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Stancill, B., Snow, K.Z., Otterness, N., Monrose, F., Davi, L., Sadeghi, A.-R. (2013). Check My Profile: Leveraging Static Analysis for Fast and Accurate Detection of ROP Gadgets. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol. 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_4
DOI: https://doi.org/10.1007/978-3-642-41284-4_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41283-7
Online ISBN: 978-3-642-41284-4