DOI: 10.1145/3301417.3312494

Static Analysis of ROP Code

Published: 25 March 2019

Abstract

Recent years have witnessed code reuse techniques being employed to craft entire programs such as Jekyll apps, malware droppers, and persistent data-only rootkits. The increased complexity observed in such payloads calls for specific techniques and tools that can help in their analysis. In this paper we propose novel ideas for static analysis of ROP code and apply them to study prominent payloads targeting the Windows platform. Unlike state-of-the-art approaches, we do not require the ROP activation context to be reproduced for the analysis. We then propose a guessing mechanism to identify gadget sources for payloads found in documents or over the network.
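
The gadget-source guessing idea sketched in the abstract, as an added example that is not the paper's code: given only the words of a 32-bit ROP chain carved from a document and the raw images of candidate modules, score each module by how many chain words land on a ret-terminated byte sequence inside it, trying every 64 KiB-aligned load base so no activation context (process memory, actual load addresses) is needed. The module names, the two tiny image byte arrays, the chain, the 64 KiB ASLR granularity and the bare 0xC3 byte scan standing in for real instruction decoding are all assumptions made for this illustration.

```c
/*
 * Added example, not code from the paper: rank candidate modules as the gadget
 * source of a 32-bit ROP chain using only the chain's words and the candidate
 * module images, without reproducing the activation context. The two module
 * images, their names and the chain below are constructed test data.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_GADGET_LEN    8u        /* bytes scanned forward from a candidate start for a ret */
#define ASLR_GRANULARITY  0x10000u  /* assumption: images are mapped at 64 KiB-aligned bases */

typedef struct {
    const char    *name;
    const uint8_t *bytes;   /* raw image bytes; here a tiny constructed code region */
    uint32_t       size;
} module_t;

typedef struct {
    uint32_t in_range;      /* chain words that fall inside [base, base+size) */
    uint32_t gadget_hits;   /* ... and reach a ret (0xC3) within MAX_GADGET_LEN bytes */
} score_t;

/* Coarse gadget test: a ret byte within a few bytes of `off`. A real tool decodes
 * instructions; a bare byte scan also matches 0xC3 inside operands, so it
 * over-approximates and is only a ranking signal here. */
static int is_gadget_start(const module_t *m, uint32_t off)
{
    for (uint32_t i = 0; i < MAX_GADGET_LEN && off + i < m->size; i++)
        if (m->bytes[off + i] == 0xC3)
            return 1;
    return 0;
}

/* Score a module assumed loaded at `base`. Words outside the image are left
 * unclassified: immediates consumed by pop gadgets, or pointers into other modules. */
static score_t score_module(const module_t *m, uint32_t base,
                            const uint32_t *chain, size_t n)
{
    score_t s = {0, 0};
    for (size_t i = 0; i < n; i++) {
        uint32_t w = chain[i];
        if (w < base || w - base >= m->size)
            continue;
        s.in_range++;
        if (is_gadget_start(m, w - base))
            s.gadget_hits++;
    }
    return s;
}

/* Unknown (relocated) base: try every aligned base and keep the one that turns the
 * most chain words into gadgets. Returns 0 if no base yields a single hit. */
static uint32_t guess_base(const module_t *m, const uint32_t *chain, size_t n,
                           score_t *best_out)
{
    uint32_t best_base = 0;
    score_t best = {0, 0};
    for (uint64_t b = ASLR_GRANULARITY; b < 0x100000000ull; b += ASLR_GRANULARITY) {
        score_t s = score_module(m, (uint32_t)b, chain, n);
        if (s.gadget_hits > best.gadget_hits) {
            best = s;
            best_base = (uint32_t)b;
        }
    }
    if (best_out) *best_out = best;
    return best_base;
}

/* Pick the candidate module whose best base explains the most gadgets. */
static size_t best_source(const module_t *mods, size_t nmods,
                          const uint32_t *chain, size_t n, uint32_t *base_out)
{
    size_t best_i = 0;
    uint32_t best_hits = 0, best_base = 0;
    for (size_t i = 0; i < nmods; i++) {
        score_t s;
        uint32_t b = guess_base(&mods[i], chain, n, &s);
        if (s.gadget_hits > best_hits) {
            best_hits = s.gadget_hits; best_base = b; best_i = i;
        }
    }
    if (base_out) *base_out = best_base;
    return best_i;
}

/* Constructed image A: ret-terminated gadgets at offsets 0x10, 0x20 and 0x30. */
static const uint8_t IMG_A[0x40] = {
    [0x10] = 0x58, 0xC3,          /* pop eax ; ret        */
    [0x20] = 0x59, 0xC3,          /* pop ecx ; ret        */
    [0x30] = 0x89, 0x01, 0xC3,    /* mov [ecx], eax ; ret */
};
/* Constructed image B: another build of the same DLL, same size, but its ret
 * bytes sit at 0x08 and 0x18, not where the chain points. */
static const uint8_t IMG_B[0x40] = { [0x08] = 0xC3, [0x18] = 0xC3 };
static const module_t MODULES[] = {
    { "lib.dll (build 1)", IMG_A, sizeof IMG_A },
    { "lib.dll (build 2)", IMG_B, sizeof IMG_B },
};
/* Constructed chain as carved from a document: gadget pointers interleaved with
 * the immediates their pop gadgets consume. */
static const uint32_t CHAIN[] = {
    0x10000010u,  /* pop eax ; ret        */
    0x00000040u,  /*   eax <- immediate   */
    0x10000020u,  /* pop ecx ; ret        */
    0x0012FF00u,  /*   ecx <- immediate   */
    0x10000030u,  /* mov [ecx], eax ; ret */
};
#define CHAIN_LEN (sizeof CHAIN / sizeof CHAIN[0])

int main(void)
{
    /* Same candidate base for both builds: range membership alone cannot tell them apart. */
    for (size_t i = 0; i < 2; i++) {
        score_t s = score_module(&MODULES[i], 0x10000000u, CHAIN, CHAIN_LEN);
        printf("%-18s @0x10000000: in_range=%u gadget_hits=%u\n",
               MODULES[i].name, s.in_range, s.gadget_hits);
    }
    uint32_t base;
    size_t i = best_source(MODULES, 2, CHAIN, CHAIN_LEN, &base);
    printf("guessed source: %s at base 0x%08x\n", MODULES[i].name, base);
    return 0;
}
```

Both builds put all three pointer-looking words in range, so address membership alone is ambiguous; only build 1 turns them into ret-terminated sequences, and the base sweep recovers 0x10000000 for it without any process memory. A practitioner extending this would decode real instructions instead of scanning for 0xC3 (to handle `ret imm16`, `jmp`/`call`-terminated gadgets and to reject 0xC3 inside operands), allow a chain to span several modules, and treat a word that is both an immediate and a plausible pointer as undecided rather than counting it either way.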


Cited By

  • Chaotic-Based Shellcode Encryption: A New Strategy for Bypassing Antivirus Mechanisms. Symmetry 16(11), 1526, 14 Nov 2024. doi:10.3390/sym16111526
  • ROPfuscator: Robust Obfuscation with ROP. 2023 IEEE Security and Privacy Workshops (SPW), pp. 1-10, May 2023. doi:10.1109/SPW59333.2023.00026
  • Horus: An Effective and Reliable Framework for Code-Reuse Exploits Detection in Data Stream. Electronics 11(20), 3363, 18 Oct 2022. doi:10.3390/electronics11203363
  • Hiding in the Particles: When Return-Oriented Programming Meets Program Obfuscation. 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 555-568, Jun 2021. doi:10.1109/DSN48987.2021.00064
  • Rope: Covert Multi-process Malware Execution with Return-Oriented Programming. Computer Security – ESORICS 2021, pp. 197-217, 30 Sep 2021. doi:10.1007/978-3-030-88418-5_10
  • Beware of Unknown Areas to Notify Adversaries: Detecting Dynamic Binary Instrumentation Runtimes with Low-Level Memory Scanning. Intelligent Computing, pp. 1003-1019, 6 Jul 2021. doi:10.1007/978-3-030-80129-8_66
  • Techniques Implemented in Software Protectors: A Journey with DBI Through What Protectors Use to Detect Bad Guys. Proceedings of the Future Technologies Conference (FTC) 2020, Volume 3, pp. 722-737, 31 Oct 2020. doi:10.1007/978-3-030-63092-8_48

Published In

EuroSec '19: Proceedings of the 12th European Workshop on Systems Security
March 2019
59 pages
ISBN:9781450362740
DOI:10.1145/3301417
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Return oriented programming
  2. code reuse
  3. exploits
  4. static analysis

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

EuroSys '19
Sponsor: EuroSys '19: Fourteenth EuroSys Conference 2019
March 25 - 28, 2019
Dresden, Germany

Acceptance Rates

EuroSec '19 Paper Acceptance Rate 9 of 25 submissions, 36%;
Overall Acceptance Rate 47 of 113 submissions, 42%

Bibliometrics & Citations

Article Metrics

  • Downloads (last 12 months): 16
  • Downloads (last 6 weeks): 0
Reflects downloads up to 15 Feb 2025.

