Static Inference of the Maximum Frequency of Return Instructions for Detecting ROP Attacks
Abstract
A program subject to a Return Oriented Programming (ROP) attack usually presents an execution trace with a high frequency of return instructions. From this observation, several research groups have proposed monitoring the density of returns to detect ROP attacks. These techniques use universal thresholds: the density of return operations that characterizes an attack is taken to be the same for every application. This paper shows that universal thresholds are easy to circumvent. As an alternative, we introduce a static code analysis that estimates the maximum density of return instructions possible for a program. This analysis determines a detection threshold for each application, thus making it more difficult for attackers to compromise programs via ROP.
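As an added illustration (not the paper's code), a toy Python version of the two pieces the abstract describes: a static bound on the return density reachable along any path of a control-flow graph, used as the per-program threshold, and the window-based monitor that applies it to an execution trace. The CFG, the traces, the window size of 10 and the universal threshold of 0.4 are all constructed assumptions.

```python
# Toy model of per-program return-density thresholds (added example).
# Constructed CFG: block -> (instruction count, successors). Blocks in
# RET_BLOCKS end with `ret`; the others end with a jump.
CFG = {"entry": (8, ["loop"]), "loop": (6, ["loop", "leaf"]),
       "leaf": (2, ["exit"]), "exit": (5, [])}
RET_BLOCKS = {"leaf", "exit"}


def max_return_density(cfg, ret_blocks, window):
    """Largest fraction of `ret`s inside any `window` consecutive
    instructions along any path of `cfg`. Paths are enumerated from every
    block until every window offset inside the first block is covered."""
    need = window + max(size for size, _ in cfg.values())
    best = 0.0

    def walk(block, flags):          # flags[i] is True where instr i is a ret
        nonlocal best
        size, succs = cfg[block]
        flags = flags + [False] * (size - 1) + [block in ret_blocks]
        if len(flags) >= need or not succs:
            for i in range(len(flags) - window + 1):   # full windows only
                best = max(best, sum(flags[i:i + window]) / window)
            return
        for s in succs:
            walk(s, flags)

    for b in cfg:
        walk(b, [])
    return best


def detect(trace, window, threshold):
    """Offsets of every window of executed mnemonics in `trace` whose ret
    density is above `threshold`."""
    return [i for i in range(len(trace) - window + 1)
            if trace[i:i + window].count("ret") / window > threshold]


# Constructed traces: a benign run of CFG, and a chain of 3-instruction
# gadgets, each ending in ret, that stays under a loose universal threshold.
BENIGN_TRACE = ["mov"] * 8 + ["add"] * 12 + ["mov", "ret"] + ["mov"] * 4 + ["ret"]
GADGET_CHAIN = ["pop", "mov", "ret"] * 4

if __name__ == "__main__":
    per_program = max_return_density(CFG, RET_BLOCKS, 10)    # 0.2 for this CFG
    print("universal 0.4:", detect(GADGET_CHAIN, 10, 0.4))    # [] (missed)
    print("per-program:", detect(GADGET_CHAIN, 10, per_program))  # [0, 1, 2]
```

The benign trace never exceeds the static bound, while the gadget chain slips under the universal threshold but not under the bound derived for this program.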
