Abstract
In recent years, return-oriented programming (ROP) has become the most widely used exploitation technique, achieving arbitrary code execution without injecting any code at all. It does so by executing small sequences of assembly instructions already present in binaries, known as gadgets. A single gadget cannot perform complex operations, but gadgets chained together can, in theory, perform arbitrary computation. Many mitigations have been proposed in the past, but they either introduced large overhead or were too complex. In this paper, we propose a simple method of detecting ROP attacks by calculating the distance between saved return addresses in the runtime stack. ROP exploits published on the Internet that we examined showed short distances between return addresses (which are gadget addresses) compared to those of the program's normal control flow. Our method can be used as a stand-alone tool or as part of sequential checks in existing tools.
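As an added illustration of the check the abstract describes (example code, not the paper's implementation), the following scans a stack snapshot for words that point into executable text, measures the stack distance between consecutive candidate return addresses, and flags a dense run. The text range, stack contents, gap threshold and run length are constructed assumptions; the paper's own thresholds are not given on this page.

```python
# Added example, not the paper's code: distance check between saved return
# addresses on a stack snapshot. Addresses and thresholds are constructed.
from typing import List, Tuple

WORD = 8  # assumption: 64-bit stack words

# Constructed: the process's executable .text mapping(s).
TEXT_RANGES = [(0x400000, 0x410000)]

# Constructed normal stack: each return address is followed by a saved frame
# pointer and locals, so return addresses sit several words apart.
NORMAL_STACK = [
    0x401100, 0x7FFC1000, 0x0, 0x1, 0x2,
    0x402200, 0x7FFC1040, 0x7FFC1048, 0x0,
    0x403300, 0x7FFC1080, 0x10,
    0x404400,
]

# Constructed chain-like stack: code pointers packed word after word, the
# layout a ROP chain leaves behind (values are arbitrary, not real gadgets).
CHAIN_STACK = [0x7FFC1000, 0x401010, 0x401020, 0x401030, 0x401040, 0x401050, 0x0]


def is_code_pointer(word: int, text_ranges: List[Tuple[int, int]]) -> bool:
    """A stack word is a candidate return address if it points into text."""
    return any(lo <= word < hi for lo, hi in text_ranges)


def return_address_offsets(stack: List[int], text_ranges, word: int = WORD) -> List[int]:
    """Byte offsets, from the snapshot start, of candidate return addresses."""
    return [i * word for i, w in enumerate(stack) if is_code_pointer(w, text_ranges)]


def return_address_distances(stack: List[int], text_ranges, word: int = WORD) -> List[int]:
    """Stack distance in bytes between each pair of consecutive candidates."""
    offs = return_address_offsets(stack, text_ranges, word)
    return [b - a for a, b in zip(offs, offs[1:])]


def looks_like_rop(stack, text_ranges, max_gap: int = WORD, min_run: int = 4, word: int = WORD) -> bool:
    """True if at least min_run consecutive candidates lie <= max_gap apart.
    A lone code pointer in a local (a function pointer, say) does not trigger;
    only a dense run does. max_gap and min_run are assumed thresholds."""
    run = 1
    for d in return_address_distances(stack, text_ranges, word):
        run = run + 1 if d <= max_gap else 1
        if run >= min_run:
            return True
    return False
```

On the constructed inputs the normal stack yields distances of 40, 32 and 24 bytes and is not flagged, while the chain-like stack yields four 8-byte distances and is flagged.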
Acknowledgments
This work was supported by the IT R&D program of MKE/KEIT. [KI001810039260, Integrated dev-environment for personal, biz-customized open mobile cloud service and Collaboration tech for heterogeneous devices on server].
Copyright information
© 2013 Springer Science+Business Media Dordrecht
Cite this paper
Min, JW., Jung, SM., Chung, TM. (2013). Detecting Return Oriented Programming by Examining Positions of Saved Return Addresses. In: Han, YH., Park, DS., Jia, W., Yeo, SS. (eds) Ubiquitous Information Technologies and Applications. Lecture Notes in Electrical Engineering, vol 214. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-5857-5_85
DOI: https://doi.org/10.1007/978-94-007-5857-5_85
Publisher Name: Springer, Dordrecht
Print ISBN: 978-94-007-5856-8
Online ISBN: 978-94-007-5857-5