Detecting Return Oriented Programming by Examining Positions of Saved Return Addresses

  • Conference paper
Ubiquitous Information Technologies and Applications

Part of the book series: Lecture Notes in Electrical Engineering ((LNEE,volume 214))

Abstract

In recent years, return-oriented programming (ROP) has become the most widely used exploitation technique, achieving arbitrary code execution without injecting any code at all. It works by executing small sequences of assembly instructions found in binaries, known as gadgets. A single gadget cannot perform complex operations, but chained together, gadgets can in theory perform arbitrary operations. Many mitigations have been proposed in the past, but they either introduced large overhead or were too complex. In this paper, we propose a simple method of detecting ROP attacks by calculating the distance between saved return addresses in the runtime stack. In the ROP exploits we examined, which were published on the Internet, the distances between return addresses (which are gadget addresses) were short compared to those in the normal control flow of the program. Our method can be used as a stand-alone tool or as part of the sequential checks in existing tools.
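The following is an added illustration of the idea in the abstract, not the authors' implementation: it scans a stack snapshot for words that point into an executable range and measures how many stack slots separate consecutive ones. The code range, the two thresholds, the function names and both stack snapshots are constructed assumptions, and "distance" is assumed to mean the slot distance between positions on the stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed executable range of the monitored image (constructed values). */
typedef struct { uintptr_t lo, hi; } code_range;
static const code_range text = { 0x08048000u, 0x08049000u };

/* Constructed snapshot of a normal call stack: three saved return addresses
 * (slots 0, 9, 20) separated by locals, arguments and saved frame pointers. */
static const uintptr_t normal_stack[24] = {
    0x0804861b, 0xbffff6a8, 0x00000003, 0x00000000, 0xbffff6c0, 0x00000010,
    0x00000000, 0xbffff6d8, 0xbffff6f8, 0x08048702, 0x00000001, 0xbffff7a4,
    0x00000000, 0x00000020, 0x00000000, 0xbffff708, 0x00000000, 0x00000002,
    0xbffff728, 0x00000000, 0x080484f9, 0x00000001, 0xbffff7a4, 0xbffff7ac
};

/* Constructed snapshot after a hijack: code pointers packed into slots
 * 0, 2, 3, 5, 6, 7 with at most one data word between them. */
static const uintptr_t rop_stack[8] = {
    0x080485d3, 0x0000000b, 0x08048611, 0x080485d3,
    0xbffff7c0, 0x0804859e, 0x08048611, 0x080486aa
};

/* Length of the longest run of code pointers in which each one sits at most
 * max_gap slots after the previous one. */
size_t longest_dense_run(const uintptr_t *stack, size_t n,
                         const code_range *r, size_t max_gap)
{
    size_t best = 0, run = 0, prev = 0;
    for (size_t i = 0; i < n; i++) {
        if (stack[i] < r->lo || stack[i] >= r->hi) continue; /* data word */
        run = (run > 0 && i - prev <= max_gap) ? run + 1 : 1;
        if (run > best) best = run;
        prev = i;
    }
    return best;
}

int looks_like_rop(const uintptr_t *stack, size_t n, const code_range *r)
{
    return longest_dense_run(stack, n, r, 2) >= 4;  /* assumed thresholds */
}

int main(void)
{
    printf("normal: %d\n", looks_like_rop(normal_stack, 24, &text));
    printf("hijacked: %d\n", looks_like_rop(rop_stack, 8, &text));
}
```

This sketch treats every word that falls in the code range as a saved return address, so function pointers stored in locals would also count; a deployed check would need a stricter test for what qualifies.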

Acknowledgments

This work was supported by the IT R&D program of MKE/KEIT. [KI001810039260, Integrated dev-environment for personal, biz-customized open mobile cloud service and Collaboration tech for heterogeneous devices on server].

Corresponding author

Correspondence to Jae-Won Min.

Copyright information

© 2013 Springer Science+Business Media Dordrecht

About this paper

Cite this paper

Min, JW., Jung, SM., Chung, TM. (2013). Detecting Return Oriented Programming by Examining Positions of Saved Return Addresses. In: Han, YH., Park, DS., Jia, W., Yeo, SS. (eds) Ubiquitous Information Technologies and Applications. Lecture Notes in Electrical Engineering, vol 214. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-5857-5_85

  • DOI: https://doi.org/10.1007/978-94-007-5857-5_85

  • Publisher Name: Springer, Dordrecht

  • Print ISBN: 978-94-007-5856-8

  • Online ISBN: 978-94-007-5857-5

  • eBook Packages: Engineering, Engineering (R0)