Check My Profile: Leveraging Static Analysis for Fast and Accurate Detection of ROP Gadgets

  • Blaine Stancill
  • Kevin Z. Snow
  • Nathan Otterness
  • Fabian Monrose
  • Lucas Davi
  • Ahmad-Reza Sadeghi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8145)

Abstract

Return-oriented programming (ROP) offers a powerful technique for undermining state-of-the-art security mechanisms, including non-executable memory and address space layout randomization. To mitigate this daunting attack strategy, several in-built defensive mechanisms have been proposed. In this work, we instead focus on detection techniques that do not require any modification to end-user platforms. Specifically, we propose a novel framework that efficiently analyzes documents (PDF, Office, or HTML files) and detects whether they contain a return-oriented programming payload. To do so, we provide advanced techniques for taking memory snapshots of a target application, efficiently transferring the snapshots to a host system, as well as novel static analysis and filtering techniques to identify and profile chains of code pointers referencing ROP gadgets (that may even reside in randomized libraries). Our evaluation of over 7,662 benign and 57 malicious documents demonstrates that we can perform such analysis accurately and expeditiously — with the vast majority of documents analyzed in about 3 seconds.
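The abstract's core detection idea is to scan a memory snapshot for runs of consecutive code pointers whose targets look like ROP gadgets (short instruction sequences ending in a return). The block below is an added illustration of that idea, not the paper's implementation: it assumes a 32-bit little-endian snapshot, a constructed toy code mapping (`CODE_REGIONS`) and a constructed snapshot (`SNAPSHOT`), and uses a crude "is there a `ret` byte within a few bytes" check as a stand-in for real disassembly-based gadget profiling.

```python
import struct

# Constructed toy "code region": a fake executable mapping at CODE_BASE.
# A few offsets hold ret-terminated sequences (gadgets); the rest is nop filler.
CODE_BASE = 0x10000000
CODE = bytearray(b"\x90" * 0x40)
CODE[0x10:0x12] = b"\x58\xc3"        # pop eax ; ret
CODE[0x20:0x23] = b"\x5e\x5f\xc3"    # pop esi ; pop edi ; ret
CODE[0x30:0x32] = b"\xff\xe0"        # jmp eax (no ret: not a ret-gadget)
CODE_REGIONS = {CODE_BASE: CODE}     # base address -> mapped bytes (constructed)

def points_into_code(value):
    """Return (base, offset) if value lies inside a known code mapping, else None."""
    for base, blob in CODE_REGIONS.items():
        if base <= value < base + len(blob):
            return base, value - base
    return None

def ends_in_ret(base, off, window=8):
    """Crude gadget profile: does a 'ret' (0xC3) occur within `window` bytes
    of the pointer target?  A real analyzer would disassemble instead."""
    return 0xC3 in CODE_REGIONS[base][off:off + window]

def find_gadget_chains(snapshot, min_len=3):
    """Scan a snapshot (4-byte stride; a real scanner tries every alignment)
    for runs of consecutive 32-bit values that each point to a ret-terminated
    code sequence.  Returns a list of (snapshot_offset, run_length)."""
    chains, run_start, run_len = [], None, 0
    for off in range(0, len(snapshot) - 3, 4):
        value = struct.unpack_from("<I", snapshot, off)[0]
        hit = points_into_code(value)
        if hit and ends_in_ret(*hit):
            run_start = off if run_start is None else run_start
            run_len += 1
        else:
            if run_len >= min_len:
                chains.append((run_start, run_len))
            run_start, run_len = None, 0
    if run_len >= min_len:
        chains.append((run_start, run_len))
    return chains

# Constructed snapshot: benign bytes, a 4-pointer gadget chain, a non-gadget
# pointer that breaks the run, then more benign bytes.
SNAPSHOT = (b"A" * 16
            + struct.pack("<IIII", CODE_BASE + 0x10, CODE_BASE + 0x20,
                          CODE_BASE + 0x10, CODE_BASE + 0x21)
            + struct.pack("<I", CODE_BASE + 0x30)
            + b"B" * 12)

if __name__ == "__main__":
    print(find_gadget_chains(SNAPSHOT))   # one chain of 4 pointers at offset 16
```

Filtering on run length (`min_len`) is what keeps isolated, legitimately stored function pointers from being flagged; the paper's filtering is more elaborate than this single threshold.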

Keywords

return-oriented programming; malware analysis

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Blaine Stancill (1)
  • Kevin Z. Snow (1)
  • Nathan Otterness (1)
  • Fabian Monrose (1)
  • Lucas Davi (2)
  • Ahmad-Reza Sadeghi (2)

  1. Department of Computer Science, University of North Carolina at Chapel Hill, USA
  2. CASED, Technische Universität Darmstadt, Germany