Detecting Return Oriented Programming by Examining Positions of Saved Return Addresses
In the recent years, return-oriented programming (ROP) has become the most widely used exploitation technique, achieving arbitrary code execution without injecting any code at all. This is possible by executing small sequences of assembly instructions found in binaries, also known as gadgets. Gadgets cannot do complex operations by themselves but when chained together, they can do any arbitrary operations theoretically. There were many mitigations proposed in the past but they either introduced large overhead or were too complex. In this paper, we propose a simple method of detecting ROP attacks by calculating distance between saved return addresses in the runtime stack. Examined ROP exploits which were published on the Internet resulted short distances between return addresses, which are gadget addresses, compared to that of normal control flow of the program. Our method can be used as a stand-alone tool or part of sequential checks in existing tools.
KeywordsReturn oriented programming Code reuse attack Detection
This work was supported by the IT R&D program of MKE/KEIT. [KI001810039260, Integrated dev-environment for personal, biz-customized open mobile cloud service and Collaboration tech for heterogeneous devices on server].
- 1.Solar Designer: Getting around non-executable stack (and fix). Bugtraq, Aug 1997.Google Scholar
- 2.Shacham, H.: The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications, Security, pp. 552–561 (2007).Google Scholar
- 3.PaX Team: PaX address space layout randomization (ASLR), http://pax.grsecurity.net/docs/aslr.txt
- 4.Pwn2own Contest, http://pwn2own.zerodayinitiative.com
- 5.Davi, L., Sadephi, A.-R., Winandy, M.: Dynamic integrity measurement and attestation: Towards defense against return-oriented programming attacks. In: Asokan, N., Nita-Rotaru, C., Seifert, J.-P. (eds.) Proceedings of STC 2009, pp. 49–54. ACM Press (2009).Google Scholar
- 6.Polychronakis, M., Keromytis, A.D.: ROP payload detection using speculative code. Malicious and Unwanted Software, In (2011)Google Scholar
- 7.Onarlioglu, K., Bilge, L., Lanzi, A., Balzarotti, D., Kirda, E.: G-free: Defeating return-oriented programming through gadget-less binaries. ACSAC, In (2010)Google Scholar
- 8.Microsoft BlueHat Prize, http://www.microsoft.com/security/bluehatprize
- 9.Pappas, V.: kBouncer: Efficient and transparent ROP mitigation (2012).Google Scholar
- 10.PHP 5.3.6 Buffer Overflow PoC (ROP, http://www.exploit-db.com/exploits/17486)
- 11.Exploit Database, http://www.exploit-db.com