Design and Implementation of Efficient Mitigation against Return-oriented Programming
  • Journal title : Journal of KIISE
  • Volume 41, Issue 12,  2014, pp.1018-1025
  • Publisher : Korean Institute of Information Scientists and Engineers
  • DOI : 10.5626/JOK.2014.41.12.1018
 Authors
Kim, Jeehong; Kim, Inhyeok; Min, Changwoo; Eom, Young Ik;
 
 Abstract
A ROP attack builds gadget sequences out of code snippets that already exist in a program and hijacks the program's control flow by chaining those gadgets and executing them one after another. Existing defense schemes have limitations: high execution overhead, an increase in binary size, and low applicability. In this paper we address these problems with Zero-Sum Defender, a fast and space-efficient mitigation scheme against ROP attacks. We identify a fundamental property of gadget execution: control flow enters a function in the middle, without a call instruction, and ends with a return instruction. We exploit this property by monitoring execution for it, which reveals whether the program is being abused by a ROP attack. The scheme achieves very low runtime overhead with a very small increase in binary size. In our experiments we verified that the defense prevents real-world ROP attacks, and we measured only about 2% performance overhead and 1% binary-size overhead across several benchmarks.
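The property the abstract relies on (a gadget is left through a ret but was never entered through its function's entry point) can be shown on a constructed control-flow trace. The checker below is an added illustration, not the paper's implementation or its instrumentation: the event model, the balance counter and the function and gadget labels are my own assumptions about how such a monitor can be expressed. Every real function entry adds one to a running sum and every ret subtracts one; legitimate execution never drives the sum below zero, while a chain of call-less gadgets does.

```c
#include <stdio.h>
#include <stddef.h>

/* Kinds of control-flow events in a constructed trace. Only two matter for
 * the property discussed above: a function entered through its real entry
 * point (reached by a call), and a return instruction being executed. */
typedef enum { EV_ENTRY, EV_RET } ev_kind;

typedef struct {
    ev_kind     kind;
    const char *where;   /* label for the reader; the checker ignores it */
} cf_event;

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Balance checker (illustrative; assumed monitor, not the paper's code):
 * every real function entry adds one, every ret subtracts one. Legitimate
 * execution keeps the running sum at zero or above because each ret is
 * preceded by the entry of the function it leaves. A gadget executes a ret
 * without ever having passed an entry point, so a chain of gadgets drives
 * the sum below zero. Returns -1 if the trace stays balanced, otherwise the
 * index of the first ret that makes the sum negative. */
long check_balance(const cf_event *trace, size_t n)
{
    long sum = 0;
    for (size_t i = 0; i < n; i++) {
        if (trace[i].kind == EV_ENTRY) {
            sum++;
        } else if (--sum < 0) {
            return (long)i;
        }
    }
    return -1;
}

/* Constructed benign trace: nested calls, each ret matched by an entry. */
static const cf_event benign_trace[] = {
    { EV_ENTRY, "main" },
    { EV_ENTRY, "parse_request" },
    { EV_ENTRY, "copy_field" },
    { EV_RET,   "copy_field" },
    { EV_RET,   "parse_request" },
    { EV_ENTRY, "send_reply" },
    { EV_RET,   "send_reply" },
    { EV_RET,   "main" },
};

/* Constructed ROP trace: parse_request's return address has been
 * overwritten, so its ret lands in the middle of a function body (a
 * gadget) that was never entered through a call, and each gadget ends
 * with another ret. Gadget labels are invented for illustration. */
static const cf_event rop_trace[] = {
    { EV_ENTRY, "main" },
    { EV_ENTRY, "parse_request" },
    { EV_RET,   "parse_request (hijacked return address)" },
    { EV_RET,   "gadget: pop rdi; ret" },
    { EV_RET,   "gadget: pop rsi; ret" },
    { EV_RET,   "gadget: call-less function tail; ret" },
};

long demo_benign(void) { return check_balance(benign_trace, COUNT(benign_trace)); }
long demo_rop(void)    { return check_balance(rop_trace, COUNT(rop_trace)); }

int main(void)
{
    long b = demo_benign();
    long r = demo_rop();
    printf("benign trace: %s\n", b < 0 ? "balanced" : "violation");
    if (r < 0)
        printf("rop trace: balanced\n");
    else
        printf("rop trace: violation at event %ld (%s)\n", r, rop_trace[r].where);
    return 0;
}
```

Two caveats a practitioner should take from this model. The sum only turns negative once the gadget chain has consumed the call depth at the hijack point, so in the trace above the violation is reported at the second gadget (event index 4), not the first; a pure counter trades the precision of a shadow stack for the small per-function cost the abstract reports. And a ret-balance check says nothing about code reuse that avoids ret instructions altogether (jump-oriented variants), which is outside what this property can detect.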
 Keywords
return-oriented programming;code reuse attack;software security;malware defense;
 Language
Korean