Publication Type
Conference Proceeding Article
Version
acceptedVersion
Publication Date
2-2014
Abstract
Return-Oriented Programming (ROP) is a sophisticated exploitation technique that is able to drive target applications to perform arbitrary unintended operations by constructing a gadget chain reusing existing small code sequences (gadgets). Existing defense mechanisms either only handle specific types of gadgets, require access to source code and/or a customized compiler, break the integrity of the application binary, or suffer from high performance overhead. In this paper, we present a novel system, ROPecker, to efficiently and effectively defend against ROP attacks without relying on any other side information (e.g., source code and compiler support) or binary rewriting. ROPecker detects an ROP attack at run-time by checking for the presence of a sufficiently long chain of gadgets in past and future execution flow, with the assistance of the taken branches recorded in the Last Branch Record (LBR) registers and an efficient technique combining offline analysis with run-time emulation. We also design a sliding window mechanism to invoke the detection logic at the proper times, which achieves both high detection accuracy and efficiency. We build an ROPecker prototype on x86-based Linux computers and evaluate its security effectiveness, space cost and performance overhead. In our experiment, ROPecker can detect all ROP attacks from real-world examples and those generated by the general-purpose ROP compiler Q. It has small footprints on memory and disk storage, and only incurs acceptable performance overhead on CPU computation, disk I/O and network I/O.
Discipline
Information Security
Research Areas
Cybersecurity
Publication
NDSS Symposium 2014: Proceedings of the 21st Network and Distributed System Security Symposium, San Diego, February 23-26
First Page
1
Last Page
14
Identifier
10.14722/ndss.2014.23156
Publisher
Internet Society
City or Country
Reston, VA
Citation
CHENG, Yueqiang; ZHOU, Zongwei; MIAO, Yu; DING, Xuhua; and DENG, Robert H. ROPecker: A Generic and Practical Approach For Defending Against ROP Attack. (2014). NDSS Symposium 2014: Proceedings of the 21st Network and Distributed System Security Symposium, San Diego, February 23-26. 1-14.
Available at: https://ink.library.smu.edu.sg/sis_research/1973
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.14722/ndss.2014.23156