Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
9-2011
Abstract
Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W ⊕ X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis difficult, be printable to evade non-ASCII filtering, be polymorphic to evade signature-based detection, etc. Research in these potential advances in ROP is important in designing counter-measures. In this paper, we show that ROP code could be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.
Keywords
Return-oriented programming, packer, printable shellcode, polymorphic malware
Discipline
Information Security
Research Areas
Information Security and Trust
Publication
Recent Advances in Intrusion Detection: 14th International Symposium on Recent Advances in Intrusion Detection (RAID 2011)
Volume
6961
First Page
101
Last Page
120
ISBN
9783642236440
Identifier
10.1007/978-3-642-23644-0_6
Publisher
Springer Verlag
City or Country
Menlo Park, CA
Citation
LU, Kangjie; Zou, Dabi; Wen, Weiping; and GAO, Debin.
Packed, Printable, and Polymorphic Return-Oriented Programming. (2011). Recent Advances in Intrusion Detection: 14th International Symposium on Recent Advances in Intrusion Detection (RAID 2011). 6961, 101-120.
Available at: https://ink.library.smu.edu.sg/sis_research/2004
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
http://dx.doi.org/10.1007/978-3-642-23644-0_6