Publication Type

Conference Proceeding Article

Version

Postprint

Publication Date

9-2011

Abstract

Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W ⊕ X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis difficult, be printable to evade non-ASCII filtering, be polymorphic to evade signature-based detection, etc. Research in these potential advances in ROP is important in designing counter-measures. In this paper, we show that ROP code could be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.

Keywords

Return-oriented programming, packer, printable shellcode, polymorphic malware

Discipline

Information Security

Research Areas

Information Security and Trust

Publication

Recent Advances in Intrusion Detection: 14th International Symposium on Recent Advances in Intrusion Detection (RAID 2011)

Volume

6961

First Page

101

Last Page

120

ISBN

9783642236440

Identifier

10.1007/978-3-642-23644-0_6

Publisher

Springer Verlag

City or Country

Menlo Park, CA

Creative Commons License

Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Additional URL

http://dx.doi.org/10.1007/978-3-642-23644-0_6

Share

COinS