ROP payload detection using speculative code execution

The prevalence of code injection attacks has led to the wide adoption of exploit mitigations based on nonexecutable memory pages. In turn, attackers are increasingly relying on return-oriented programming (ROP) to bypass these protections. At the same time, existing detection techniques based on she...

Full description

Saved in:
Bibliographic Details
Main Authors: Polychronakis, M., Keromytis, A. D.
Format: Conference Proceeding
Language:English
Subjects:
Detectors
Payloads
Programming
Prototypes
Runtime
Software
Vectors
Citations: Items that cite this one
Online Access:Request full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:The prevalence of code injection attacks has led to the wide adoption of exploit mitigations based on nonexecutable memory pages. In turn, attackers are increasingly relying on return-oriented programming (ROP) to bypass these protections. At the same time, existing detection techniques based on shellcode identification are oblivious to this new breed of exploits, since attack vectors may not contain binary code anymore. In this paper, we present a detection method for the identification of ROP payloads in arbitrary data such as network traffic or process memory buffers. Our technique speculatively drives the execution of code that already exists in the address space of a targeted process according to the scanned input data, and identifies the execution of valid ROP code at runtime. Our experimental evaluation demonstrates that our prototype implementation can detect a broad range of ROP exploits against Windows applications without false positives, while it can be easily integrated into existing defenses based on shell-code detection.
DOI:10.1109/MALWARE.2011.6112327