Efficient detection of the return-oriented programming malicious code

Authors:
Ping Chen;Xiao Xing;Hao Han;Bing Mao;Li Xie
Affiliations:
State Key Laboratory for Novel Software Technology, Nanjing University, Department of Computer Science and Technology, Nanjing University, Nanjing;State Key Laboratory for Novel Software Technology, Nanjing University, Department of Computer Science and Technology, Nanjing University, Nanjing;State Key Laboratory for Novel Software Technology, Nanjing University, Department of Computer Science and Technology, Nanjing University, Nanjing;State Key Laboratory for Novel Software Technology, Nanjing University, Department of Computer Science and Technology, Nanjing University, Nanjing;State Key Laboratory for Novel Software Technology, Nanjing University, Department of Computer Science and Technology, Nanjing University, Nanjing
Venue:
ICISS'10 Proceedings of the 6th international conference on Information systems security
Year:
2010

Citing 16
Cited 2

Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Pin: building customized program analysis tools with dynamic instrumentation

Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
Control-flow integrity

Proceedings of the 12th ACM conference on Computer and communications security
Valgrind: a framework for heavyweight dynamic binary instrumentation

Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Address obfuscation: an efficient approach to combat a board range of memory error exploits

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

Proceedings of the 14th ACM conference on Computer and communications security
Code injection attacks on harvard-architecture devices

Proceedings of the 15th ACM conference on Computer and communications security
When good instructions go bad: generalizing return-oriented programming to RISC

Proceedings of the 15th ACM conference on Computer and communications security
Defending embedded systems against control flow attacks

Proceedings of the first ACM workshop on Secure execution of untrusted code
Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks

Proceedings of the 2009 ACM workshop on Scalable trusted computing
DROP: Detecting Return-Oriented Programming Malicious Code

ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
SigFree: A Signature-Free Buffer Overflow Attack Blocker

IEEE Transactions on Dependable and Secure Computing
Defeating return-oriented rootkits with "Return-Less" kernels

Proceedings of the 5th European conference on Computer systems
Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Can DREs provide long-lasting security? the case of return-oriented programming and the AVC advantage

EVT/WOTE'09 Proceedings of the 2009 conference on Electronic voting technology/workshop on trustworthy elections
Return-oriented programming without returns

Proceedings of the 17th ACM conference on Computer and communications security

ROPdefender: a detection tool to defend against return-oriented programming attacks

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Booby trapping software

Proceedings of the 2013 workshop on New security paradigms workshop

Quantified Score

Hi-index	0.00

Visualization

Abstract

Return-Oriented Programming (ROP) is a code-reuse technique which helps the attacker construct malicious code by using the instruction snippets in existing libraries/executables. Such technique makes the ROP program contain no malicious instructions. Moreover, in recent research, Return-Oriented Programming without returns has been proposed, which can be used to mount an attack without any independent return instructions, therefore, ROP malicious code circumvents the existing defenses which are based on the assumption that the ROP malicious code should use the ret without corresponding call. In this paper, we found the intrinsic feature of the ROP shellcode, and proposed an efficient method which can detect the ROP malicious code (including the one without returns). Preliminary experimental results show that our method can efficiently detect ROP malicious code and have no false positives and negatives.