Over the last few years, malware analysis has been one of the most active areas in security research. Many techniques and tools have been developed to assist in the automatic analysis of malware. These range from basic tools such as disassemblers and decompilers, to static and dynamic tools that analyze malware behavior, to automatic malware clustering and classification techniques, to virtualization technologies that assist malware analysis, to signature- and anomaly-based malware detection, and many others. However, most of these techniques and tools do not work on newer attack techniques, e.g., attacks that use return-oriented programming (ROP). In this paper, we look into the possibility of enabling existing defense technologies designed for conventional malware to cope with malware that uses return-oriented programming. We discuss the difficulties in removing ROP from malware, and design and implement an automatic converter, called deRop, that converts a ROP exploit into shellcode that is semantically equivalent to the original ROP exploit but does not use ROP, and which can therefore be analyzed by existing malware defense technologies. We apply deRop to four real ROP malware samples and demonstrate that the automatic conversion succeeds. We further discuss the applicability and limitations of deRop.
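The core idea behind the converter described above, that a ROP chain can be rewritten as an equivalent straight-line instruction sequence without returns, can be illustrated on a deliberately tiny model. The following Python is an added example written for this page; it is not deRop's code and does not reflect its real analysis. It assumes a toy x86-like instruction set (`pop`, `mov`, `add`, `xor`), a constructed gadget table with made-up addresses, and a constructed payload; the converter walks the chain in execution order, drops each gadget's terminating `ret`, and turns every `pop REG` into `mov REG, <immediate>` using the stack word the gadget would have consumed. Two small interpreters then execute the original chain and the linearized output and show that they reach the same register and memory state, which is the semantic-equivalence property the conversion must preserve.

```python
"""Toy ROP-to-linear-code converter (added illustration, not the paper's code).

Model: a ROP payload is a list of stack words. Each gadget address transfers
control to a short instruction sequence ending in `ret`; `pop` instructions
inside a gadget consume the following stack words, and `ret` consumes the next
word as the next gadget address. Linearizing the chain removes every `ret` and
materializes each popped word as an immediate `mov`.
"""
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Gadget:
    address: int
    body: tuple  # instructions executed before the terminating `ret`


# Constructed gadget table: addresses and bodies are sample values, not real ones.
GADGETS = {
    0x1000: Gadget(0x1000, ("pop eax",)),
    0x1004: Gadget(0x1004, ("pop ebx",)),
    0x1008: Gadget(0x1008, ("add eax, ebx",)),
    0x100C: Gadget(0x100C, ("mov [ebx], eax",)),
}

# Constructed payload: load 0x2a into eax, 0x3000 into ebx, add, store eax at [ebx].
SAMPLE_CHAIN = [0x1000, 0x2A, 0x1004, 0x3000, 0x1008, 0x100C]


def derop(stack, gadgets):
    """Rewrite a ROP chain as a list of straight-line instructions with no returns."""
    out = []
    i = 0
    while i < len(stack):
        gadget = gadgets.get(stack[i])
        if gadget is None:
            # A word that is not a gadget address cannot be a control transfer here;
            # a real converter would need to classify it (data, return address, junk).
            raise ValueError(f"word {stack[i]:#x} at index {i} is not a known gadget")
        i += 1
        for insn in gadget.body:
            if insn.startswith("pop "):
                if i >= len(stack):
                    raise ValueError("chain ends inside a pop operand")
                out.append(f"mov {insn[4:]}, {stack[i]:#x}")  # pop -> immediate mov
                i += 1
            else:
                out.append(insn)
        # The gadget's terminating `ret` is intentionally not emitted.
    return out


def _operand(tok, regs):
    return regs[tok] if tok in regs else int(tok, 0)


def _step(insn, regs, mem):
    """Execute one toy instruction against register and memory state."""
    op, args = insn.split(" ", 1)
    dst, src = [t.strip() for t in args.split(",")]
    if op == "mov":
        val = _operand(src, regs)
        if dst.startswith("["):
            mem[regs[dst[1:-1]]] = val  # store to address held in a register
        else:
            regs[dst] = val
    elif op == "add":
        regs[dst] = (regs[dst] + _operand(src, regs)) & MASK32
    elif op == "xor":
        regs[dst] ^= _operand(src, regs)
    else:
        raise ValueError(f"unsupported instruction: {insn}")


def _fresh_state():
    return {"eax": 0, "ebx": 0, "ecx": 0}, {}


def execute_rop(stack, gadgets):
    """Run the chain as the CPU would: each `ret` pops the next gadget address."""
    regs, mem = _fresh_state()
    sp = 0
    while sp < len(stack):
        gadget = gadgets[stack[sp]]
        sp += 1
        for insn in gadget.body:
            if insn.startswith("pop "):
                regs[insn[4:]] = stack[sp]
                sp += 1
            else:
                _step(insn, regs, mem)
    return regs, mem


def execute_linear(code):
    """Run the converted straight-line code; no stack is involved."""
    regs, mem = _fresh_state()
    for insn in code:
        _step(insn, regs, mem)
    return regs, mem


if __name__ == "__main__":
    linear = derop(SAMPLE_CHAIN, GADGETS)
    print("\n".join(linear))
    print("equivalent:", execute_rop(SAMPLE_CHAIN, GADGETS) == execute_linear(linear))
```

The interpreters exist only to check the conversion, which is the useful habit here: any rewriting step in an analysis pipeline should be validated against the original behavior on the inputs it was built from before its output is trusted by downstream detectors. Real chains also rely on gadgets with side effects, stack-pointer adjustments and non-gadget data words, which is exactly where the difficulties the paper discusses arise; this model deliberately stops at the simplest case and refuses input it cannot classify.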