Jump to content
Nytro

ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks

By Nytro, in Reverse engineering & exploit development

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

ROPdefender: A Detection Tool to Defend Against

Return-Oriented Programming Attacks

ABSTRACT

Modern runtime attacks increasingly make use of the pow-

erful return-oriented programming (ROP) attack techniques

and principles such as recent attacks on Apple iPhone and

Acrobat products to name some. These attacks even work

under the presence of modern memory protection mecha-

nisms such as data execution prevention (DEP). In this pa-

per, we present our tool, ROPdefender, that dynamically de-

tects conventional ROP attacks (that are based on return in-

structions). In contrast to existing solutions, ROPdefender

can be immediately deployed by end-users, since it does not

rely on side information (e.g., source code or debugging in-

formation) which are rarely provided in practice. Currently,

our tool adds a runtime overhead of 2x which is comparable

to similar instrumentation-based tools.

1. INTRODUCTION

Runtime attacks on software aim at subverting the execu-

tion

ow of a program by redirecting execution to malicious

code injected by the adversary. Typically, the control-

ow

of a program is subverted by exploiting memory vulnera-

bilities. Despite extensive research and many proposed so-

lutions in the last decades, such vulnerabilities ) are still

the main source of vulnerabilities in to-

day's applications. Figure 1 shows that the number of buer

over ow vulnerabilities (according to the NIST1 Vulnerabil-

ity database) continues to range from 600 to 700 per year.

Operating systems and processor manufactures provide

solutions to mitigate these kinds of attacks through the

W X (Writable XOR Executable) security model [49, 43],

which prevents an adversary from executing malicious code

by marking a memory page either writable or executable.

Current Windows versions (such as Windows XP, Vista, or

Windows 7) enable W X (named data execution preven-

tion (DEP) [43] in the Windows world) by default.

Download:

http://www.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_TRUST/PubsPDF/ropdefender.pdf

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...