Detecting ROP with Statistical Learning of Program Characteristics

Elsabagh, Mohamed; Barbará, Daniel; Fleck, Dan; Stavrou, Angelos

doi:10.1145/3029806.3029812

Cited by 22 publications

(23 citation statements)

References 19 publications

(36 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We expect our programs to trigger coarse-grained CFI defenses that monitor branches [30] or microarchitectural effects [35]. As our goal is to protect legitimate software, we expect the user can whitelist such an application, as it was the case for instance with Microsoft EMET and JavaScript JIT compilers from browsers.…”

Section: Discussionmentioning

confidence: 99%

Hiding in the Particles: When Return-Oriented Programming Meets Program Obfuscation

Borrello,

Coppa,

D'Elia

2020

Preprint

View full text Add to dashboard Cite

Largely known for attack scenarios, code reuse techniques at a closer look reveal properties that are appealing also for program obfuscation. We explore the popular return-oriented programming paradigm under a new light, transforming program functions into chains of gadgets that coexist seamlessly with the surrounding software stack. We show how to build chains that can withstand state-to-the-art static and dynamic deobfuscation approaches, evaluating the robustness and overheads of the design over common programs. The results suggest a significant increase in the amount of resources that would be required to carry man-at-the-end attacks. CCS CONCEPTS• Security and privacy → Software and application security;• Software and its engineering → Software notations and tools.

show abstract

Section: Discussionmentioning

confidence: 99%

Hiding in the Particles: When Return-Oriented Programming Meets Program Obfuscation

Borrello,

Coppa,

D'Elia

2020

Preprint

View full text Add to dashboard Cite

show abstract

“…ROPMEMU [29] offers a method for analyzing sophisticated ROP chains on memory by leveraging multi-path execution. EigenROP [30] is similar to ROPminer in that it uses statistical learning for detection. The difference is that it is based on microarchitecture-independent run-time features.…”

Section: Rop Detection By Dynamic Analysismentioning

confidence: 99%

ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets

Toshinori

Ikuse²,

Otsuki³

et al. 2020

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of recent operating systems. Although existing ROP detection approaches mainly focus on host-based intrusion detection systems (HIDSes), network-based intrusion detection systems (NIDSes) are also desired to protect various hosts including IoT devices on the network. However, existing approaches are not enough for network-level protection due to two problems: (1) Dynamic approaches take the time with second-or minute-order on average for inspection. For applying to NIDSes, millisecond-order is required to achieve near real time detection. (2) Static approaches generate false positives because they use heuristic patterns. For applying to NIDSes, false positives should be minimized to suppress false alarms. In this paper, we propose a method for statically detecting ROP chains in malicious data by learning the target libraries (i.e., the libraries that are used for ROP gadgets). Our method accelerates its inspection by exhaustively collecting feasible ROP gadgets in the target libraries and learning them separated from the inspection step. In addition, we reduce false positives inevitable for existing static inspection by statically verifying whether a suspicious byte sequence can link properly when they are executed as a ROP chain. Experimental results showed that our method has achieved millisecond-order ROP chain detection with high precision.

show abstract

“…As in previous work on malware detectors [37,47] and debug trace analysers [10,14,59], we add in a channel from the commit stage of the main core, to transport the opcode, program count, instruction commit time and operand data to the GPEs. We also transport hardware counter data [28,30,36,46]. Together, these channels allow a large amount of visibility into execution.…”

Section: Data Channelsmentioning

confidence: 99%

“…Hardware performance counters have been shown to be important for a number of detection techniques [28,30,36]. We give the GPEs access to these values from the main core.…”

Section: Hardware/software Countersmentioning

confidence: 99%

The Guardian Council

Ainsworth

Jones

2020

Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Syste

View full text Add to dashboard Cite

Systems security is becoming more challenging in the face of untrusted programs and system users. Safeguards against attacks currently in use, such as buffer overflows, control-flow integrity, side channels and malware, are limited. Software protection schemes, while flexible, are often too expensive, and hardware schemes, while fast, are too constrained or out-of-date to be practical.We demonstrate the best of both worlds with the Guardian Council, a novel parallel architecture to enforce a wide range of highly customisable and diverse security policies. We leverage heterogeneity and parallelism in the design of our system to perform security enforcement for a large highperformance core on a set of small microcontroller-sized cores. These Guardian Processing Elements (GPEs) are many orders of magnitude more efficient than conventional outof-order superscalar processors, bringing high-performance security at very low power and area overheads. Alongside these highly parallel cores we provide fixed-function logging and communication units, and a powerful programming model, as part of an architecture designed for security.Evaluation on a range of existing hardware and software protection mechanisms, reimplemented on the Guardian Council, demonstrates the flexibility of our approach with negligible overheads, out-performing prior work in the literature. For instance, 4 GPEs can provide forward control-flow integrity with 0% overhead, while 6 GPEs can provide a full shadow stack at only 2%.

show abstract

Detecting ROP with Statistical Learning of Program Characteristics

Cited by 22 publications

References 19 publications

Hiding in the Particles: When Return-Oriented Programming Meets Program Obfuscation

Hiding in the Particles: When Return-Oriented Programming Meets Program Obfuscation

ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets

The Guardian Council

Contact Info

Product

Resources

About