ROPK++: An enhanced ROP attack detection framework for Linux operating system

Buffer overflows and other memory-corruption bugs remain a major security challenge for today's software. To exploit them in the presence of classical defenses such as write-xor-execute (W^X), attackers turn to code-reuse attacks: instead of injecting code, the adversary chains together short instruction sequences ("gadgets") that are already present in the vulnerable program's address space and uses them to perform arbitrary operations on the victim's system. Many defenses against code-reuse attacks have been proposed, each detecting attacks by a different mechanism and each with its own merits and drawbacks. In this paper we analyze and scrutinize one of the most influential Linux-based defenses, ROPecker. Our analysis shows that ROPecker has weaknesses that may allow an attacker to bypass its detection. We then propose ROPK++, which adds further integrity checks that close these weaknesses and offers a more effective defense against code-reuse attacks on Linux-based systems. We compare the proposed approach with ROPecker in terms of security features and performance overhead and show its advantages.
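As an added illustration for this page (not code from the paper, from ROPecker or from ROPK++), the following C model shows the two kinds of runtime integrity check that the abstract alludes to: a gadget-chain heuristic over a hardware-style branch trace (a target counts as a gadget when few instructions separate it from the next indirect branch, and a run of such targets raises an alarm) and a call-preceded check on return targets. The code image, addresses, instruction lengths, thresholds and branch records are all constructed for the example. The third trace shows why a chain built only from long, call-preceded gadgets passes both checks, which is the general class of bypass such heuristics are known to have.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed tuning knobs for the simplified detector: a target is a gadget when at
 * most MAX_GADGET_INSNS instructions separate it from the next indirect branch,
 * and an alarm is raised once MIN_CHAIN gadget targets appear back to back. */
#define MAX_GADGET_INSNS 6
#define MIN_CHAIN        3

enum kind { PLAIN, CALL, RET, IND_JMP };
struct insn { uint64_t addr; uint8_t len; enum kind kind; };

/* Constructed code image (addresses and lengths are invented for the example). */
static const struct insn text[] = {
    /* function A: call at 0x1004 returns to 0x1009, then 7 insns and a ret */
    {0x1000,4,PLAIN},{0x1004,5,CALL},
    {0x1009,3,PLAIN},{0x100c,3,PLAIN},{0x100f,3,PLAIN},{0x1012,3,PLAIN},
    {0x1015,3,PLAIN},{0x1018,3,PLAIN},{0x101b,3,PLAIN},{0x101e,1,RET},
    /* short gadgets: "pop rdi; ret", "pop rsi; pop rdx; ret", "mov [rdi],rax; ret" */
    {0x2000,1,PLAIN},{0x2001,1,RET},
    {0x2010,1,PLAIN},{0x2011,1,PLAIN},{0x2012,1,RET},
    {0x2020,3,PLAIN},{0x2023,1,RET},
    /* function B: call at 0x3000 returns to 0x3005, then 7 insns and a ret */
    {0x3000,5,CALL},
    {0x3005,3,PLAIN},{0x3008,3,PLAIN},{0x300b,3,PLAIN},{0x300e,3,PLAIN},
    {0x3011,3,PLAIN},{0x3014,3,PLAIN},{0x3017,3,PLAIN},{0x301a,1,RET},
};
#define NTEXT (sizeof text / sizeof text[0])

static const struct insn *find(uint64_t addr) {
    for (size_t i = 0; i < NTEXT; i++) if (text[i].addr == addr) return &text[i];
    return NULL;
}

/* Instructions from addr up to and including the next indirect branch; stops
 * counting once the run is long enough not to qualify as a gadget. */
int gadget_len(uint64_t addr) {
    const struct insn *p = find(addr);
    int n = 0;
    while (p) {
        n++;
        if (p->kind == RET || p->kind == IND_JMP) return n;
        if (n > MAX_GADGET_INSNS) return n;
        p = find(p->addr + p->len);
    }
    return MAX_GADGET_INSNS + 1;   /* not an instruction boundary: not a gadget */
}

/* Call-preceded check: does a CALL end exactly at the return target? */
bool call_preceded(uint64_t ret_target) {
    for (size_t i = 0; i < NTEXT; i++)
        if (text[i].kind == CALL && text[i].addr + text[i].len == ret_target) return true;
    return false;
}

struct branch { uint64_t from, to; };   /* one record of a taken indirect branch */
enum { ALARM_CHAIN = 1, ALARM_RET_NOT_CALL_PRECEDED = 2 };

int analyze(const struct branch *rec, size_t n) {
    int alarms = 0, chain = 0;
    for (size_t i = 0; i < n; i++) {
        const struct insn *src = find(rec[i].from);
        if (gadget_len(rec[i].to) <= MAX_GADGET_INSNS) {
            if (++chain >= MIN_CHAIN) alarms |= ALARM_CHAIN;
        } else {
            chain = 0;                  /* a long target breaks the chain */
        }
        if (src && src->kind == RET && !call_preceded(rec[i].to))
            alarms |= ALARM_RET_NOT_CALL_PRECEDED;
    }
    return alarms;
}

/* Constructed traces: normal returns, a classic short-gadget chain, and a chain
 * of long, call-preceded gadgets that neither check can distinguish from the first. */
static const struct branch benign[]  = {{0x101e,0x3005},{0x301a,0x1009}};
static const struct branch classic[] = {{0x101e,0x2000},{0x2001,0x2010},{0x2012,0x2020},{0x2023,0x1009}};
static const struct branch evasive[] = {{0x101e,0x3005},{0x301a,0x1009},{0x101e,0x3005},{0x301a,0x1009}};

int demo_benign(void)  { return analyze(benign,  sizeof benign  / sizeof benign[0]); }
int demo_classic(void) { return analyze(classic, sizeof classic / sizeof classic[0]); }
int demo_evasive(void) { return analyze(evasive, sizeof evasive / sizeof evasive[0]); }

int main(void) {
    printf("benign  alarms=%d\n", demo_benign());
    printf("classic alarms=%d\n", demo_classic());
    printf("evasive alarms=%d\n", demo_evasive());
    return 0;
}
```

The benign trace and the evasive trace produce the same verdict, which is the point: a detector that only reasons about gadget length and call-preceded return sites has no signal once the attacker restricts the chain to long gadgets reachable through legitimate return addresses, so any stronger scheme has to add checks on something else (for example the integrity of the data the chain relies on) rather than tune these two thresholds.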
