HDROP: Detecting ROP Attacks Using Performance Monitoring Counters

By chaining short instruction sequences drawn only from existing code, Return Oriented Programming (ROP) attacks bypass code-integrity protection models. To defeat this kind of attack, current approaches check every instruction executed on the processor, which results in heavy performance overheads. In this paper, we propose an innovative approach, called HDROP, to detecting such attacks. It builds on the observation that ROP attacks often cause the branch predictor in modern processors to fail to determine the correct branch destination. With the support of PMC (Performance Monitoring Counters), which can count performance events, we catch the abnormal increase in branch mispredictions and thereby detect the presence of a ROP attack. In HDROP, each basic unit being checked consists of hundreds of instructions rather than a single one, which avoids significant performance overheads. The prototype system we developed on commodity hardware shows that HDROP succeeds in detecting ROP attacks, and the performance tests demonstrate that our approach has acceptable overheads.
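The detection idea in the abstract, checking the branch-misprediction rate over windows of hundreds of instructions rather than inspecting every instruction, can be illustrated offline. The following is an added example, not the paper's HDROP implementation: it replaces the hardware PMC with a constructed stream of retired-instruction records (each marked as branch/non-branch and predicted/mispredicted), splits the stream into fixed-size windows, and flags any window whose misprediction ratio exceeds a threshold. The window size, the threshold, and the shape of the constructed benign and gadget-chain traces are assumptions chosen for illustration; a real deployment would read the counters through an interface such as Linux `perf_event_open` and calibrate the threshold against the monitored program's own baseline.

```python
"""Windowed branch-misprediction detector in the spirit of HDROP.

Added example code (not from the paper). The hardware counter is replaced by
a constructed event stream so the logic can run anywhere.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class InstrEvent:
    """One retired instruction: was it a branch, and was that branch mispredicted?"""
    is_branch: bool
    mispredicted: bool


def window_mispredict_rates(events: Iterable[InstrEvent], window_size: int) -> List[float]:
    """Split the stream into consecutive windows of `window_size` retired
    instructions and return the mispredicted/branches ratio for each window.
    A trailing partial window is scored as well so nothing is silently dropped."""
    rates: List[float] = []
    branches = mispred = count = 0
    for ev in events:
        count += 1
        if ev.is_branch:
            branches += 1
            if ev.mispredicted:
                mispred += 1
        if count == window_size:
            rates.append(mispred / branches if branches else 0.0)
            branches = mispred = count = 0
    if count:
        rates.append(mispred / branches if branches else 0.0)
    return rates


def flag_windows(rates: List[float], threshold: float) -> List[int]:
    """Indices of windows whose misprediction ratio is above the threshold."""
    return [i for i, r in enumerate(rates) if r > threshold]


def detect(events: Iterable[InstrEvent], window_size: int = 200,
           threshold: float = 0.5) -> List[int]:
    """Full pipeline: window the stream, then flag anomalous windows.
    Both defaults are assumed values for illustration, not the paper's."""
    return flag_windows(window_mispredict_rates(events, window_size), threshold)


# --- constructed traces (assumptions, not measured data) --------------------

def make_benign(n: int, branch_every: int = 5, mispredict_every: int = 20) -> List[InstrEvent]:
    """Ordinary code: one branch per 5 instructions, 1 in 20 branches mispredicted (5%)."""
    out = []
    for i in range(n):
        is_branch = i % branch_every == 0
        mispred = is_branch and (i // branch_every) % mispredict_every == 0
        out.append(InstrEvent(is_branch, mispred))
    return out


def make_gadget_chain(num_gadgets: int, gadget_len: int = 3) -> List[InstrEvent]:
    """Gadget chain: each short gadget ends in an indirect branch whose target the
    predictor cannot anticipate, so every gadget-ending branch is mispredicted."""
    out = []
    for _ in range(num_gadgets):
        out.extend(InstrEvent(False, False) for _ in range(gadget_len - 1))
        out.append(InstrEvent(True, True))
    return out


def demo_trace() -> List[InstrEvent]:
    """600 benign instructions, a 60-gadget chain (180 instructions), 420 benign."""
    return make_benign(600) + make_gadget_chain(60) + make_benign(420)


if __name__ == "__main__":
    trace = demo_trace()
    rates = window_mispredict_rates(trace, 200)
    for i, r in enumerate(rates):
        print(f"window {i}: misprediction ratio {r:.3f}")
    print("flagged windows:", detect(trace))  # only the window holding the chain
```

With the constructed trace, the five benign windows score 0.05 while the window containing the gadget chain scores roughly 0.95, so a threshold of 0.5 separates them cleanly. The caveat a practitioner should keep in mind is that the threshold is workload dependent: code that is genuinely branch-heavy with poorly predictable targets (interpreters, large switch dispatch) raises the baseline, so the threshold must be calibrated per program and the window size chosen large enough that a short burst of ordinary mispredictions does not trip it.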
