Transparent ROP Exploit Mitigation Using Indirect Branch Tracing

Return-oriented programming (ROP) has become the primary exploitation technique for system compromise in the presence of non-executable page protections. ROP exploits are facilitated mainly by the lack of complete address space randomization coverage or the presence of memory disclosure vulnerabilities, necessitating additional ROP-specific mitigations. In this paper we present a practical runtime ROP exploit prevention technique for the protection of third-party applications. Our approach is based on the detection of abnormal control transfers that take place during ROP code execution. This is achieved using hardware features of commodity processors, which incur negligible runtime overhead and allow for completely transparent operation without requiring any modifications to the protected applications. Our implementation for Windows 7, named kBouncer, can be selectively enabled for installed programs in the same fashion as user-friendly mitigation toolkits like Microsoft's EMET. The results of our evaluation demonstrate that kBouncer has low runtime overhead of up to 4%, when stressed with specially crafted workloads that continuously trigger its core detection component, while it has negligible overhead for actual user applications. In our experiments with in-the-wild ROP exploits, kBouncer successfully protected all tested applications, including Internet Explorer, Adobe Flash Player, and Adobe Reader.
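The "abnormal control transfers" the abstract refers to can be made concrete with a small model of the detection idea. The following Python is an added illustration, not kBouncer's code: it treats a hardware branch trace (kBouncer reads the processor's Last Branch Record registers, which store the last few taken branches) as a list of (source, target) pairs inspected at a checkpoint, and applies two checks that distinguish a ROP chain from normal execution: a return should land on an address immediately preceded by a call instruction, and a long run of returns that each execute only a handful of instructions before the next return looks like a gadget chain. The instruction map, the addresses, the x86 call-length range of 2 to 7 bytes, and the thresholds (20 instructions per gadget, 8 consecutive gadgets) are all assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Insn:
    addr: int       # start address of the instruction
    size: int       # encoded length in bytes
    mnemonic: str   # "call", "ret", "mov", ...

@dataclass(frozen=True)
class Branch:
    kind: str       # "call", "ret" or "jmp", as a branch tracer would classify it
    src: int        # address of the branch instruction
    dst: int        # address it transferred to

# Constructed code image: a caller, a callee and ten one-instruction gadgets
# laid out at 0x2000, 0x2010, ... (assumed addresses, not from the paper).
GADGET_BASES = [0x2000 + 0x10 * k for k in range(10)]
IMAGE = {i.addr: i for i in [
    Insn(0x1000, 5, "call"), Insn(0x1005, 3, "mov"), Insn(0x1008, 1, "ret"),
    Insn(0x3000, 1, "push"), Insn(0x3001, 3, "mov"), Insn(0x3004, 1, "pop"),
    Insn(0x3005, 1, "ret"),
] + [insn for base in GADGET_BASES
     for insn in (Insn(base, 1, "pop"), Insn(base + 1, 1, "ret"))]}

# Constructed traces: a normal call/return pair, and a return-only chain that
# hops from gadget to gadget without any intervening call.
BENIGN_TRACE = [Branch("call", 0x1000, 0x3000), Branch("ret", 0x3005, 0x1005)]
ROP_TRACE = [Branch("ret", 0x5000, GADGET_BASES[0])] + [
    Branch("ret", GADGET_BASES[k - 1] + 1, GADGET_BASES[k]) for k in range(1, 10)
]

def is_call_preceded(image, target):
    """A legitimate return lands right after a call. Assumed x86 call encodings
    span 2 to 7 bytes, so look for a call instruction ending exactly at target."""
    for size in range(2, 8):
        insn = image.get(target - size)
        if insn is not None and insn.size == size and insn.mnemonic == "call":
            return True
    return False

def gadget_length(image, start, next_src):
    """Count instructions executed from start up to and including the next
    recorded branch at next_src; None if execution crosses unmapped bytes."""
    count, addr = 0, start
    while addr <= next_src:
        insn = image.get(addr)
        if insn is None:
            return None
        count += 1
        addr += insn.size
    return count

def analyze_trace(image, trace, max_gadget_len=20, chain_threshold=8):
    """Apply the call-preceded and gadget-chain checks to a branch trace.
    Thresholds are assumed values for this illustration."""
    not_call_preceded = []
    chain = longest = 0
    for i, br in enumerate(trace):
        if br.kind != "ret":
            chain = 0           # a call or jmp breaks a return-only chain
            continue
        if not is_call_preceded(image, br.dst):
            not_call_preceded.append((br.src, br.dst))
        if i + 1 < len(trace):
            nxt = trace[i + 1]
            length = gadget_length(image, br.dst, nxt.src)
            # A short instruction run that ends in another return is gadget-like.
            if nxt.kind == "ret" and length is not None and length <= max_gadget_len:
                chain += 1
                longest = max(longest, chain)
            else:
                chain = 0
    return {
        "not_call_preceded": not_call_preceded,
        "longest_gadget_chain": longest,
        "suspicious": bool(not_call_preceded) or longest >= chain_threshold,
    }

if __name__ == "__main__":
    print("benign:", analyze_trace(IMAGE, BENIGN_TRACE))
    print("rop:   ", analyze_trace(IMAGE, ROP_TRACE))
```

Both checks are evaluated only on the recorded branches, which is why a tracer that captures every indirect branch is enough: the benign trace yields no violation, while the gadget hop sequence is flagged both because none of its return targets is call-preceded and because the chain of short gadgets exceeds the assumed threshold. A real deployment would additionally have to decide when to inspect the trace (the paper's approach does so at system call entry) and how to handle returns into code it cannot disassemble, which this model simply reports as an unknown gadget length.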
