ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets

SUMMARY Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of recent operating systems. Although existing ROP detection approaches mainly focus on host-based intrusion detection systems (HIDSes), network-based intrusion detection systems (NIDSes) are also desired to protect various hosts, including IoT devices, on the network. However, existing approaches are not sufficient for network-level protection due to two problems: (1) Dynamic approaches take seconds or minutes on average per inspection, whereas application to NIDSes requires millisecond-order inspection to achieve near real-time detection. (2) Static approaches generate false positives because they rely on heuristic patterns, whereas application to NIDSes requires false positives to be minimized to suppress false alarms. In this paper, we propose a method for statically detecting ROP chains in malicious data by learning the target libraries (i.e., the libraries that are used for ROP gadgets). Our method accelerates its inspection by exhaustively collecting feasible ROP gadgets in the target libraries and learning them in a step separate from the inspection step. In addition, we reduce the false positives inherent in existing static inspection by statically verifying whether a suspicious byte sequence links properly when it is executed as a ROP chain. Experimental results showed that our method achieves millisecond-order ROP chain detection with high precision.
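The two steps the summary describes, an offline gadget-collection pass over the target library and a static linkability check over a suspicious byte stream, as an added example that is not the paper's code. It assumes a toy x86-32 decoder that recognises only `pop r32 ... ; ret` gadgets, a constructed library image loaded at a constructed base address, and constructed input streams; the function names (`collect_gadgets`, `find_chains`, `naive_hits`) are this example's own, and the paper's learning model is not reproduced. The linkability rule used here is that a gadget which pops `d` words before its `ret` must be followed by the next gadget address exactly `d + 1` words later in the stream.

```python
"""Simplified static ROP-chain inspection (added example, not the paper's code).

Offline step : enumerate 'pop r32 ... ; ret' gadgets in a library image.
Online step  : scan a byte stream for words that hit gadget addresses and keep
               only runs of gadgets whose stack deltas link them together.
"""
import struct

WORD = 4                          # x86-32 stack word (constructed 32-bit setting)
POP_R32 = set(range(0x58, 0x60))  # one-byte opcodes: pop eax .. pop edi
RET = 0xC3


def collect_gadgets(lib: bytes, base: int) -> dict:
    """Offline step: map gadget virtual address -> number of words it pops
    before its ret. Toy decoder: only consecutive 'pop r32' before 'ret'."""
    gadgets = {}
    for i, b in enumerate(lib):
        if b != RET:
            continue
        j = i
        while j > 0 and lib[j - 1] in POP_R32:   # walk back over pops
            j -= 1
        for start in range(j, i + 1):            # every suffix is a gadget
            gadgets[base + start] = i - start    # pops executed before ret
    return gadgets


def naive_hits(data: bytes, gadgets: dict) -> int:
    """Baseline a pattern-based static scanner would report: count every
    little-endian word (at any offset) that equals a gadget address."""
    return sum(1 for off in range(len(data) - WORD + 1)
               if struct.unpack_from("<I", data, off)[0] in gadgets)


def find_chains(data: bytes, gadgets: dict, min_len: int = 3) -> list:
    """Inspection step: a hit at offset o for a gadget popping d words is
    linked to the next hit only if it sits at o + WORD*(d+1). Return every
    linked run of at least `min_len` gadgets as [(offset, address), ...]."""
    hits = {}
    for off in range(len(data) - WORD + 1):      # unaligned scan on purpose
        addr = struct.unpack_from("<I", data, off)[0]
        if addr in gadgets:
            hits[off] = addr
    chains, visited = [], set()
    for off in sorted(hits):
        if off in visited:
            continue
        chain, cur = [], off
        while cur in hits:
            visited.add(cur)
            addr = hits[cur]
            chain.append((cur, addr))
            cur += WORD * (gadgets[addr] + 1)    # skip popped words + ret slot
        if len(chain) >= min_len:
            chains.append(chain)
    return chains


# Constructed library image: nops, 'pop eax; ret', 'pop ecx; pop edx; ret', 'ret'.
LIB = bytes([0x90] * 4 + [0x58, 0xC3] + [0x90] * 3 + [0x59, 0x5A, 0xC3]
            + [0x90] * 2 + [0xC3] + [0x90] * 5)
BASE = 0x10000000                  # constructed load address
GADGETS = collect_gadgets(LIB, BASE)

# Constructed stream: a header, then a 4-gadget chain whose popped-word
# slots hold filler, so every return address lands where the ret expects it.
SAMPLE_CHAIN = (b"%PDF-1.4\n" + struct.pack("<IIIIIIII",
                BASE + 4, 0x41414141,             # pop eax; ret  (pops 1)
                BASE + 9, 0xDEADBEEF, 0xCAFEBABE,  # pop ecx; pop edx; ret (pops 2)
                BASE + 14,                         # ret
                BASE + 5,                          # ret
                0) + b"\n%%EOF")

# Constructed benign stream: two gadget addresses that do not link.
SAMPLE_BENIGN = (b"\x00" * 4 + struct.pack("<II", BASE + 4, BASE + 9)
                 + b"\x00" * 8)


if __name__ == "__main__":
    for name, blob in (("chain", SAMPLE_CHAIN), ("benign", SAMPLE_BENIGN)):
        print(name, "naive hits:", naive_hits(blob, GADGETS),
              "linked chains:", find_chains(blob, GADGETS))
```

The benign stream shows why the linkability check matters: an address-matching scanner reports two gadget hits in it, while `find_chains` reports nothing because neither hit is followed by another gadget address at the position its stack delta requires. Scanning at every byte offset rather than only aligned words is deliberate, since a chain embedded in a document or packet need not start on a word boundary.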
