(2015) Learning How to Prevent Return-Oriented Programming Efficiently.
Abstract
Return-oriented programming (ROP) is the most dangerous and most widely used technique to exploit software vulnerabilities. However, the solutions proposed in research often lack viability for real-life deployment. In this paper, we take a novel, statistical approach to detecting ROP programs. Our approach is based on the observation that ROP programs, when executed, produce different micro-architectural events than ordinary programs produced by compilers. Therefore, special registers of modern processors (hardware performance counters) that track these events can be leveraged to detect ROP attacks. We use machine learning techniques to generate a model of this different behavior, and develop a kernel module that detects and prevents ROP at runtime via the learned model. Our evaluation on real-world programs and attacks shows that the runtime overhead of this technique and the number of false positives are very low, while preventing all known types of ROP attacks, including recently developed evasion techniques.
Item Type: | Conference or Workshop Item (A Paper) (Paper) |
---|---|
Additional Information: | pub_id: 904 Bibtex: PfHaHa_15 URL date: 2016-06-15 |
Uncontrolled Keywords: | rop,security |
Divisions: | Unspecified |
Depositing User: | Sebastian Weisgerber |
Date Deposited: | 26 Jul 2017 10:30 |
Last Modified: | 18 Jul 2019 12:10 |
Primary Research Area: | NRA3: Threat Detection and Defenses |
URI: | https://publications.cispa.saarland/id/eprint/559 |