1 / 31

ROPecker : A Generic and Practical Approach for Defending against ROP Attacks

ROPecker : A Generic and Practical Approach for Defending against ROP Attacks. Yueqiang Cheng , Zongwei Zhou , Miao Yu, Xuhua Ding, Robert H. Deng NDSS 2014. Background . Typical memory exploit involves code injection Put malicious code in a predictable location

onaona
Télécharger la présentation

ROPecker : A Generic and Practical Approach for Defending against ROP Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ROPecker: A Generic and Practical Approach for Defending against ROP Attacks Yueqiang Cheng, Zongwei Zhou, Miao Yu, Xuhua Ding, Robert H. Deng NDSS 2014

  2. Background • Typical memory exploit involves code injection • Put malicious code in a predictable location • Pass control to it • non-executable (NX), WX • Hardware support • AMD “NX” bit, Intel “XD” bit (in post-2004 CPUs) • NX block most (if not all) code injection exploits

  3. Return-Oriented Programming stack actions code low 0x080484f4: pop %eax ret ... 0x080484f6: mov (%eax), %eax ret ... 0x080484cf: call %eax; ret … 0x08048675: sh\0 … 0x0804a014: system addr eax = 0x0804a014 esp eax = system addr Call system(sh) high

  4. ROP cont. • 0x080484f4: • pop %eax • ret • Gadgets • Codesection: functionality • Linking section: control transfer • indirect jump instruction (e.g., ret, call %eax, jmp %eax) • Aligned and unaligned • For non-fixed length instruction sets (e.g., x86) • SparseDistribution & Small size • ret-based ROP jmp/call-based ROP

  5. Last Branch Record (LBR) • Dedicated Registers • (srcip, dstip) • 16 pairs available • Enabled through MSR • Accessible in Ring-0 • NOT distinguish processes

  6. Existing Approaches • Prevention • Randomization: • Address Layout Space Randomization (ALSR) • Binary stirring (CCS’12) • Control flow integrity • CCFIR (S&P’13) • Detection • Abnormal behaviors • kBouncer, DROP

  7. Check Every Ret • & Call-Ret-Pair Checking & Ret Frequency Checking Existing Approaches Remove Gadgets & Instruction Randomization ROPdefender [AsiaCCS’11] Enforce Control Flow Integrity & Remove Gadgets HyperCrop [ICISS’11] DROP [ICISS '09] Performance Overhead Low High ILR and Smashing [Oakland’12] Return-less [EuroSys’10] G-Free [ACSAC’10] Binary Stirring [CCS’12] CFLocking [ACSAC '11] No rewriting Binary rewriting Program binary Source code Requirments

  8. Goals Detection & Prevention • Generic • ret-based & jmp/call-based • Transparent • w/o source code • keep the binary integrity • Low performance overhead

  9. Methodology • How to detect • A long sequence of gadgets • When to detect • Sliding window • Within, no intervention • Out of the window, check • Critical system calls

  10. Detection • Call-ret violation • Jmp/call-based attack • CFI • Completeness and accuracy • Victim’s Execution consists of • a long sequence of gadgets • chained by indirect branch instructions.

  11. Feasibility Gadget chain length • Normal execution • Max length 10 • ROP execution • Min length 17 • Detection length

  12. Time to detect • A sliding window • Within the window, no detection • When jump out, perform detection • Imple. • Only within the window, the code is executable • When jump out, page fault • Critical syscalls • mmap, mprotect, execev

  13. Sliding Window Update

  14. Feasibility • Sliding window size • large: better performance & worse accuracy • small: better accuracy & worse performance • ROP requirement • 20KB code size • 8KB (2 pages) or 16KB (4 pages)

  15. Algorithm

  16. Algorithm • Filter non-relevant events • Check the history • Gadget chain length in LBRs • Search the future • Gadget chain length in the future • Continue / Crash

  17. LBR record • NOT distinguish processes • Search backwards • Until context switch • (kernel IP, user IP) • Useful records • (context switch, Latest branch] 16 at most

  18. Execution emulator • Search the future execution • Possible gadgets • ret – predictable • jmp/call – need emulation • shadow environment • copy-on-write execution

  19. Pre-processing Phase ROPT Offline Processing Phase Arbitrary Binary Code Disassembly Engine Inst. & Gadget lists Inst. & Gadget Bit-Vectors Conversion Engine • 6 bytes each time • Byte by byte • Instruction & gadgets info

  20. IG Database • memory mapping • syscall interception • data structure analysis

  21. Architecture Stack … Run-time Phase Offline Phase libn App X Binary lib1 … CPU Apps Execution Trace Pre-processor ROPecker Kernel Module Instruction & Gadget Database Kernel

  22. Implementation • Prototype • Ubuntu12.04 with kernel 3.2.0-29 • A kernel module with 7K SLOC • Checking points • #PF exception • Critical system calls • open, close • mmap2, munmap, mprotect • execve

  23. Evaluation • Accuracy • Application with ROP attack • Normal applications • Performance • Micro-benchmark • Cost for system call interception, #PF exception • Cost for ROP checking • Macro benchmark • Benchmark suite

  24. Security Evaluation • Real attacks • ROPeme • Htediter (exploitDB) • Generated by Q • Gadgets inside 253 apps under /bin & /usr/bin • All detected

  25. SPEC INT2006 Benchmarks: CPU 2.6 % performance lose

  26. Disk I/O Performance: Bonnie++ 1.56 % performance overhead

  27. Network Performance: httpd

  28. Micro Benchmark

  29. Conclusion • Generic detection of ROP attack • Sliding window checks • Implementation & evaluation

  30. Thanks

  31. Discussions • Short gadget chain • Long gadget • ROP within sliding window • Dynamic sliding window size • Dynamically-generated code • Sliding window thrashing

More Related