About detection of code reuse attacks
Modelirovanie i analiz informacionnyh sistem, Tome 26 (2019) no. 2, pp. 213-228.

See the article record at its source, Math-Net.Ru

When exploiting software vulnerabilities such as buffer overflows, code reuse techniques are often used today. Such attacks bypass the protection against executing code on the stack that modern information systems implement in software and hardware. At the heart of these attacks lies finding suitable fragments of executable code (gadgets) in the vulnerable program and linking these gadgets into chains. The article proposes a way to protect applications from attacks that use code reuse. For this purpose, features that distinguish chains of gadgets from typical chains of the program's legitimate basic blocks are identified. The appearance of an atypical chain of basic blocks during program execution may indicate the execution of malicious code. An algorithm for identifying atypical chains has been developed. A feature of the algorithm is that it is aimed at identifying all currently known code reuse techniques. The developed algorithm is based on a modified QEMU virtualization system. One of the hallmarks of a chain of gadgets is the execution, at the end of the chain, of the processor instruction used to call an operating system function. For the Linux operating system on the x86/64 architecture, experiments have been conducted showing the importance of this feature in detecting the execution of malicious code.
Keywords: code reuse, software vulnerability.
@article{MAIS_2019_26_2_a2,
     author = {Yu. V. Kosolapov},
     title = {About detection of code reuse attacks},
     journal = {Modelirovanie i analiz informacionnyh sistem},
     pages = {213--228},
     publisher = {mathdoc},
     volume = {26},
     number = {2},
     year = {2019},
     language = {ru},
     url = {http://geodesic.mathdoc.fr/item/MAIS_2019_26_2_a2/}
}
Yu. V. Kosolapov. About detection of code reuse attacks. Modelirovanie i analiz informacionnyh sistem, Tome 26 (2019) no. 2, pp. 213-228. http://geodesic.mathdoc.fr/item/MAIS_2019_26_2_a2/
