eavesROP: Listening for ROP Payloads in Data Streams

Forskningsoutput: Kapitel i bok/rapport/Conference proceedingKonferenspaper i proceeding

Abstract

We consider the problem of detecting exploits based on
return-oriented programming. In contrast to previous works we investigate
to which extent we can detect ROP payloads by only analysing
streaming data, i.e., we do not assume any modifications to the target
machine, its kernel or its libraries. Neither do we attempt to execute any
potentially malicious code in order to determine if it is an attack. While
such a scenario has its limitations, we show that using a layered approach
with a filtering mechanism together with the Fast Fourier Transform, it
is possible to detect ROP payloads even in the presence of noise and
assuming that the target system employs ASLR. Our approach, denoted
eavesROP, thus provides a very lightweight and easily deployable mitigation
against certain ROP attacks. It also provides the added merit
of detecting the presence of a brute-force attack on ASLR since library
base addresses are not assumed to be known by eavesROP.

Detaljer

Författare
Enheter & grupper
Forskningsområden

Ämnesklassifikation (UKÄ) – OBLIGATORISK

  • Elektroteknik och elektronik
  • Datavetenskap (datalogi)

Nyckelord

Originalspråkengelska
Titel på värdpublikationInformation Security/Lecture Notes in Computer Science
RedaktörerSherman S. M. Chow, Jan Camenisch, Lucas C. K. Hui, Siu Ming Yiu
FörlagSpringer
Sidor413-424
Volym8783
ISBN (elektroniskt)978-3-319-13257-0
ISBN (tryckt)978-3-319-13256-3
StatusPublished - 2014
PublikationskategoriForskning
Peer review utfördJa
EvenemangISC 2014 - Hong Kong
Varaktighet: 2014 okt 122014 okt 14

Publikationsserier

NamnLecture Notes in Computer Science
FörlagSpringer International Publishing
Volym8783
ISSN (tryckt)0302-9743

Konferens

KonferensISC 2014
Period2014/10/122014/10/14

Nedladdningar

Ingen tillgänglig data