Sammanfattning
We consider the problem of detecting exploits based on
return-oriented programming. In contrast to previous works we investigate
to which extent we can detect ROP payloads by only analysing
streaming data, i.e., we do not assume any modifications to the target
machine, its kernel or its libraries. Neither do we attempt to execute any
potentially malicious code in order to determine if it is an attack. While
such a scenario has its limitations, we show that using a layered approach
with a filtering mechanism together with the Fast Fourier Transform, it
is possible to detect ROP payloads even in the presence of noise and
assuming that the target system employs ASLR. Our approach, denoted
eavesROP, thus provides a very lightweight and easily deployable mitigation
against certain ROP attacks. It also provides the added merit
of detecting the presence of a brute-force attack on ASLR since library
base addresses are not assumed to be known by eavesROP.
return-oriented programming. In contrast to previous works we investigate
to which extent we can detect ROP payloads by only analysing
streaming data, i.e., we do not assume any modifications to the target
machine, its kernel or its libraries. Neither do we attempt to execute any
potentially malicious code in order to determine if it is an attack. While
such a scenario has its limitations, we show that using a layered approach
with a filtering mechanism together with the Fast Fourier Transform, it
is possible to detect ROP payloads even in the presence of noise and
assuming that the target system employs ASLR. Our approach, denoted
eavesROP, thus provides a very lightweight and easily deployable mitigation
against certain ROP attacks. It also provides the added merit
of detecting the presence of a brute-force attack on ASLR since library
base addresses are not assumed to be known by eavesROP.
Originalspråk | engelska |
---|---|
Titel på värdpublikation | Information Security/Lecture Notes in Computer Science |
Redaktörer | Sherman S. M. Chow, Jan Camenisch, Lucas C. K. Hui, Siu Ming Yiu |
Förlag | Springer |
Sidor | 413-424 |
Volym | 8783 |
ISBN (elektroniskt) | 978-3-319-13257-0 |
ISBN (tryckt) | 978-3-319-13256-3 |
DOI | |
Status | Published - 2014 |
Evenemang | ISC 2014 - Hong Kong Varaktighet: 2014 okt. 12 → 2014 okt. 14 |
Publikationsserier
Namn | Lecture Notes in Computer Science |
---|---|
Förlag | Springer International Publishing |
Volym | 8783 |
ISSN (tryckt) | 0302-9743 |
Konferens
Konferens | ISC 2014 |
---|---|
Period | 2014/10/12 → 2014/10/14 |
Ämnesklassifikation (UKÄ)
- Elektroteknik och elektronik
- Datavetenskap (datalogi)