Academic Commons

Articles

ROP Payload Detection Using Speculative Code Execution

Polychronakis, Michalis; Keromytis, Angelos D.

The prevalence of code injection attacks has led to the wide adoption of exploit mitigations based on nonexecutable memory pages. In turn, attackers are increasingly relying on return-oriented programming (ROP) to bypass these protections. At the same time, existing detection techniques based on shellcode identification are oblivious to this new breed of exploits, since attack vectors may not contain binary code anymore. In this paper, we present a detection method for the identification of ROP payloads in arbitrary data such as network traffic or process memory buffers. Our technique speculatively drives the execution of code that already exists in the address space of a targeted process according to the scanned input data, and identifies the execution of valid ROP code at runtime. Our experimental evaluation demonstrates that our prototype implementation can detect a broad range of ROP exploits against Windows applications without false positives, while it can be easily integrated into existing defenses based on shell-code detection.

Subjects

Files

Also Published In

Title
Proceedings of the 6th International Conference on Malicious and Unwanted Software: October 18-19, 2011, Fajardo, Puerto Rico, USA
DOI
https://doi.org/10.1109/MALWARE.2011.6112327

More About This Work

Academic Units
Computer Science
Publisher
IEEE
Published Here
July 6, 2012
Academic Commons provides global access to research and scholarship produced at Columbia University, Barnard College, Teachers College, Union Theological Seminary and Jewish Theological Seminary. Academic Commons is managed by the Columbia University Libraries.