ROPocop — Dynamic mitigation of code-reuse attacks

Control-flow attacks, usually achieved by exploiting a buffer-overflow vulnerability, have been a serious threat to system security for over fifteen years. Researchers have answered the threat with various mitigation techniques; but nevertheless, new exploits that successfully bypass these technolog...

Celý popis

Uložené v:
Podrobná bibliografia
Vydané v:Journal of information security and applications Ročník 29; s. 16 - 26
Hlavní autori: Follner, Andreas, Bodden, Eric
Médium: Journal Article
Jazyk:English
Vydavateľské údaje: Elsevier Ltd 01.08.2016
Predmet:
Buffer overflow
Code-reuse attack
Dynamic binary instrumentation
Exploit mitigation
Return-oriented programming
System security
Code-reuse attack
Return-oriented programming
Exploit mitigation
System security
Buffer overflow
Dynamic binary instrumentation
ISSN:2214-2126
On-line prístup:Získať plný text
Tagy: Pridať tag
Žiadne tagy, Buďte prvý, kto otaguje tento záznam!
Popis
Shrnutí:Control-flow attacks, usually achieved by exploiting a buffer-overflow vulnerability, have been a serious threat to system security for over fifteen years. Researchers have answered the threat with various mitigation techniques; but nevertheless, new exploits that successfully bypass these technologies still appear on a regular basis. In this paper, we propose ROPocop, a novel approach for detecting and preventing the execution of injected code and for mitigating code-reuse attacks such as return-oriented programming (RoP). ROPocop uses dynamic binary instrumentation, requiring neither access to source code nor debug symbols or changes to the operating system. It mitigates attacks both by monitoring the program counter at potentially dangerous points and by detecting suspicious program flows. We have implemented ROPocop for Windows x86 using PIN, a dynamic program instrumentation framework from Intel. Benchmarks using the SPEC CPU2006 suite show an average overhead of 2.4×, which is comparable to similar approaches, which give weaker guarantees. Real-world applications show only an initially noticeable input lag and no stutter. In our evaluation our tool successfully detected all 11 of the latest real-world code-reuse exploits, with no false alarms. Therefore, despite the overhead, it is a viable, temporary solution to secure critical systems against exploits if a vendor patch is not yet available.
ISSN:2214-2126
DOI:10.1016/j.jisa.2016.01.002