On Detecting Code Reuse Attacks

— Today, a code reuse technique is often used when exploiting software vulnerabilities, such as a buffer overflow. These attacks bypass the protection against execution of code in the stack, which is implemented on the hardware and software levels in modern information systems. The attacks are based...

Full description

Saved in:
Bibliographic Details
Published in:Automatic control and computer sciences Vol. 54; no. 7; pp. 573 - 583
Main Author: Kosolapov, Y. V.
Format: Journal Article
Language:English
Published: Moscow Pleiades Publishing 01.12.2020
Springer Nature B.V
Subjects:
Algorithms
Chains
Code reuse
Computer Science
Control Structures and Microprogramming
Information systems
Malware
Microprocessors
Software reuse
software vulnerabilities
code reuse
ISSN:0146-4116, 1558-108X
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:— Today, a code reuse technique is often used when exploiting software vulnerabilities, such as a buffer overflow. These attacks bypass the protection against execution of code in the stack, which is implemented on the hardware and software levels in modern information systems. The attacks are based on finding suitable sections of executable code–gadgets–in the vulnerable program and linking these gadgets into chains. The article proposes a method to protect applications against code reuse attacks. The method is based on detecting properties that distinguish between chains of gadgets and typical chains of legitimate program basic blocks. The appearance of an atypical chain of basic blocks during program execution may indicate the execution of a malicious code. One of the properties of a chain of gadgets is that at the end of the chain a special processor instruction used to call a function of the operating system is executed. Experiments are carried out for the x86/64 Linux operating system which show the importance of this property for detecting malicious code execution. An algorithm for identifying atypical chains is developed which makes it possible to detect all currently known code reuse techniques.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:0146-4116
1558-108X
DOI:10.3103/S0146411620070111