{"title":"使用推测代码执行的ROP有效负载检测","authors":"M. Polychronakis, A. Keromytis","doi":"10.1109/MALWARE.2011.6112327","DOIUrl":null,"url":null,"abstract":"The prevalence of code injection attacks has led to the wide adoption of exploit mitigations based on nonexecutable memory pages. In turn, attackers are increasingly relying on return-oriented programming (ROP) to bypass these protections. At the same time, existing detection techniques based on shellcode identification are oblivious to this new breed of exploits, since attack vectors may not contain binary code anymore. In this paper, we present a detection method for the identification of ROP payloads in arbitrary data such as network traffic or process memory buffers. Our technique speculatively drives the execution of code that already exists in the address space of a targeted process according to the scanned input data, and identifies the execution of valid ROP code at runtime. Our experimental evaluation demonstrates that our prototype implementation can detect a broad range of ROP exploits against Windows applications without false positives, while it can be easily integrated into existing defenses based on shell-code detection.","PeriodicalId":375300,"journal":{"name":"2011 6th International Conference on Malicious and Unwanted Software","volume":"97 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-10-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"49","resultStr":"{\"title\":\"ROP payload detection using speculative code execution\",\"authors\":\"M. Polychronakis, A. Keromytis\",\"doi\":\"10.1109/MALWARE.2011.6112327\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The prevalence of code injection attacks has led to the wide adoption of exploit mitigations based on nonexecutable memory pages. In turn, attackers are increasingly relying on return-oriented programming (ROP) to bypass these protections. At the same time, existing detection techniques based on shellcode identification are oblivious to this new breed of exploits, since attack vectors may not contain binary code anymore. In this paper, we present a detection method for the identification of ROP payloads in arbitrary data such as network traffic or process memory buffers. Our technique speculatively drives the execution of code that already exists in the address space of a targeted process according to the scanned input data, and identifies the execution of valid ROP code at runtime. Our experimental evaluation demonstrates that our prototype implementation can detect a broad range of ROP exploits against Windows applications without false positives, while it can be easily integrated into existing defenses based on shell-code detection.\",\"PeriodicalId\":375300,\"journal\":{\"name\":\"2011 6th International Conference on Malicious and Unwanted Software\",\"volume\":\"97 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2011-10-18\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"49\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2011 6th International Conference on Malicious and Unwanted Software\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/MALWARE.2011.6112327\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 6th International Conference on Malicious and Unwanted Software","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/MALWARE.2011.6112327","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
ROP payload detection using speculative code execution
The prevalence of code injection attacks has led to the wide adoption of exploit mitigations based on nonexecutable memory pages. In turn, attackers are increasingly relying on return-oriented programming (ROP) to bypass these protections. At the same time, existing detection techniques based on shellcode identification are oblivious to this new breed of exploits, since attack vectors may not contain binary code anymore. In this paper, we present a detection method for the identification of ROP payloads in arbitrary data such as network traffic or process memory buffers. Our technique speculatively drives the execution of code that already exists in the address space of a targeted process according to the scanned input data, and identifies the execution of valid ROP code at runtime. Our experimental evaluation demonstrates that our prototype implementation can detect a broad range of ROP exploits against Windows applications without false positives, while it can be easily integrated into existing defenses based on shell-code detection.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
