ROPGMN：利用动态特征和图匹配网络有效发现 ROP 和变体

IF 6.2 2区计算机科学 Q1 COMPUTER SCIENCE, THEORY & METHODS

Future Generation Computer Systems-The International Journal of Escience Pub Date : 2024-10-22 DOI:10.1016/j.future.2024.107567

Weina Niu , Kexuan Zhang , Ran Yan , Jie Li , Yan Zhang , Xiaosong Zhang

{"title":"ROPGMN：利用动态特征和图匹配网络有效发现 ROP 和变体","authors":"Weina Niu , Kexuan Zhang , Ran Yan , Jie Li , Yan Zhang , Xiaosong Zhang","doi":"10.1016/j.future.2024.107567","DOIUrl":null,"url":null,"abstract":"<div><div>Return Oriented Programming (ROP) is one of the most challenging threats to operating systems. Traditional detection and defense techniques for ROP such as stack protection, address randomization, compiler optimization, control flow integrity, and basic block thresholds have certain limitations in accuracy or efficiency. At the same time, they cannot effectively detect ROP variant attacks, such as COP, COOP, JOP. In this paper, we propose a novel ROP and its variants detection approach that first filters the normal execution flow according to four strategies provided and then adopts Graph Matching Network (GMN) to determine whether there is ROP or its variant attack. Moreover, we developed a prototype named ROPGMN with shared memory to solve cross-language and cross-process problems. Using real-world vulnerable programs and constructed programs with dangerous function calls, we conduct extensive experiments with 6 ROP detectors to evaluate ROPGMN. The experimental results demonstrate the effectiveness of ROPGMN in discovering ROPs and their variant attacks with low performance overhead.</div></div>","PeriodicalId":55132,"journal":{"name":"Future Generation Computer Systems-The International Journal of Escience","volume":"164 ","pages":"Article 107567"},"PeriodicalIF":6.2000,"publicationDate":"2024-10-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"ROPGMN: Effective ROP and variants discovery using dynamic feature and graph matching network\",\"authors\":\"Weina Niu , Kexuan Zhang , Ran Yan , Jie Li , Yan Zhang , Xiaosong Zhang\",\"doi\":\"10.1016/j.future.2024.107567\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Return Oriented Programming (ROP) is one of the most challenging threats to operating systems. Traditional detection and defense techniques for ROP such as stack protection, address randomization, compiler optimization, control flow integrity, and basic block thresholds have certain limitations in accuracy or efficiency. At the same time, they cannot effectively detect ROP variant attacks, such as COP, COOP, JOP. In this paper, we propose a novel ROP and its variants detection approach that first filters the normal execution flow according to four strategies provided and then adopts Graph Matching Network (GMN) to determine whether there is ROP or its variant attack. Moreover, we developed a prototype named ROPGMN with shared memory to solve cross-language and cross-process problems. Using real-world vulnerable programs and constructed programs with dangerous function calls, we conduct extensive experiments with 6 ROP detectors to evaluate ROPGMN. The experimental results demonstrate the effectiveness of ROPGMN in discovering ROPs and their variant attacks with low performance overhead.</div></div>\",\"PeriodicalId\":55132,\"journal\":{\"name\":\"Future Generation Computer Systems-The International Journal of Escience\",\"volume\":\"164 \",\"pages\":\"Article 107567\"},\"PeriodicalIF\":6.2000,\"publicationDate\":\"2024-10-22\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Future Generation Computer Systems-The International Journal of Escience\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0167739X24005314\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, THEORY & METHODS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Future Generation Computer Systems-The International Journal of Escience","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167739X24005314","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}

引用次数: 0

摘要

面向返回编程（ROP）是操作系统面临的最具挑战性的威胁之一。传统的 ROP 检测和防御技术，如堆栈保护、地址随机化、编译器优化、控制流完整性和基本块阈值等，在准确性或效率上都有一定的局限性。同时，它们也无法有效检测 ROP 变体攻击，如 COP、COOP、JOP。本文提出了一种新的 ROP 及其变种检测方法，首先根据提供的四种策略过滤正常执行流，然后采用图形匹配网络（GMN）来判断是否存在 ROP 或其变种攻击。此外，我们还开发了一种名为 ROPGMN 的共享内存原型，用于解决跨语言和跨进程问题。我们使用真实世界中的脆弱程序和带有危险函数调用的构造程序，用 6 种 ROP 检测器进行了大量实验，以评估 ROPGMN。实验结果表明，ROPGMN 能以较低的性能开销有效地发现 ROP 及其变体攻击。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

ROPGMN: Effective ROP and variants discovery using dynamic feature and graph matching network

Return Oriented Programming (ROP) is one of the most challenging threats to operating systems. Traditional detection and defense techniques for ROP such as stack protection, address randomization, compiler optimization, control flow integrity, and basic block thresholds have certain limitations in accuracy or efficiency. At the same time, they cannot effectively detect ROP variant attacks, such as COP, COOP, JOP. In this paper, we propose a novel ROP and its variants detection approach that first filters the normal execution flow according to four strategies provided and then adopts Graph Matching Network (GMN) to determine whether there is ROP or its variant attack. Moreover, we developed a prototype named ROPGMN with shared memory to solve cross-language and cross-process problems. Using real-world vulnerable programs and constructed programs with dangerous function calls, we conduct extensive experiments with 6 ROP detectors to evaluate ROPGMN. The experimental results demonstrate the effectiveness of ROPGMN in discovering ROPs and their variant attacks with low performance overhead.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Future Generation Computer Systems-The International Journal of Escience 工程技术-计算机：理论方法

CiteScore

19.90

自引率

2.70%

发文量

376

审稿时长

10.6 months

期刊介绍： Computing infrastructures and systems are constantly evolving, resulting in increasingly complex and collaborative scientific applications. To cope with these advancements, there is a growing need for collaborative tools that can effectively map, control, and execute these applications. Furthermore, with the explosion of Big Data, there is a requirement for innovative methods and infrastructures to collect, analyze, and derive meaningful insights from the vast amount of data generated. This necessitates the integration of computational and storage capabilities, databases, sensors, and human collaboration. Future Generation Computer Systems aims to pioneer advancements in distributed systems, collaborative environments, high-performance computing, and Big Data analytics. It strives to stay at the forefront of developments in grids, clouds, and the Internet of Things (IoT) to effectively address the challenges posed by these wide-area, fully distributed sensing and computing systems.