DOI: 10.1145/2818000.2818023

Defeating ROP Through Denial of Stack Pivot

Published: 07 December 2015

Abstract

Return-Oriented Programming (ROP) is a popular and prevalent infiltration technique. While current solutions based on code randomization, artificial diversification and Control-Flow Integrity (CFI) have made ROP attacks harder to accomplish, they have not eliminated them. In particular, CFI-based approaches lack incremental deployability and impose high performance overhead, failing two key requirements for practical application. In this paper, we present a novel compiler-level defense against ROP attacks. We observe that stack pivoting, a key step in executing ROP attacks, often moves the stack pointer from the stack region to a non-stack (often heap) region, thereby violating the integrity of the stack pointer. Unlike CFI-based defenses, our defense does not rely on the control flow of the program. Instead, we assert the sanity of the stack pointer at predetermined execution points in order to detect stack pivoting and thereby defeat ROP. The key advantage of our approach is that it allows for incremental deployability, an Achilles heel for CFI: we can selectively protect some modules, which can then coexist with other, unprotected modules. Other advantages include: (1) we do not depend on ASLR, which is particularly vulnerable to information disclosure attacks, and (2) we make no assumptions about the so-called "gadgets". We implemented our defense in a proof-of-concept LLVM-based system called PBlocker. We evaluated PBlocker on the SPEC 2006 benchmark and show an average runtime overhead of 1.04%.
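The stack-pointer sanity check the abstract describes, as an added example written for this page: it is not PBlocker's code and does not reproduce the paper's instrumentation points. It assumes a Linux-style process whose stack grows downward and is bounded by RLIMIT_STACK, and it approximates the legitimate stack region from the address of an early frame plus that limit rather than querying the thread's real mapping (a production version would use pthread_getattr_np() or the thread's stack mapping). The names record_stack_bounds, sp_is_sane, checkpoint and the two pivot_* helpers are this example's own, and the heap "ROP chain" is constructed dummy data. The check is fed the value a pivot gadget would have placed in SP instead of actually moving SP, so the program can run to completion.

```c
/* Added example: a range check on the stack pointer of the kind the abstract
 * describes (detect SP leaving the stack region). NOT the PBlocker
 * implementation from the paper.
 * ASSUMPTIONS: downward-growing stack bounded by RLIMIT_STACK; bounds are
 * approximated from a frame address plus that limit. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Bounds [lo, hi) of the legitimate stack region, recorded once at startup. */
static uintptr_t g_stack_lo = 0, g_stack_hi = 0;

/* Approximate the current thread's stack region. ASSUMPTION: the stack grows
 * downward from just above this frame and is at most RLIMIT_STACK bytes. */
static void record_stack_bounds(void) {
    uintptr_t here = (uintptr_t)__builtin_frame_address(0);
    struct rlimit rl;
    uintptr_t limit = 8u << 20;                       /* 8 MiB if unknown */
    if (getrlimit(RLIMIT_STACK, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        limit = (uintptr_t)rl.rlim_cur;
    if (limit > (1u << 30)) limit = 1u << 30;         /* cap "unlimited" */
    g_stack_hi = here + (1u << 20);                   /* slack for frames above us */
    g_stack_lo = (here > limit) ? here - limit : 0;
}

/* The test an instrumented program would run on RSP/SP at each checkpoint:
 * true if the stack pointer still lies inside the recorded stack region. */
static bool sp_is_sane(uintptr_t sp) {
    return g_stack_lo != g_stack_hi && sp >= g_stack_lo && sp < g_stack_hi;
}

/* A checkpoint as it would be inserted at a predetermined execution point:
 * read the current frame address as a stand-in for SP and verify it. */
static bool checkpoint(void) {
    return sp_is_sane((uintptr_t)__builtin_frame_address(0));
}

/* Simulate a pivot gadget such as `xchg eax, esp; ret`: the attacker's chain
 * lives in a heap buffer and SP is redirected onto it. We feed that would-be
 * SP value to the same check instead of really moving SP. */
static bool pivot_to_heap_detected(void) {
    uint64_t *fake_stack = malloc(16 * sizeof *fake_stack);   /* constructed "ROP chain" */
    if (!fake_stack) abort();
    for (int i = 0; i < 16; i++)
        fake_stack[i] = 0x4141414141414141ull;                /* dummy gadget addresses */
    uintptr_t pivoted_sp = (uintptr_t)&fake_stack[4];
    bool detected = !sp_is_sane(pivoted_sp);
    free(fake_stack);
    return detected;
}

/* Caveat behind the abstract's "often": a pivot that lands elsewhere inside
 * the stack region (e.g. into a caller's local buffer) passes a pure range
 * check. Returns false, i.e. not detected, on purpose. */
static bool pivot_within_stack_detected(void) {
    uint64_t stack_buf[32];                           /* attacker-controlled stack data */
    memset(stack_buf, 0x42, sizeof stack_buf);
    uintptr_t pivoted_sp = (uintptr_t)&stack_buf[8];
    return !sp_is_sane(pivoted_sp);
}

int main(void) {
    record_stack_bounds();
    printf("normal checkpoint passes:  %s\n", checkpoint() ? "yes" : "no");
    printf("heap pivot detected:       %s\n", pivot_to_heap_detected() ? "yes" : "no");
    printf("in-stack pivot detected:   %s\n", pivot_within_stack_detected() ? "yes" : "no");
    return 0;
}
```

The third result is the limitation a practitioner should keep in mind when deploying a range-based pivot detector: it catches the common heap pivot without any knowledge of gadgets or control flow, but a chain staged inside the stack region itself needs a complementary defense (a shadow stack or stack canaries, for instance).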


Published In

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference
December 2015
489 pages
ISBN:9781450336826
DOI:10.1145/2818000
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC 2015

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Cited By

  • Efficient Scheduler Live Update for Linux Kernel with Modularization. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3, pages 194-207, 25 March 2023. DOI: 10.1145/3582016.3582054
  • Detecting and Preventing ROP Attacks using Machine Learning on ARM. 2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC), pages 667-677, June 2023. DOI: 10.1109/COMPSAC57700.2023.00092
  • Practical Software-Based Shadow Stacks on x86-64. ACM Transactions on Architecture and Code Optimization 19(4), pages 1-26, 7 October 2022. DOI: 10.1145/3556977
  • Adelie: continuous address space layout re-randomization for Linux drivers. Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pages 483-498, 28 February 2022. DOI: 10.1145/3503222.3507779
  • Buddy Stacks: Protecting Return Addresses with Efficient Thread-Local Storage and Runtime Re-Randomization. ACM Transactions on Software Engineering and Methodology 31(2), pages 1-37, 4 March 2022. DOI: 10.1145/3494516
  • Glyph: Efficient ML-Based Detection of Heap Spraying Attacks. IEEE Transactions on Information Forensics and Security 16, pages 740-755, 2021. DOI: 10.1109/TIFS.2020.3017925
  • Track Conventions, Not Attack Signatures: Fortifying X86 ABI and System Call Interfaces to Mitigate Code Reuse Attacks. 2021 International Symposium on Secure and Private Execution Environment Design (SEED), pages 176-188, September 2021. DOI: 10.1109/SEED51797.2021.00029
  • KEPLER. Proceedings of the 28th USENIX Security Symposium, pages 1187-1204, 14 August 2019. DOI: 10.5555/3361338.3361421
  • SoK: Shining Light on Shadow Stacks. 2019 IEEE Symposium on Security and Privacy (SP), pages 985-999, May 2019. DOI: 10.1109/SP.2019.00076
  • Practical Enclave Malware with Intel SGX. Detection of Intrusions and Malware, and Vulnerability Assessment, pages 177-196, 6 June 2019. DOI: 10.1007/978-3-030-22038-9_9
