Advanced

eavesROP: Listening for ROP Payloads in Data Streams (preliminary full version)

Jämthagen, Christopher LU ; Karlsson, Linus LU ; Stankovski, Paul LU and Hell, Martin LU (2014)
Abstract
We consider the problem of detecting exploits based on return-oriented programming. In contrast to previous works we investigate to which extent we can detect ROP payloads by only analysing streaming data, i.e., we do not assume any modifications to the target machine, its kernel or its libraries. Neither do we attempt to execute any potentially malicious code in order to determine if it is an attack. While such a scenario has its limitations, we show that using a layered approach with a filtering mechanism together with the Fast Fourier Transform, it is possible to detect ROP payloads even in the presence of noise and assuming that the target system employs ASLR. Our approach, denoted eavesROP, thus provides a very lightweight and easily... (More)
We consider the problem of detecting exploits based on return-oriented programming. In contrast to previous works we investigate to which extent we can detect ROP payloads by only analysing streaming data, i.e., we do not assume any modifications to the target machine, its kernel or its libraries. Neither do we attempt to execute any potentially malicious code in order to determine if it is an attack. While such a scenario has its limitations, we show that using a layered approach with a filtering mechanism together with the Fast Fourier Transform, it is possible to detect ROP payloads even in the presence of noise and assuming that the target system employs ASLR. Our approach, denoted eavesROP, thus provides a very lightweight and easily deployable mitigation against certain ROP attacks. It also provides the added merit of detecting the presence of a brute-force attack on ASLR since library base addresses are not assumed to be known by eavesROP. (Less)
Please use this url to cite or link to this publication:
author
organization
publishing date
type
Book/Report
publication status
unpublished
subject
keywords
Return-Oriented Programming, ROP, Pattern Matching, ASLR
publisher
[Publisher information missing]
language
English
LU publication?
yes
id
dbb301a9-b97e-44b9-b800-23a8f89e6c0f (old id 4586662)
date added to LUP
2014-08-14 10:18:29
date last changed
2016-04-16 12:18:06
@techreport{dbb301a9-b97e-44b9-b800-23a8f89e6c0f,
  abstract     = {We consider the problem of detecting exploits based on return-oriented programming. In contrast to previous works we investigate to which extent we can detect ROP payloads by only analysing streaming data, i.e., we do not assume any modifications to the target machine, its kernel or its libraries. Neither do we attempt to execute any potentially malicious code in order to determine if it is an attack. While such a scenario has its limitations, we show that using a layered approach with a filtering mechanism together with the Fast Fourier Transform, it is possible to detect ROP payloads even in the presence of noise and assuming that the target system employs ASLR. Our approach, denoted eavesROP, thus provides a very lightweight and easily deployable mitigation against certain ROP attacks. It also provides the added merit of detecting the presence of a brute-force attack on ASLR since library base addresses are not assumed to be known by eavesROP.},
  author       = {Jämthagen, Christopher and Karlsson, Linus and Stankovski, Paul and Hell, Martin},
  institution  = {[Publisher information missing]},
  keyword      = {Return-Oriented Programming,ROP,Pattern Matching,ASLR},
  language     = {eng},
  title        = {eavesROP: Listening for ROP Payloads in Data Streams (preliminary full version)},
  year         = {2014},
}