eavesROP: Listening for ROP Payloads in Data Streams

Jämthagen, Christopher; Karlsson, Linus; Stankovski, Paul; Hell, Martin

eavesROP: Listening for ROP Payloads in Data Streams

Mark

Jämthagen, Christopher ^LU ; Karlsson, Linus ^LU

; Stankovski, Paul ^LU

and Hell, Martin ^LU (2014) ISC 2014 In Lecture Notes in Computer Science 8783. p.413-424

Abstract: We consider the problem of detecting exploits based on

return-oriented programming. In contrast to previous works we investigate

to which extent we can detect ROP payloads by only analysing

streaming data, i.e., we do not assume any modifications to the target

machine, its kernel or its libraries. Neither do we attempt to execute any

potentially malicious code in order to determine if it is an attack. While

such a scenario has its limitations, we show that using a layered approach

with a filtering mechanism together with the Fast Fourier Transform, it

is possible to detect ROP payloads even in the presence of noise and

assuming that the target system employs... (More); We consider the problem of detecting exploits based on

return-oriented programming. In contrast to previous works we investigate

to which extent we can detect ROP payloads by only analysing

streaming data, i.e., we do not assume any modifications to the target

machine, its kernel or its libraries. Neither do we attempt to execute any

potentially malicious code in order to determine if it is an attack. While

such a scenario has its limitations, we show that using a layered approach

with a filtering mechanism together with the Fast Fourier Transform, it

is possible to detect ROP payloads even in the presence of noise and

assuming that the target system employs ASLR. Our approach, denoted

eavesROP, thus provides a very lightweight and easily deployable mitigation

against certain ROP attacks. It also provides the added merit

of detecting the presence of a brute-force attack on ASLR since library

base addresses are not assumed to be known by eavesROP. (Less)

Please use this url to cite or link to this publication: https://lup.lub.lu.se/record/4861887

author

Jämthagen, Christopher ^LU ; Karlsson, Linus ^LU

; Stankovski, Paul ^LU

and Hell, Martin ^LU

organization

publishing date

2014

type

Chapter in Book/Report/Conference proceeding

publication status

published

subject

keywords

Return-Oriented Programming, ROP, Pattern Matching, ASLR

host publication

Information Security/Lecture Notes in Computer Science

series title

Lecture Notes in Computer Science

editor

Chow, Sherman S. M. ; Camenisch, Jan ; Hui, Lucas C. K. and Yiu, Siu Ming

volume

8783

pages

413 - 424

publisher

Springer

conference name

ISC 2014

conference dates

2014-10-12 - 2014-10-14

external identifiers

scopus:84921341193

ISSN

0302-9743

ISBN

978-3-319-13256-3

978-3-319-13257-0

DOI

10.1007/978-3-319-13257-0_25

language

English

LU publication?

yes

id

0fde4dfb-021b-4f03-8019-e239b9a19c02 (old id 4861887)

date added to LUP

2016-04-04 11:44:16

date last changed

2025-01-06 20:27:50

@inproceedings{0fde4dfb-021b-4f03-8019-e239b9a19c02,
  abstract     = {{We consider the problem of detecting exploits based on<br/><br>
return-oriented programming. In contrast to previous works we investigate<br/><br>
to which extent we can detect ROP payloads by only analysing<br/><br>
streaming data, i.e., we do not assume any modifications to the target<br/><br>
machine, its kernel or its libraries. Neither do we attempt to execute any<br/><br>
potentially malicious code in order to determine if it is an attack. While<br/><br>
such a scenario has its limitations, we show that using a layered approach<br/><br>
with a filtering mechanism together with the Fast Fourier Transform, it<br/><br>
is possible to detect ROP payloads even in the presence of noise and<br/><br>
assuming that the target system employs ASLR. Our approach, denoted<br/><br>
eavesROP, thus provides a very lightweight and easily deployable mitigation<br/><br>
against certain ROP attacks. It also provides the added merit<br/><br>
of detecting the presence of a brute-force attack on ASLR since library<br/><br>
base addresses are not assumed to be known by eavesROP.}},
  author       = {{Jämthagen, Christopher and Karlsson, Linus and Stankovski, Paul and Hell, Martin}},
  booktitle    = {{Information Security/Lecture Notes in Computer Science}},
  editor       = {{Chow, Sherman S. M. and Camenisch, Jan and Hui, Lucas C. K. and Yiu, Siu Ming}},
  isbn         = {{978-3-319-13256-3}},
  issn         = {{0302-9743}},
  keywords     = {{Return-Oriented Programming; ROP; Pattern Matching; ASLR}},
  language     = {{eng}},
  pages        = {{413--424}},
  publisher    = {{Springer}},
  series       = {{Lecture Notes in Computer Science}},
  title        = {{eavesROP: Listening for ROP Payloads in Data Streams}},
  url          = {{https://lup.lub.lu.se/search/files/12849163/eavesROP.pdf}},
  doi          = {{10.1007/978-3-319-13257-0_25}},
  volume       = {{8783}},
  year         = {{2014}},
}

Lund University Publications

LUND UNIVERSITY LIBRARIES

eavesROP: Listening for ROP Payloads in Data Streams