ret - NUS Security Research

ROPecker:
A Generic and Practical Approach
for Defending against ROP Attacks
Yueqiang Cheng, Zongwei Zhou, Miao Yu,
Xuhua Ding, Robert H. Deng
NDSS 2014
Background
• Typical memory exploit involves code injection
– Put malicious code in a predictable location
– Pass control to it
• Non-executable memory (NX), W⊕X
– Hardware support
• AMD "NX" bit, Intel "XD" bit (in post-2004 CPUs)
– NX blocks most (if not all) code-injection exploits
Return-Oriented Programming

Stack (low addresses at the top, high at the bottom; esp points at the first entry):

    esp -> 0x080484f4    address of gadget 1
           0x0804a014    value popped into %eax
           0x080484f6    address of gadget 2
           0x080484cf    address of gadget 3
           0x08048675    address of the string "sh\0"

Code (existing instructions and data in the binary):

    0x080484f4:  pop %eax
                 ret
    ...
    0x080484f6:  mov (%eax), %eax
                 ret
    ...
    0x080484cf:  call %eax
                 ret
    ...
    0x08048675:  "sh\0"
    ...
    0x0804a014:  system addr

Actions:
    eax = 0x0804a014
    eax = system addr
    call system("sh")
ROP cont.
• Gadgets
– Code section: functionality
– Linking section: control transfer
– Example: 0x080484f4: pop %eax (code section); ret (linking section)
• Indirect jump instruction (e.g., ret, call %eax, jmp %eax)
– Aligned and unaligned
• For non-fixed-length instruction sets (e.g., x86)
– Sparse distribution & small size
– ret-based ROP vs. jmp/call-based ROP
Last Branch Record (LBR)
• Dedicated registers
– (src ip, dst ip)
– 16 pairs available
– Enabled through an MSR
– Accessible in Ring-0
– Does not distinguish between processes
Existing Approaches
• Prevention
– Randomization:
• Address Space Layout Randomization (ASLR)
• Binary stirring (CCS’12)
– Control flow integrity
• CCFIR (S&P’13)
• Detection
– Abnormal behaviors
– kBouncer, DROP
[Figure: existing approaches plotted by performance overhead (high / low) against requirements (no rewriting; binary rewriting; program binary; source code). Techniques shown: check every ret & call-ret-pair checking, ret frequency checking, remove gadgets & enforce control flow integrity, instruction randomization & remove gadgets. Systems shown: ROPdefender [AsiaCCS'11], DROP [ICISS'09], HyperCrop [ICISS'11], ILR and Smashing [Oakland'12], Binary Stirring [CCS'12], G-Free [ACSAC'10], Return-less [EuroSys'10], CFLocking [ACSAC'11].]
Goals
Detection & Prevention
• Generic
– ret-based & jmp/call-based
• Transparent
– w/o source code
– keep the binary integrity
• Low performance overhead
Methodology
• How to detect
– A long sequence of gadgets
• When to detect
– Sliding window
• Within the window, no intervention
• Outside the window, check
– Critical system calls
Detection
• Call-ret violation checking
– Does not cover jmp/call-based attacks
• CFI
– Completeness and accuracy
• Victim's execution consists of
– a long sequence of gadgets
– chained by indirect branch instructions
Feasibility
Gadget chain length
• Normal execution
– Max length 10
• ROP execution
– Min length 17
• Detection length
– Max normal length < detection length < min ROP length
Time to detect
• A sliding window
– Within the window, no detection
– When execution leaves the window, perform detection
– Implementation
• Only the code within the window is executable
• Leaving the window triggers a page fault
• Critical syscalls
– mmap, mprotect, execve
Sliding Window Update
Feasibility
• Sliding window size
– Large: better performance, worse accuracy
– Small: better accuracy, worse performance
• ROP requirement
– 20KB code size
• 8KB (2 pages) or 16KB (4 pages)
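Added example (not from the paper or its kernel module): a Python model of the two checkpoints on the "Time to detect" slide, a sliding window of executable pages plus critical syscalls, replayed over constructed traces to count how often the detector would run for a 2-page versus a 4-page window. The window update policy (keep the most recently faulted-in pages) and all addresses are assumptions.

```python
PAGE_SHIFT = 12                                   # 4 KB pages, as on the slides
CRITICAL_SYSCALLS = {"open", "close", "mmap2", "munmap", "mprotect", "execve"}

class SlidingWindow:
    """Only the pages in the window are executable; fetching from any other page raises
    #PF, which runs the ROP check and then slides the window.  Update policy (keep the
    most recently faulted-in pages) is an assumption, not taken from the paper."""
    def __init__(self, pages, check):
        self.pages, self.check = pages, check
        self.window, self.checks = [], 0

    def fetch(self, ip):
        page = ip >> PAGE_SHIFT
        if page in self.window:
            return False                          # inside the window: no intervention
        self.checks += 1
        self.check(ip)                            # #PF -> detection runs here
        self.window = (self.window + [page])[-self.pages:]
        return True

    def syscall(self, name):
        if name in CRITICAL_SYSCALLS:             # second checkpoint: critical syscalls
            self.checks += 1
            self.check(None)
            return True
        return False

def count_checks(trace, pages):
    """Replay a constructed trace of ("exec", ip) / ("syscall", name) events and return
    how many times the detector would have run for a window of the given size."""
    w = SlidingWindow(pages, lambda ip: None)
    for kind, arg in trace:
        w.fetch(arg) if kind == "exec" else w.syscall(arg)
    return w.checks

# Constructed traces (addresses made up).  Normal code stays within two pages and issues
# one critical syscall; the gadget chain hops across three pages on every branch.
NORMAL_TRACE = [("exec", 0x08048000), ("exec", 0x08048100), ("exec", 0x08049000),
                ("exec", 0x08048200), ("exec", 0x08049100), ("syscall", "write"),
                ("syscall", "mmap2")]
ROP_TRACE = [("exec", ip) for ip in (0x080484F4, 0x0804A100, 0x0804C000) * 4]
```

With a 2-page window the three-page chain faults on every gadget (12 checks), while the 4-page window holds all three pages after the first round (3 checks), which is the performance/accuracy trade-off stated on the slide.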
Algorithm
1. Filter non-relevant events
2. Check the history
– Gadget chain length in LBRs
3. Search the future
– Gadget chain length in the future
4. Continue / Crash
LBR record
• Does not distinguish between processes
• Search backwards
– Until a context switch
– Identified by a (kernel IP, user IP) pair
• Useful records
– Those in (context switch, latest branch]: 16 at most
Execution emulator
• Search the future execution
– Possible gadgets
• ret – predictable
• jmp/call – need emulation
– shadow environment
– copy-on-write execution
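The history check (step 2) and the future search (step 3) of the algorithm slide, as an added Python model that is not ROPecker's code (the real system is a Linux kernel module): the LBR walk stops at the last kernel-to-user record, the stack walk follows the predictable targets of ret-based gadgets, and the two lengths together are compared with the detection length. The kernel address split, the detection length of 11 and the gadget table are assumptions; the LBR and stack contents are constructed, and jmp/call gadgets (which need the emulator) are not modelled.

```python
from dataclasses import dataclass

KERNEL_BASE = 0xC0000000       # assumption: 32-bit Linux, kernel mapped above 3 GB
LBR_ENTRIES = 16               # 16 (src, dst) pairs, as on the LBR slide
DETECTION_LENGTH = 11          # assumption: any value between max normal (10) and min ROP (17)
WORD = 4

@dataclass(frozen=True)
class Branch:
    src: int                   # source IP of the taken branch
    dst: int                   # destination IP

def history_chain_length(lbr, gadget_starts):
    # Step 2: walk the LBR newest-first, counting consecutive branches that land on a
    # gadget; stop at the most recent context switch (a record whose source is a kernel IP).
    length = 0
    for rec in reversed(lbr[-LBR_ENTRIES:]):
        if rec.src >= KERNEL_BASE or rec.dst not in gadget_starts:
            break
        length += 1
    return length

def future_chain_length(stack, esp, gadget_starts):
    # Step 3, ret-based chains only: the next gadget is predictable from the stack.
    # gadget_starts maps gadget address -> words it pops before its ret, so the next
    # return address sits at esp + WORD * (pops + 1).
    length = 0
    while esp in stack and stack[esp] in gadget_starts:
        length += 1
        esp += WORD * (gadget_starts[stack[esp]] + 1)
    return length

def is_rop(lbr, stack, esp, gadget_starts):
    # Step 4: continue if history plus predicted future stays short, otherwise crash.
    total = history_chain_length(lbr, gadget_starts) + future_chain_length(stack, esp, gadget_starts)
    return total >= DETECTION_LENGTH

# Constructed gadget table (addresses from the ROP slide; value = words popped before ret).
GADGETS = {0x080484F4: 1, 0x080484F6: 0, 0x080484CF: 0}

def build_stack(base, words):
    return {base + WORD * i: w for i, w in enumerate(words)}
ROP_ESP = 0xBFFFF000
# 17 gadgets (the min ROP length on the slides): gadget 1 plus its popped word, then 16 more.
ROP_STACK = build_stack(ROP_ESP, [0x080484F4, 0x0804A014] + [0x080484F6, 0x080484CF] * 8)
# Constructed LBRs, oldest first; the first record is a kernel -> user return (context switch).
NORMAL_LBR = [Branch(0xC0101000, 0x08048400), Branch(0x08048410, 0x080484F4),
              Branch(0x080484F5, 0x080484F6)]
ROP_LBR = [Branch(0xC0101000, 0x08048400)] + [Branch(0x080484F5, g) for g in
           (0x080484F6, 0x080484CF, 0x080484F6, 0x080484CF, 0x080484F6)]
```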
Pre-processing Phase
[Figure: ROPT offline processing phase: arbitrary binary code → disassembly engine → instruction & gadget lists → conversion engine → instruction & gadget bit-vectors]
• 6 bytes each time
• Byte by byte
• Instruction & gadget info
IG Database
• Memory mapping
– syscall interception
– data structure analysis
Architecture
[Figure: architecture. Offline phase: the pre-processor takes the App X binary and its libraries (lib1 … libn) and produces the instruction & gadget database. Run-time phase: the ROPecker kernel module, inside the kernel, uses that database together with the CPU execution trace and the application stack to check the running apps.]
Implementation
• Prototype
– Ubuntu 12.04 with kernel 3.2.0-29
– A kernel module with 7K SLOC
• Checking points
– #PF exception
– Critical system calls
• open, close
• mmap2, munmap, mprotect
• execve
Evaluation
• Accuracy
– Application with ROP attack
– Normal applications
• Performance
– Micro-benchmark
• Cost for system call interception, #PF exception
• Cost for ROP checking
– Macro benchmark
• Benchmark suite
Security Evaluation
• Real attacks
– ROPeme
– HT Editor (exploitDB)
• Generated by Q
– Gadgets inside 253 apps under /bin & /usr/bin
– All detected
SPEC INT2006 Benchmarks: CPU
2.6% performance loss
Disk I/O Performance: Bonnie++
1.56% performance overhead
Network Performance: httpd
Micro Benchmark
Conclusion
• Generic detection of ROP attack
• Sliding window checks
• Implementation & evaluation
Discussions
• Short gadget chain
• Long gadget
• ROP within sliding window
– Dynamic sliding window size
• Dynamically-generated code
• Sliding window thrashing
Download