http://dx.doi.org/10.3745/KTCCS.2013.2.5.217

Indirect Branch Target Address Verification for Defense against Return-Oriented Programming Attacks  

Park, Soohyun (Department of Computer Engineering, Hongik University)
Kim, Sunil (Department of Computer Engineering, Hongik University)
Publication Information
KIPS Transactions on Computer and Communication Systems / v.2, no.5, 2013, pp. 217-222
Abstract
Return-Oriented Programming (ROP) is an advanced code-reuse attack in the same family as return-to-libc. A ROP attack chains together gadgets, short instruction sequences already present in the program's code area, and combines them into arbitrary functionality, so that the resulting "language" of gadgets is Turing-complete. Some previous defenses against ROP attacks incur high performance overhead because they rely on dynamic execution-flow analysis, and they can defend against only certain types of ROP attacks. In this paper, we propose Indirect Branch Target Address Verification (IBTAV). IBTAV detects ROP attacks by checking whether the target addresses of indirect branches are valid. Because IBTAV verifies the target address of every indirect branch instruction, it can defend against almost all ROP attacks. Since IBTAV does not require dynamic execution-flow analysis, its performance overhead is relatively low. Our evaluation of IBTAV on SPEC CPU 2006 shows less than 15% performance overhead.
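To make the mechanism the abstract describes concrete, the following is an added toy model, not the paper's implementation and not code from the authors. It simulates a tiny stack machine whose only indirect branch is RET; a static pass computes the set of valid branch targets (here simplified to function entry points plus the instruction after each CALL, i.e. legitimate return sites), and every RET is checked against that set before control transfers. The instruction set, addresses and the "corrupted stack" contents are all constructed for the illustration; the real IBTAV operates on indirect branch instructions in ELF binaries, and its valid-target set is defined by the paper, not by this simplification.

```python
"""Toy model of IBTAV-style indirect-branch target verification.

Added illustration, not the paper's implementation: a small stack machine
whose RET instruction (the only indirect branch here) is checked against a
statically computed set of valid targets before control transfers.
"""


class ControlFlowViolation(Exception):
    """Raised when an indirect branch targets an address outside the valid set."""


# Constructed program; addresses are indices into PROGRAM, entries are (opcode, operand).
PROGRAM = [
    ("CALL", 4),     # 0: main -> add_one
    ("CALL", 4),     # 1: main -> add_one again
    ("HALT", None),  # 2
    ("NOP", None),   # 3: padding, never reached in normal flow
    ("PUSH", 1),     # 4: add_one entry point
    ("ADD", None),   # 5
    ("RET", None),   # 6
    ("POP", None),   # 7: instruction sequence ending in RET, a "gadget":
    ("RET", None),   # 8: neither a function entry nor a return site
]
FUNCTION_ENTRIES = {4}


def compute_valid_targets(program, function_entries):
    """Static pass: valid indirect-branch targets are function entry points
    plus the instruction immediately after each CALL (legitimate return sites)."""
    return_sites = {pc + 1 for pc, (op, _) in enumerate(program) if op == "CALL"}
    return set(function_entries) | return_sites


def run(program, valid_targets, start_pc=0, stack=None, verify=True, max_steps=100):
    """Execute from start_pc. `stack` models memory an attacker may have
    corrupted; RET pops its target from it. Returns (accumulator, trace of pcs)."""
    stack = list(stack or [])
    acc, pc, trace = 0, start_pc, []
    for _ in range(max_steps):
        op, arg = program[pc]
        trace.append(pc)
        if op == "HALT":
            return acc, trace
        if op == "PUSH":
            stack.append(arg)
            pc += 1
        elif op == "POP":
            acc = stack.pop()
            pc += 1
        elif op == "ADD":
            acc += stack.pop()
            pc += 1
        elif op == "NOP":
            pc += 1
        elif op == "CALL":           # direct call: constant target, nothing to verify
            stack.append(pc + 1)     # push the return address
            pc = arg
        elif op == "RET":            # indirect branch: verify before transferring control
            target = stack.pop()
            if verify and target not in valid_targets:
                raise ControlFlowViolation(f"RET at {pc} to invalid target {target}")
            pc = target
        else:
            raise ValueError(f"unknown opcode {op}")
    raise RuntimeError("step limit exceeded")


def demo():
    valid = compute_valid_targets(PROGRAM, FUNCTION_ENTRIES)
    normal_acc, _ = run(PROGRAM, valid)
    # Constructed corrupted stack: returning through it diverts control to the
    # gadget at 7, loads 99, then returns to HALT. Stack top is the last item.
    forged = [2, 99, 7]
    unverified_acc, unverified_trace = run(PROGRAM, valid, start_pc=6,
                                           stack=forged, verify=False)
    try:
        run(PROGRAM, valid, start_pc=6, stack=forged, verify=True)
        detected = False
    except ControlFlowViolation:
        detected = True
    return {
        "valid_targets": valid,
        "normal_acc": normal_acc,
        "unverified_acc": unverified_acc,
        "unverified_trace": unverified_trace,
        "detected": detected,
    }


if __name__ == "__main__":
    print(demo())
```

Without verification, the corrupted stack drives execution through address 7, an address that is neither a function entry nor a return site, and the machine finishes with an attacker-chosen value; with verification on, the first RET whose target is outside the static set raises a violation, which is the check IBTAV applies to every indirect branch. The check is a set lookup per indirect branch, which is why no dynamic execution-flow analysis is needed.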
Keywords
Program Security; Return-Oriented Programming; Program Transformation