Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy 2017
DOI: 10.1145/3029806.3029812
|View full text |Cite
|
Sign up to set email alerts
|

Detecting ROP with Statistical Learning of Program Characteristics

Abstract: Return-Oriented Programming (ROP) has emerged as one of the most widely used techniques to exploit software vulnerabilities. Unfortunately, existing ROP protections suffer from a number of shortcomings: they require access to source code and compiler support, focus on specific types of gadgets, depend on accurate disassembly and construction of Control Flow Graphs, or use hardware-dependent (microarchitectural) characteristics. In this paper, we propose EigenROP, a novel system to detect ROP payloads based on … Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
1
1
1
1

Citation Types

0
22
1

Year Published

2018
2018
2023
2023

Publication Types

Select...
4
3
2

Relationship

0
9

Authors

Journals

citations
Cited by 23 publications
(23 citation statements)
references
References 19 publications
0
22
1
Order By: Relevance
“…We expect our programs to trigger coarse-grained CFI defenses that monitor branches [30] or microarchitectural effects [35]. As our goal is to protect legitimate software, we expect the user can whitelist such an application, as it was the case for instance with Microsoft EMET and JavaScript JIT compilers from browsers.…”
Section: Discussionmentioning
confidence: 99%
“…We expect our programs to trigger coarse-grained CFI defenses that monitor branches [30] or microarchitectural effects [35]. As our goal is to protect legitimate software, we expect the user can whitelist such an application, as it was the case for instance with Microsoft EMET and JavaScript JIT compilers from browsers.…”
Section: Discussionmentioning
confidence: 99%
“…ROPMEMU [29] offers a method for analyzing sophisticated ROP chains on memory by leveraging multi-path execution. EigenROP [30] is similar to ROPminer in that it uses statistical learning for detection. The difference is that it is based on microarchitecture-independent run-time features.…”
Section: Rop Detection By Dynamic Analysismentioning
confidence: 99%
“…As in previous work on malware detectors [37,47] and debug trace analysers [10,14,59], we add in a channel from the commit stage of the main core, to transport the opcode, program count, instruction commit time and operand data to the GPEs. We also transport hardware counter data [28,30,36,46]. Together, these channels allow a large amount of visibility into execution.…”
Section: Data Channelsmentioning
confidence: 99%
“…Hardware performance counters have been shown to be important for a number of detection techniques [28,30,36]. We give the GPEs access to these values from the main core.…”
Section: Hardware/software Countersmentioning
confidence: 99%