Identification of Return-Oriented Programming Attacks Using RISC-V Instruction Trace Data

Koranek, Daniel; Graham, Steve; Borghetti, Brett J.; Henry, Wayne

doi:10.1109/access.2022.3170479

Cited by 4 publications

(4 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Like DeepCheck, HeNet [122] is a CFI technique that leverages IPT to analyze the execution state of a program, but adopts a hierarchical ensemble of DNNs to enhance ROP detection accuracy. More recently, Koranek et al [123] developed specialized LSTM models to analyze RISC-V ISA execution traces and determine whether they were subject to ROP exploitation.…”

Section: B Influence Of Emerging Technologies 1) Machine Learningmentioning

confidence: 99%

Memory Integrity Techniques for Memory-Unsafe Languages: A Survey

Moghadam,

Serra,

Aromolo

et al. 2024

IEEE Access

View full text Add to dashboard Cite

The complexity of modern software systems, the integration of several software components, and the increasing exposure to public networks make systems more susceptible to cyber-attacks, especially those targeting memory. Memory error exploitation received worldwide attention thanks to the Morris worm in 1988 and has been around for over 30 years. As a matter of fact, attacks that involve memory safety, such as buffer overflows, are still a plague in modern software. The research in countering those kinds of attacks has gone in several directions. This work surveys memory integrity techniques developed during the last quarter century for embedded or general-purpose open-source operating systems, ranging from older mechanisms to state-of-the-art solutions. A comparison of various memory integrity techniques is presented to examine their effectiveness and technical significance. Insights into ongoing trends and developments are also provided to assess their potential impact in the foreseeable future.

show abstract

Section: B Influence Of Emerging Technologies 1) Machine Learningmentioning

confidence: 99%

Memory Integrity Techniques for Memory-Unsafe Languages: A Survey

Moghadam,

Serra,

Aromolo

et al. 2024

IEEE Access

View full text Add to dashboard Cite

show abstract

“…A recent study by Koranek et al (2022) also focused on ROP on RISC-V to proffer solutions towards detection of ROP on RISC-V by using deep learning (DL) models to distinguish features from execution trace. Koranek et al analysed branch patterns in ROP as valuable information towards ROP detection.…”

Section: Related Workmentioning

confidence: 99%

“…In addition to this, the existing protections have not reasonably considered vulnerability of RISC-V-based binaries. Apart from the knowledge of underlying dangers of ROP on RISC-V, recent study by Koranek et al (2022) also presents models that were developed with focus on ROP gadgets as valuable resource for ML towards detection of possible ROP. Understanding of the behaviour of gadgets would be useful in this regard.…”

Section: Introductionmentioning

confidence: 99%

Ret-gadgets in RISC-V-based Binaries Resulting in Traps for Hijackers

Oyinloye

Speakman

Eze

2023

iccws

View full text Add to dashboard Cite

The presence of instructions within executable programs is what makes the binaries executable. However, attackers leverage on the same to achieve some form of Control Flow Hijacking (CFH). Such code re-use attacks have also been found to lead to Denial of Service (DoS). An example of code re-use attack is Return Oriented Programming (ROP) which is caused by passing input crafted as chained sequences of instructions that are already existing as subroutines in the target program. The instructions are called gadgets and they would normally end with ret. The ret instructions enable the flow of hijacked execution from one set of instruction to another within the attacker’s control. There could however be exceptions depending on the structure of the chained gadgets where the chained gadget fails to run its course due to inability of specific gadgets to replace the value in the return address (ra) register. The dangers of chained gadgets are not a new idea but the possibility for an attacker’s gadget chain to fall into a trap during a ROP attack is not commonly addressed. In addition to this, recent studies have revealed that understanding the behaviours of gadgets would be useful for building information base in training machine learning (ML) models to combat ROP. This study explains the behaviour of certain ROP gadgets showing the possibility of occurrence of a loop in execution during exploitation. A sample program which accesses gadgets from the GNU C library (glibc) is used to demonstrate the findings. Gadgets identified with this possibility are poor for chaining as they do not contain instructions to load or move new values to the ra register and would produce unreliable exploits. This would result in a trap for the chained gadgets instead of arbitrary code execution, and DoS on the path of the user. This implies that the impact that a ROP chain could have on a targeted process does not only rely on the underlying system architecture but also on relies on the structure of the chained gadget. In this paper, the RISC-V architecture is the focus, new gadget finders (scripts are available) are presented, and sample of chained gadgets are analysed on a RISC-V -based binary.

show abstract

“…Authors in [1] conducted a thorough investigation to detect a fault using a counter-based built-in self-test strategy in a Rocket RISC-V microprocessor prototyped on FPGA. This study [2] created a dataset of execution traces containing Return Oriented Programming (ROP) exploitation on the RISC-V Instruction Set Architecture and used deep learning AI models like long shortterm memory (LSTM) to distinguish exploited traces from non-exploited traces to detect ROP attacks. The authors in [3] proposed a methodology to perform real-time monitoring of software that kept track of hardware performance counters executing on embedded processors in cyber-physical systems.…”

Section: Introductionmentioning

confidence: 99%

Anomaly Behaviour tracing of CHERI-RISC V using Hardware-Software Co-design

Borowski,

Pal,

Saha

et al. 2023

2023 21st IEEE Interregional NEWCAS Conference (NEWCAS)

View full text Add to dashboard Cite

Capability Hardware Enhanced RISC Instructions (CHERI) is an extension of conventional ISAs with capabilities enabling fine-grained memory protection. Recently, RISC-V ISA has been extended to CHERI-RISC-V (aka Flute) with additional support for CHERI. In this paper, we have proposed a lightweight continuous monitoring system (CMS) based on hardware-software co-design that communicates with the RISC -V to identify any abnormalities in its operational behaviour. The digital hardware of the functionality of CMS and the CHERI Flute RISC-V has been prototyped in the FPGA. The CMS extracts the different features from RISC-V and transmits them to the processing system via an API. Further, an anomaly detection program is being executed by the ARM processor residing in the PS portion of the ZYNQ. This program enables continuous evaluation of the system operation to spot hardware failure or unusual system behaviour. Finally, the complete design has been prototyped and verified on Zynq FPGA ZC706.

show abstract

Identification of Return-Oriented Programming Attacks Using RISC-V Instruction Trace Data

Cited by 4 publications

References 32 publications

Memory Integrity Techniques for Memory-Unsafe Languages: A Survey

Memory Integrity Techniques for Memory-Unsafe Languages: A Survey

Ret-gadgets in RISC-V-based Binaries Resulting in Traps for Hijackers

Anomaly Behaviour tracing of CHERI-RISC V using Hardware-Software Co-design

Contact Info

Product

Resources

About