Title
Inference of peak density of indirect branches to detect ROP attacks.
Abstract
A program subject to a Return-Oriented Programming (ROP) attack usually presents an execution trace with a high frequency of indirect branches. From this observation, several researchers have proposed to monitor the density of these instructions to detect ROP attacks. These techniques use universal thresholds: the density of indirect branches that characterizes an attack is the same for every application. This paper shows that universal thresholds are easy to circumvent. As an alternative, we introduce an inter-procedural semi-context-sensitive static code analysis that estimates the maximum density of indirect branches possible for a program. This analysis determines detection thresholds for each application, thus making it more difficult for attackers to compromise programs via ROP. We have used an implementation of our technique in LLVM to find specific thresholds for the programs in SPEC CPU2006. By comparing these thresholds against actual execution traces of corresponding programs, we demonstrate the accuracy of our approach. Furthermore, our algorithm is practical: it finds an approximate solution to a theoretically undecidable problem, and handles programs with up to 700 thousand assembly instructions in 25 minutes.
Year: 2016
DOI: 10.1145/2854038.2854049
Venue: CGO
Keywords: Return Oriented Programming, Detection, Static Program Analysis, Security
Field: Static program analysis, Computer science, Inference, Parallel computing, Real-time computing, Return-oriented programming, Spec#, Approximate solution, Benchmark (computing), Undecidable problem
DocType: Conference
ISSN: 2164-2397
ISBN: 978-1-5090-4245-6
Citations: 1
PageRank: 0.35
References: 23
Authors: 3
Name | Order | Citations | PageRank
Mateus Tymburibá | 1 | 1 | 0.35
Rubens E. A. Moreira | 2 | 1 | 1.02
Fernando Magno Quintão Pereira | 3 | 216 | 20.03