Paper Info
Title
ROPNN: Detection of ROP Payloads Using Deep Neural Networks.
Abstract
Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code (known as gadgets) to perform arbitrary operations on target machines. Existing detection mechanisms against ROP often rely on certain heuristic rules and/or require instrumentations to the program or the compiler. As a result, they exhibit low detection efficiency and/or have high runtime overhead. In this paper, we present ROPNN, which innovatively combines address space layout guided disassembly and deep neural networks, to detect ROP payloads in HTTP requests, PDF files, and images, etc. The disassembler treats application input data as code pointers to potential gadgets and aims to find any potential gadget chains. The identified potential gadget chains are then classified by the deep neural network as benign or malicious. We propose novel methods to generate the two training datasets, respectively, and process huge amount (TB-level) of raw input data to obtain sufficient training data. Our experiments show that ROPNN has high detection rate (98.3%) while maintaining very low false positive rate (0.01%). To show ROPNN is usable in practical scenario, we also test it against ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools Ropper and ROPC. ROPNN successfully detects all of the 80 exploits. Meanwhile, ROPNN is completely non-intrusive and does not incur any runtime overhead to the protected program.
Year
Venue
Field
2018
arXiv: Cryptography and Security
Address space,Pointer (computer programming),Heuristic,Computer science,Gadget,Compiler,Theoretical computer science,Disassembler,Artificial neural network,Code (cryptography),Embedded system
DocType
Volume
Citations 
Journal
abs/1807.11110
1
PageRank 
References 
Authors
0.34
32
6
Name
Order
Citations
PageRank
Xusheng Li110.34
Zhisheng Hu273.86
Yiwei Fu322.43
Ping Chen419713.22
Minghui Zhu511.02
Peng Liu672.17