ROPocop - Dynamic Mitigation of Code-Reuse Attacks
Andreas Follner, Eric Bodden

TL;DR
ROPocop is a dynamic binary instrumentation tool that detects and prevents code-reuse attacks such as ROP on Windows x86, offering a practical security measure with manageable performance overhead that can be deployed before a patch for the underlying vulnerability is available.
Contribution
It introduces ROPocop, a novel, OS-independent approach for real-time detection and mitigation of code-reuse attacks using dynamic binary instrumentation without source code access.
Findings
Successfully detected all tested real-world exploits
Average overhead of 2.4x on SPEC CPU2006 benchmarks
No false alarms during evaluation
Abstract
Control-flow attacks, usually achieved by exploiting a buffer-overflow vulnerability, have been a serious threat to system security for over fifteen years. Researchers have answered the threat with various mitigation techniques, but nevertheless, new exploits that successfully bypass these technologies still appear on a regular basis. In this paper, we propose ROPocop, a novel approach for detecting and preventing the execution of injected code and for mitigating code-reuse attacks such as return-oriented programming (RoP). ROPocop uses dynamic binary instrumentation, requiring neither access to source code nor debug symbols, nor changes to the operating system. It mitigates attacks both by monitoring the program counter at potentially dangerous points and by detecting suspicious program flows. We have implemented ROPocop for Windows x86 using PIN, a dynamic program instrumentation…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Diamond and Carbon-based Materials Research
