SIGDROP: Signature-based ROP Detection using Hardware Performance Counters
Xueyang Wang, Jerry Backer

TL;DR
SIGDROP is a low-cost, hardware-based method for detecting ROP attacks in real time by identifying unique hardware event patterns using existing performance counters, offering effective security with minimal overhead.
Contribution
This work introduces SIGDROP, a novel ROP detection technique utilizing hardware performance counters to identify attack signatures without requiring hardware modifications or source code access.
Findings
Effectively detects ROP attacks with high accuracy.
Maintains low performance and storage overhead.
Operates on commodity processors without hardware changes.
Abstract
Return-Oriented Programming (ROP) is a software exploit for system compromise. By chaining short instruction sequences from existing code pieces, ROP can bypass static code-integrity checking approaches and non-executable page protections. Existing defenses either require access to source code or binary, a customized compiler or hardware modifications, or suffer from high performance and storage overhead. In this work, we propose SIGDROP, a low-cost approach for ROP detection which uses low-level properties inherent to ROP attacks. Specifically, we observe special patterns of certain hardware events when a ROP attack occurs during program execution. Such hardware event-based patterns form signatures to flag ROP attacks at runtime. SIGDROP leverages Hardware Performance Counters, which are already present in commodity processors, to efficiently capture and extract the signatures. Our…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Diamond and Carbon-based Materials Research
