The never ending war in the stack and the reincarnation of ROP attacks
Ammari Nader, Joan Calvet, Jose M. Fernandez

TL;DR
This paper analyzes existing anti-ROP solutions, identifies their weaknesses, and proposes new runtime Indicators Of Compromise to enhance detection of ROP attacks, which remain a significant security threat.
Contribution
It provides an in-depth review of current anti-ROP defenses and introduces novel runtime IOCs to improve detection accuracy and reduce false negatives.
Findings
Current anti-ROP solutions have significant weaknesses.
Proposed IOCs can detect ROP attacks at runtime.
Analysis highlights the need for improved detection mechanisms.
Abstract
Return Oriented Programming (ROP) is a technique by which an attacker can induce arbitrary behavior inside a vulnerable program without injecting malicious code. The continued failure of the currently deployed defenses against ROP has again made it one of the most powerful memory corruption attacks. ROP is also considered one of the most flexible attacks: unlike other code-reuse attacks, it can reach Turing completeness. Several efforts have been undertaken to study this threat and to propose better defense mechanisms (mitigation or prevention), yet the majority of them have been neither deeply reviewed nor officially implemented. Furthermore, similar studies show that the techniques proposed to prevent ROP-based exploits usually yield a high false-negative rate and an even higher false-positive rate, not to mention the overhead that they introduce into the protected…
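The abstract says that deployed anti-ROP techniques suffer from high false-negative rates but does not spell out any particular check, and the paper's own runtime IOCs are not described on this page. The following C program is an added example, not code from the paper or its authors: it implements one classic runtime indicator from the anti-ROP literature, the "call-preceded return" check (a return address is suspicious if the bytes immediately before it do not decode to a call instruction), over a small constructed x86-64 code image and two constructed stack snapshots. The code bytes, gadget offsets and chains are all made up for the illustration. The second chain uses only call-preceded gadgets and passes the check, which is one concrete way such a heuristic produces a false negative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed x86-64 code image (not taken from any real binary). Offsets:
 *  0: 48 89 c7          mov rdi, rax
 *  3: e8 00 00 00 00    call <rel32>   -> offset 8 is a legitimate return site
 *  8: 5f                pop rdi        (gadget A, call-preceded)
 *  9: c3                ret
 * 10: 58                pop rax        (gadget B, preceded by a ret: NOT call-preceded)
 * 11: c3                ret
 * 12: ff d0             call rax
 * 14: c3                ret            (gadget C, call-preceded because of the call at 12)
 */
static const uint8_t CODE[] = {
    0x48, 0x89, 0xc7,
    0xe8, 0x00, 0x00, 0x00, 0x00,
    0x5f, 0xc3,
    0x58, 0xc3,
    0xff, 0xd0, 0xc3,
};
#define CODE_LEN (sizeof CODE)

/* Does a call instruction end exactly at `ret_off`? This recognises a practical subset
 * of x86-64 call encodings by looking backwards from the return address:
 *   E8 rel32                (5 bytes)  direct near call
 *   FF /2, modrm D0..D7     (2 bytes)  call reg
 *   41 FF /2, modrm D0..D7  (3 bytes)  call r8..r15 (REX.B prefix)
 *   FF 15 disp32            (6 bytes)  call [rip+disp32]
 * Backward disassembly is inherently ambiguous on x86 (an E8 byte may belong to an
 * immediate of another instruction), which is one source of false positives for this
 * class of check; a production implementation would need a full decoder. */
bool is_call_preceded(const uint8_t *code, size_t len, size_t ret_off)
{
    if (ret_off > len) return false;
    const uint8_t *p = code + ret_off;
    if (ret_off >= 5 && p[-5] == 0xe8) return true;
    if (ret_off >= 2 && p[-2] == 0xff && p[-1] >= 0xd0 && p[-1] <= 0xd7) return true;
    if (ret_off >= 3 && p[-3] == 0x41 && p[-2] == 0xff && p[-1] >= 0xd0 && p[-1] <= 0xd7) return true;
    if (ret_off >= 6 && p[-6] == 0xff && p[-5] == 0x15) return true;
    return false;
}

/* Count return addresses in a (constructed) stack snapshot that are not call-preceded.
 * A legitimate call/return stack yields 0; a naive ROP chain built from arbitrary
 * "pop; ret" gadgets yields more than 0. */
size_t count_violations(const size_t *ret_addrs, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_call_preceded(CODE, CODE_LEN, ret_addrs[i]))
            bad++;
    return bad;
}

/* Constructed stack snapshots (return addresses as offsets into CODE). */
static const size_t NAIVE_CHAIN[]   = {8, 10, 14};  /* uses gadget B, which is not call-preceded */
static const size_t EVASIVE_CHAIN[] = {8, 14};      /* only call-preceded gadgets: evades the check */

int main(void)
{
    printf("naive chain:   %zu non-call-preceded return(s)\n", count_violations(NAIVE_CHAIN, 3));
    printf("evasive chain: %zu non-call-preceded return(s)\n", count_violations(EVASIVE_CHAIN, 2));
    return 0;
}
```

The evasive chain is exactly the false-negative case the abstract alludes to: an attacker who restricts the gadget set to instructions that happen to follow a call site leaves no non-call-preceded return address for this indicator to flag, so a defense relying on it alone detects nothing.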
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Diamond and Carbon-based Materials Research
