Publications

Type of Publication: Article in Collected Edition

Check My Profile: Leveraging Static Analysis for Fast and Accurate Detection of ROP Gadgets

Author(s):
Stancill, Blaine; Snow, Kevin; Otterness, Nathan; Monrose, Fabian; Davi, Lucas; Sadeghi, Ahmad-Reza
Title of Anthology:
Proc. of 16th Research in Attacks, Intrusions and Defenses (RAID) Symposium
Publication Date:
2013
Digital Object Identifier (DOI):
doi:10.1007/978-3-642-41284-4_4

Abstract

Return-oriented programming (ROP) offers a powerful technique for undermining state-of-the-art security mechanisms, including non-executable memory and address space layout randomization. To mitigate this daunting attack strategy, several in-built defensive mechanisms have been proposed. In this work, we instead focus on detection techniques that do not require any modification to end-user platforms. Specifically, we propose a novel framework that efficiently analyzes documents (PDF, Office, or HTML files) and detects whether they contain a return-oriented programming payload. To do so, we provide advanced techniques for taking memory snapshots of a target application, efficiently transferring the snapshots to a host system, as well as novel static analysis and filtering techniques to identify and profile chains of code pointers referencing ROP gadgets that may even reside in randomized libraries. Our evaluation of over 7,662 benign and 57 malicious documents demonstrates that we can perform such analysis accurately and expeditiously, with the vast majority of documents analyzed in about 3 seconds.