ROPMEMU: A Framework for the Analysis of Complex Code-Reuse Attacks
| Title | ROPMEMU: A Framework for the Analysis of Complex Code-Reuse Attacks |
| Publication Type | Conference Paper |
| Year of Publication | 2016 |
| Authors | Graziano, Mariano, Balzarotti, Davide, Zidouemba, Alain |
| Conference Name | Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security |
| Publisher | ACM |
| Conference Location | New York, NY, USA |
| ISBN Number | 978-1-4503-4233-9 |
| Keywords | CFQ recovery, Chained Attacks, composability, emulation, memory forensics, Metrics, multi-path, pubcrawl, Resiliency, ROP, rop attacks, Scalability |
| Abstract | Code reuse attacks based on return oriented programming (ROP) are becoming more and more prevalent every year. They started as a way to circumvent operating systems protections against injected code, but they are now also used as a technique to keep the malicious code hidden from detection and analysis systems. This means that while in the past ROP chains were short and simple (and therefore did not require any dedicated tool for their analysis), we recently started to observe very complex algorithms - such as a complete rootkit - implemented entirely as a sequence of ROP gadgets. In this paper, we present a set of techniques to analyze complex code reuse attacks. First, we identify and discuss the main challenges that complicate the reverse engineer of code implemented using ROP. Second, we propose an emulation-based framework to dissect, reconstruct, and simplify ROP chains. Finally, we test our tool on the most complex example available to date: a ROP rootkit containing four separate chains, two of them dynamically generated at runtime. |
| URL | http://doi.acm.org/10.1145/2897845.2897894 |
| DOI | 10.1145/2897845.2897894 |
| Citation Key | graziano_ropmemu:_2016 |