POSTER: Static ROP Chain Detection Based on Hidden Markov Model Considering ROP Chain Integrity

Title: POSTER: Static ROP Chain Detection Based on Hidden Markov Model Considering ROP Chain Integrity
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Usui, Toshinori; Ikuse, Tomonori; Iwamura, Makoto; Yada, Takeshi
Conference Name: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4139-4
Keywords: attack code detection, Chained Attacks, hidden Markov model, pubcrawl, resilience, return-oriented programming, Scalability
Abstract: Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of operating systems. It is currently used in malicious documents that exploit viewer applications and cause malware infection. For inspecting a large number of commonly handled documents, high-performance and flexible detection methods are required. However, current solutions are either time-consuming or less precise. In this paper, we propose a novel method for statically detecting ROP chains in malicious documents. Our method generates a hidden Markov model (HMM) of ROP chains as well as one of benign documents by learning known malicious and benign documents and libraries used for ROP gadgets. Detection is performed by calculating the likelihood ratio between malicious and benign HMMs. In addition, we reduce the number of false positives by ROP chain integrity checking, which confirms whether ROP gadgets link properly if they are executed. Experimental results showed that our method can detect ROP-based malicious documents with no false negatives and few false positives at high throughput.
URL: http://doi.acm.org/10.1145/2976749.2989040
DOI: 10.1145/2976749.2989040
Citation Key: usui_poster:_2016