Visible to the public Inference of Peak Density of Indirect Branches to Detect ROP Attacks

TitleInference of Peak Density of Indirect Branches to Detect ROP Attacks
Publication TypeConference Paper
Year of Publication2016
AuthorsTymburibá, Mateus, Moreira, Rubens E. A., Quintão Pereira, Fernando Magno
Conference NameProceedings of the 2016 International Symposium on Code Generation and Optimization
PublisherACM
Conference LocationNew York, NY, USA
ISBN Number978-1-4503-3778-6
Keywordscomposability, detection, Human Behavior, Metrics, pubcrawl, Resiliency, return oriented programming, rop attacks, Scalability, Securing Compilers, security, static code analysis, static program analysis's
Abstract

A program subject to a Return-Oriented Programming (ROP) attack usually presents an execution trace with a high frequency of indirect branches. From this observation, several researchers have proposed to monitor the density of these instructions to detect ROP attacks. These techniques use universal thresholds: the density of indirect branches that characterizes an attack is the same for every application. This paper shows that universal thresholds are easy to circumvent. As an alternative, we introduce an inter-procedural semi-context-sensitive static code analysis that estimates the maximum density of indirect branches possible for a program. This analysis determines detection thresholds for each application; thus, making it more difficult for attackers to compromise programs via ROP. We have used an implementation of our technique in LLVM to find specific thresholds for the programs in SPEC CPU2006. By comparing these thresholds against actual execution traces of corresponding programs, we demonstrate the accuracy of our approach. Furthermore, our algorithm is practical: it finds an approximate solution to a theoretically undecidable problem, and handles programs with up to 700 thousand assembly instructions in 25 minutes.

URLhttp://doi.acm.org/10.1145/2854038.2854049
DOI10.1145/2854038.2854049
Citation Keytymburiba_inference_2016