Defending return-oriented programming based on virtualization techniques

Xiaoqi Jia, Rui Wang, Jun Jiang, Shengzhi Zhang, Peng Liu

Research output: Contribution to journal (Article)

6 Citations (Scopus)

Abstract

Over the past few years, return-oriented programming (ROP) has drawn great attention from both academia and industry. Because of its Turing completeness, ROP reuses short instruction sequences already present in the victim program's address space to perform arbitrary computation. Hence, it can successfully bypass state-of-the-art code integrity check mechanisms. In this paper, we look into using virtualization technologies to defeat return-oriented programming. We design and implement HyperCropII, a virtualization-based automatic runtime approach to defend against such attacks. ROP attackers extract short instruction sequences ending in ret, called "gadgets", and craft stack content to "chain" these gadgets together. We observe that a key characteristic of ROP is to fill the stack with plenty of addresses that are within the range of the program's libraries. Accordingly, we inspect the content of the stack to see if a potential ROP attack exists and quarantine the damage for further security purposes. We have implemented a proof-of-concept system based on the open source Xen hypervisor. The evaluation results show that our solution is effective and efficient.

Original language: English (US)
Pages (from-to): 1236-1249
Number of pages: 14
Journal: Security and Communication Networks
Volume: 6
Issue number: 10
DOI: 10.1002/sec.693
State: Published - Jan 1 2013

Fingerprint

Computer programming
Industry
Virtualization

All Science Journal Classification (ASJC) codes

  • Information Systems
  • Computer Networks and Communications

Cite this

Jia, Xiaoqi ; Wang, Rui ; Jiang, Jun ; Zhang, Shengzhi ; Liu, Peng. / Defending return-oriented programming based on virtualization techniques. In: Security and Communication Networks. 2013 ; Vol. 6, No. 10. pp. 1236-1249.
@article{a240a3511370486b87e0e5684228b05e,
title = "Defending return-oriented programming based on virtualization techniques",
abstract = "Over the past few years, return-oriented programming (ROP) has drawn great attention of both academia and industry. Because of its Turing completeness, ROP reuses short instruction sequences already present in the victim program's address space to perform arbitrary computation. Hence, it can successfully bypass state-of-the-art code integrity check mechanisms. In this paper, we look into using virtualization technologies to defeat return-oriented programming. We design and implement HyperCropII, a virtualization-based automatic runtime approach to defend such attacks. ROP attackers extract short instruction sequences ending in ret called {"}gadgets{"} and craft stack content to {"}chain{"} these gadgets together. We observe that a key characteristic of ROP is to fill the stack with plenty of addresses that are within the range of the program's libraries. Accordingly, we inspect the content of the stack to see if a potential ROP attack exists and quarantine the damages for further security purposes. We have implemented a proof-of-concept system based on the open source Xen hypervisor. The evaluation results exhibit that our solution is effective and efficient.",
author = "Xiaoqi Jia and Rui Wang and Jun Jiang and Shengzhi Zhang and Peng Liu",
year = "2013",
month = "1",
day = "1",
doi = "10.1002/sec.693",
language = "English (US)",
volume = "6",
pages = "1236--1249",
journal = "Security and Communication Networks",
issn = "1939-0122",
publisher = "John Wiley and Sons Inc.",
number = "10",

}

TY - JOUR

T1 - Defending return-oriented programming based on virtualization techniques

AU - Jia, Xiaoqi

AU - Wang, Rui

AU - Jiang, Jun

AU - Zhang, Shengzhi

AU - Liu, Peng

PY - 2013/1/1

Y1 - 2013/1/1

AB - Over the past few years, return-oriented programming (ROP) has drawn great attention of both academia and industry. Because of its Turing completeness, ROP reuses short instruction sequences already present in the victim program's address space to perform arbitrary computation. Hence, it can successfully bypass state-of-the-art code integrity check mechanisms. In this paper, we look into using virtualization technologies to defeat return-oriented programming. We design and implement HyperCropII, a virtualization-based automatic runtime approach to defend such attacks. ROP attackers extract short instruction sequences ending in ret called "gadgets" and craft stack content to "chain" these gadgets together. We observe that a key characteristic of ROP is to fill the stack with plenty of addresses that are within the range of the program's libraries. Accordingly, we inspect the content of the stack to see if a potential ROP attack exists and quarantine the damages for further security purposes. We have implemented a proof-of-concept system based on the open source Xen hypervisor. The evaluation results exhibit that our solution is effective and efficient.

UR - http://www.scopus.com/inward/record.url?scp=84884717431&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84884717431&partnerID=8YFLogxK

U2 - 10.1002/sec.693

DO - 10.1002/sec.693

M3 - Article

AN - SCOPUS:84884717431

VL - 6

SP - 1236

EP - 1249

JO - Security and Communication Networks

JF - Security and Communication Networks

SN - 1939-0122

IS - 10

ER -