ROPecker: A Generic and Practical Approach For Defending Against ROP Attack

Abstract—Return-Oriented Programming (ROP) is a sophis-ticated exploitation technique that is able to drive target applica-tions to perform arbitrary unintended operations by constructing a gadget chain reusing existing small code sequences (gadgets). Existing defense mechanisms either only handle specific types of gadgets, require access to source code and/or a customized compiler, break the integrity of application binary, or suffer from high performance overhead. In this paper, we present a novel system, ROPecker, to efficiently and effectively defend against ROP attacks withou

APTs way: evading Your EBNIDS

APTs and government-supported attackers use a broad arsenal of techniques to avoid having their exploits detected by IDSes. Signature Based IDSes are not efficient against nation-state-sponsored attackers which use custom shellcode encoders in an exploit. Emulation Based NIDSes (EBNIDS) have been proposed as a solution to mitigate such attacks. EBNISes detect a suspicious network stream (pre-processing) and after converting them to emulate-able byte sequences run it in an instrumented environment (Emulation), finally matching the behavior with certain heuristics (Heuristics Detection). In this talk, we will present novel ways that an APT might use to circumvente the Pre-Processing, Emulation and Heuristic Detection steps of EBNIDSes by employing a wide range of evasion techniques

ROP Payload Detection Using Speculative Code Execution

The prevalence of code injection attacks has led to the wide adoption of exploit mitigations based on nonexecutable memory pages. In turn, attackers are increasingly relying on return-oriented programming (ROP) to bypass these protections. At the same time, existing detection techniques based on shellcode identification are oblivious to this new breed of exploits, since attack vectors may not contain binary code anymore. In this paper, we present a detection method for the identification of ROP payloads in arbitrary data such as network traffic or process memory buffers. Our technique speculatively drives the execution of code that already exists in the address space of a targeted process according to the scanned input data, and identifies the execution of valid ROP code at runtime. Our experimental evaluation demonstrates that our prototype implementation can detect a broad range of ROP exploits against Windows applications without false positives, while it can be easily integrated into existing defenses based on shellcode detection.

Identifying Code Injection and Reuse Payloads In Memory Error Exploits

Today's most widely exploited applications are the web browsers and document readers we use every day. The immediate goal of these attacks is to compromise target systems by executing a snippet of malicious code in the context of the exploited application. Technical tactics used to achieve this can be classified as either code injection - wherein malicious instructions are directly injected into the vulnerable program - or code reuse, where bits of existing program code are pieced together to form malicious logic. In this thesis, I present a new code reuse strategy that bypasses existing and up-and-coming mitigations, and two methods for detecting attacks by identifying the presence of code injection or reuse payloads. Fine-grained address space layout randomization efficiently scrambles program code, limiting one's ability to predict the location of useful instructions to construct a code reuse payload. To expose the inadequacy of this exploit mitigation, a technique for "just-in-time" exploitation is developed. This new technique maps memory on-the-fly and compiles a code reuse payload at runtime to ensure it works in a randomized application. The attack also works in face of all other widely deployed mitigations, as demonstrated with a proof-of-concept attack against Internet Explorer 10 in Windows 8. This motivates the need for detection of such exploits rather than solely relying on prevention. Two new techniques are presented for detecting attacks by identifying the presence of a payload. Code reuse payloads are identified by first taking a memory snapshot of the target application, then statically profiling the memory for chains of code pointers that reuse code to implement malicious logic. Code injection payloads are identified with runtime heuristics by leveraging hardware virtualization for efficient sandboxed execution of all buffers in memory. Employing both detection methods together to scan program memory takes about a second and produces negligible false positives and false negatives provided that the given exploit is functional and triggered in the target application version. Compared to other strategies, such as the use of signatures, this approach requires relatively little effort spent on maintenance over time and is capable of detecting never before seen attacks. Moving forward, one could use these contributions to form the basis of a unique and effective network intrusion detection system (NIDS) to augment existing systems.Doctor of Philosoph