977 research outputs found
ROPocop - Dynamic Mitigation of Code-Reuse Attacks
Control-flow attacks, usually achieved by exploiting a buffer-overflow
vulnerability, have been a serious threat to system security for over fifteen
years. Researchers have answered the threat with various mitigation techniques,
but nevertheless, new exploits that successfully bypass these technologies
still appear on a regular basis.
In this paper, we propose ROPocop, a novel approach for detecting and
preventing the execution of injected code and for mitigating code-reuse attacks
such as return-oriented programming (RoP). ROPocop uses dynamic binary
instrumentation, requiring neither access to source code nor debug symbols or
changes to the operating system. It mitigates attacks by both monitoring the
program counter at potentially dangerous points and by detecting suspicious
program flows.
We have implemented ROPocop for Windows x86 using PIN, a dynamic program
instrumentation framework from Intel. Benchmarks using the SPEC CPU2006 suite
show an average overhead of 2.4x, which is comparable to similar approaches,
which give weaker guarantees. Real-world applications show only an initially
noticeable input lag and no stutter. In our evaluation our tool successfully
detected all 11 of the latest real-world code-reuse exploits, with no false
alarms. Therefore, despite the overhead, it is a viable, temporary solution to
secure critical systems against exploits if a vendor patch is not yet
available
- …