Detecting Code Reuse Attacks with a Model of Conformant Program Execution [chapter]

Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller
2014 Lecture Notes in Computer Science  
Code reuse attacks circumvent traditional program protection mechanisms such as W ⊕ X by constructing exploits from code already present within a process. Existing techniques to defend against these attacks provide ad hoc solutions or lack in features necessary to provide comprehensive and adoptable solutions. We present a systematic approach based on first principles for the efficient, robust detection of these attacks; our work enforces expected program behavior instead of defending against
more » ... ticipated attacks. We define conformant program execution (CPE) as a set of requirements on program states. We demonstrate that code reuse attacks violate these requirements and thus can be detected; further, new exploit variations will not circumvent CPE. To provide an efficient and adoptable solution, we also define observed conformant program execution, which validates program state at system call invocations; we demonstrate that this relaxed model is sufficient to detect code reuse attacks. We implemented our algorithm in a tool, ROPStop, which operates on unmodified binaries, including running programs. In our testing, ROPStop accurately detected real exploits while imposing low overhead on a set of modern applications: 5.3% on SPEC CPU2006 and 6.3% on an Apache HTTP Server.
doi:10.1007/978-3-319-04897-0_1 fatcat:j2orydo2qjeqhf3kmn22misxba