Improvement and Weakness of Zero-Sum Defender against Return-Oriented Programming Attacks

Donghoon LEE  Jaewook JUNG  Younsung CHOI  Dongho WON  

Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences   Vol.E99-A   No.12   pp.2585-2590
Publication Date: 2016/12/01
Online ISSN: 1745-1337
DOI: 10.1587/transfun.E99.A.2585
Type of Manuscript: LETTER
Category: Cryptography and Information Security
Keyword: 
return-oriented programming,  exploit code,  malware defense,  software security,  

Full Text: PDF(828.6KB)>>
Buy this Article




Summary: 
Return-oriented programming (ROP) attacks, which have been increasing in number recently, are an exploitation technique that can bypass non-executable page protection methods by using codes that exist within benign programs or modules. There have been many studies on defense against ROP attacks, but most of them have high overhead or high time complexity in terms of the detection of gadgets. In this letter, we suggest an ROP defense technique which is fast, space-efficient, and of lower detection time complexity; it uses a compiler-based approach. The most recent ROP defense technique is a compiler-based zero-sum defender suggested by Kim et al., achieving very low overhead. However, it still did not solve the issue of time complexity regarding detection. Our technique performs a specific computation to identify gadgets at the resetting position immediately before and after a return instruction. This method can efficiently identify a series of gadgets performed without calls and defend against them. In our experiment, the performance overhead was 1.62% and the file size overhead was 4.60%; our proposed technique achieved O(1) in terms of time complexity while having almost the same overhead as the zero-sum defender.