Abstract: Existing approaches to detecting return-oriented programming (ROP) attacks cannot simultaneously provide flexible deployment, portability, and transparent detection in a cloud environment. A hardware-assisted method was developed to detect ROP attacks in real time: it uses the Intel last branch record (LBR) hardware feature to record the indirect branch information of a guest virtual machine (VM), so that gadget attack chains can be detected rapidly in the hypervisor. In the privileged domain, the method uses virtual machine introspection (VMI) to validate the legitimacy of indirect branches, guaranteeing the control flow integrity of the shared link library in the process address space of the guest VM. Tests show that the method detects ROP attacks with an average run-time overhead of less than 7%.
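As an added illustration (not code from the paper), the following C fragment shows the two legitimacy checks the abstract describes, applied to a constructed LBR window: a return target must be preceded by a call, an indirect call or jump must land on an exported entry point of the shared library, and a run of consecutive violations is the gadget-chain signal the hypervisor looks for. The library bytes, the symbol table and the LBR records are constructed, and the call-encoding check is simplified to E8 rel32 and FF /2.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef struct { uint64_t from, to; } lbr_entry_t; /* one LBR FROM_IP/TO_IP pair */

/* Constructed bytes of a guest shared library at LIB_BASE, as the hypervisor reads them via VMI.
   +0 call rel32; +5 mov rbx,rax; +8 ret; +9 pop rax;ret; +11 pop rdi;ret; +13 pop rsi;ret; +15 jmp rax */
#define LIB_BASE 0x7f0000001000ULL
static const uint8_t lib_code[] = { 0xe8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc3, 0xc3,
                                    0x58, 0xc3, 0x5f, 0xc3, 0x5e, 0xc3, 0xff, 0xe0 };
/* Exported entry points (constructed symbol table): the only valid indirect call/jmp targets. */
static const uint64_t lib_entries[] = { LIB_BASE + 0, LIB_BASE + 5 };

static bool byte_at(uint64_t addr, uint8_t *out) {          /* bounded VMI read of one code byte */
    if (addr < LIB_BASE || addr - LIB_BASE >= sizeof lib_code) return false;
    *out = lib_code[addr - LIB_BASE]; return true;
}
/* A return is legitimate only if its target follows a call: E8 rel32 or FF /2 (simplified). */
static bool call_preceded(uint64_t to) {
    uint8_t op, modrm;
    if (byte_at(to - 5, &op) && op == 0xe8) return true;
    return byte_at(to - 2, &op) && byte_at(to - 1, &modrm) && op == 0xff && ((modrm >> 3) & 7) == 2;
}
static bool is_entry_point(uint64_t to) { return to == lib_entries[0] || to == lib_entries[1]; }

/* Decode the branch at FROM: 1 = legitimate, 0 = illegitimate, -1 = not a checked branch type. */
static int classify(const lbr_entry_t *e) {
    uint8_t op, modrm;
    if (!byte_at(e->from, &op)) return -1;
    if (op == 0xc3) return call_preceded(e->to);                    /* ret */
    if (op == 0xff && byte_at(e->from + 1, &modrm)) {               /* FF /2 call, FF /4 jmp */
        int reg = (modrm >> 3) & 7;
        if (reg == 2 || reg == 4) return is_entry_point(e->to);
    }
    return -1;
}
/* Longest run of consecutive illegitimate indirect branches in the window: the gadget-chain signal.
   The hypervisor raises an alert when this run reaches its chain-length threshold. */
size_t rop_chain_length(const lbr_entry_t *lbr, size_t n) {
    size_t run = 0, longest = 0;
    for (size_t i = 0; i < n; i++) {
        int c = classify(&lbr[i]);
        if (c == 1) run = 0;
        else if (c == 0 && ++run > longest) longest = run;
    }
    return longest;
}
/* Constructed LBR window: two benign branches, then a four-gadget chain (chain length 4). */
const lbr_entry_t sample_trace[] = {
    { LIB_BASE + 8, LIB_BASE + 5 }, { LIB_BASE + 15, LIB_BASE + 0 }, { LIB_BASE + 10, LIB_BASE + 11 },
    { LIB_BASE + 12, LIB_BASE + 13 }, { LIB_BASE + 14, LIB_BASE + 9 }, { LIB_BASE + 15, LIB_BASE + 11 } };
const size_t sample_len = sizeof sample_trace / sizeof sample_trace[0];
```

A production checker decodes every call encoding and measures gadget length in instructions rather than trusting two opcode patterns, but the structure of the decision is the same.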