Journal of Tsinghua University(Science and Technology)    2018, Vol. 58 Issue (3) : 237-242     DOI: 10.16511/j.cnki.qhdxxb.2018.26.008
COMPUTER SCIENCE AND TECHNOLOGY
Hardware-assisted ROP attack detection on cloud platforms
WANG Lina, ZHOU Weikang, LIU Weijie, YU Rongwei
Key Laboratory of Aerospace Information and Trusted Computing, Ministry of Education, School of Computer, Wuhan University, Wuhan 430072, China
Abstract  Existing approaches for detecting return oriented programming (ROP) attacks cannot simultaneously provide flexible deployment, portability, and transparent detection in the cloud environment. A hardware-assisted method was developed to detect ROP attacks in real time. It uses the Intel last branch record (LBR) hardware feature to record indirect branch information of a guest virtual machine (VM), which allows rapid detection of gadget attack chains in the hypervisor. In the privileged domain, the method uses virtual machine introspection (VMI) to validate the legitimacy of indirect branches, guaranteeing the control flow integrity of the shared link library in the process address space of the guest VM. Tests show that this method can detect ROP attacks with an average run-time overhead of less than 7%.
Keywords: cloud platform; return oriented programming (ROP) detection; control flow integrity; last branch record
ZTFLH:  TP309.2  
Issue Date: 15 March 2018
Cite this article:   
WANG Lina,ZHOU Weikang,LIU Weijie, et al. Hardware-assisted ROP attack detection on cloud platforms[J]. Journal of Tsinghua University(Science and Technology), 2018, 58(3): 237-242.
URL:
http://jst.tsinghuajournals.com/EN/10.16511/j.cnki.qhdxxb.2018.26.008 OR http://jst.tsinghuajournals.com/EN/Y2018/V58/I3/237
Copyright © Journal of Tsinghua University(Science and Technology), All Rights Reserved.