Defending against Return-Oriented Programming
Return-oriented programming (ROP) has become the primary exploitation technique for system compromise in the presence of non-executable page protections. ROP exploits are facilitated mainly by the lack of complete address space randomization coverage or the presence of memory disclosure vulnerabilities, necessitating additional ROP-specific mitigations. Existing defenses against ROP exploits either require source code or symbolic debugging information, or impose a significant runtime overhead, which limits their applicability for the protection of third-party applications.
We propose two novel techniques to prevent ROP exploits on third-party applications without requiring their source code or debug symbols, while at them same time incurring a minimal performance overhead. The first technique, in-place code randomization, uses various narrow-scope code transformations that can be applied statically, without changing the location of basic blocks, allowing the safe randomization of stripped binaries even with partial disassembly coverage. The second technique is based on the detection of abnormal control transfers that take place during ROP code execution. This is achieved using hardware features of commodity processors, which incur negligible runtime overhead and allow for completely transparent operation without requiring any modifications to the protected applications. To demonstrate their practical value, we built prototypes for the latest version of Windows, which is the most targeted platform for this type of attacks. Our evaluation using publicly available ROP exploits demonstrates that our techniques prevent the exploitation of vulnerable Windows 7 applications, with a performance overhead ranging from zero to 1% on average.
Slides: [ pptx ]