Technical Field
The present invention relates generally to the detection and prevention of return-oriented programming (ROP) attacks, and more particularly, to the transparent detection, extraction, and prevention of ROP attacks based on code and/or stack inconsistency.
Description of the Related Art
Return-oriented programming (ROP) is one of the most sophisticated and powerful modern attack techniques, and it can bypass state-of-the-art defense mechanisms such as data execution prevention (DEP) and address space layout randomization (ASLR): instead of injecting new code, the attacker chains short instruction sequences ("gadgets") that already exist in executable memory, so DEP has nothing to block, and in practice ASLR is defeated by combining the chain with an address leak or a non-randomized module. This strength has made ROP popular in modern attacks and exploits. Several approaches have been proposed to detect ROP attacks, but conventional approaches can only detect an attack after it has occurred, i.e., after gadgets have already executed. Moreover, most approaches require an understanding of the program to be protected, such as analysis of its control flow (e.g., disassembly of the binary or of the source code) and instrumentation of the program with security-enhancing code. Such requirements cannot always be met in production environments, where programs are deployed without supporting information (e.g., source code).
One conventional approach (e.g., kBouncer) detects ROP attacks using indirect branch tracing offered by hardware features of commodity processors (e.g., Last Branch Recording (LBR) in Intel CPUs), which stores the source and target addresses of the most recently taken branches in a small set of model-specific registers. At a checkpoint such as a system call, kBouncer inspects the return instructions recorded in these registers and checks whether the target of each return is preceded by a call instruction: a legitimate return lands immediately after the call that created its stack frame, whereas the return at the end of a ROP gadget lands at the start of the next gadget. Another conventional approach (e.g., ROPecker) detects ROP attacks by identifying a long sequence of ROP gadgets chained together, discovered from the Last Branch Records of modern CPUs. This approach requires pre-processing of the ROP gadgets contained in the program binary and related libraries; using this gadget information together with the return addresses in the last branches, it determines whether a long chain exists. However, both of these conventional approaches can only detect a ROP attack after ROP gadgets have already executed, because the branch records are inspected only after the branches have been taken.
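The two checks described above, as an added example that is not part of the patent and not the code of kBouncer or ROPecker: a toy model that runs a call-preceded check and a gadget-chain-length check over a constructed x86-64 code image and constructed LBR snapshots. The image, the gadget table (standing in for the offline pre-processing the text mentions), the LBR contents, and the handful of call encodings that are decoded are all assumptions made for the example.

```c
/* Added example (not from the patent, kBouncer, or ROPecker): a toy model of the
 * two LBR-based checks, run over a constructed x86-64 code image and constructed
 * LBR snapshots.  Only a few call encodings are decoded, and the gadget table is
 * hand-written in place of the offline pre-processing the page mentions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct lbr_entry { uint32_t from; uint32_t to; };   /* branch source, branch target */
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed code image; array offsets serve as addresses. */
static const uint8_t image[] = {
/*00*/ 0x55,                          /* push rbp                       */
/*01*/ 0xE8, 0x0A, 0x00, 0x00, 0x00,  /* call 0x10 (rel32)              */
/*06*/ 0x90,                          /* nop  <- legitimate return site */
/*07*/ 0xFF, 0xD0,                    /* call rax                       */
/*09*/ 0x90,                          /* nop  <- legitimate return site */
/*0a*/ 0x5D,                          /* pop rbp                        */
/*0b*/ 0xC3,                          /* ret                            */
/*0c*/ 0x90, 0x90, 0x90, 0x90,        /* padding                        */
/*10*/ 0x48, 0x31, 0xC0,              /* xor rax, rax  (callee)         */
/*13*/ 0xC3,                          /* ret                            */
/*14*/ 0x5F, 0xC3,                    /* pop rdi ; ret   (gadget)       */
/*16*/ 0x58, 0xC3,                    /* pop rax ; ret   (gadget)       */
/*18*/ 0x5E, 0xC3,                    /* pop rsi ; ret   (gadget)       */
/*1a*/ 0x0F, 0x05, 0xC3,              /* syscall ; ret   (gadget)       */
};

/* Constructed gadget table, as offline pre-processing of the binary would produce. */
static const uint32_t gadget_table[] = { 0x14, 0x16, 0x18, 0x1A };

/* Constructed LBR snapshots as inspected at a checkpoint (e.g. a system call). */
static const struct lbr_entry benign_lbr[] = {
    { 0x01, 0x10 }, { 0x13, 0x06 },   /* call 0x10, return to just after it */
    { 0x07, 0x10 }, { 0x13, 0x09 },   /* call rax, return to just after it  */
};
static const struct lbr_entry attack_lbr[] = {
    { 0x0B, 0x14 },                   /* hijacked ret -> pop rdi ; ret      */
    { 0x15, 0x16 }, { 0x17, 0x18 },   /* gadget ret -> next gadget ...      */
    { 0x19, 0x1A },                   /* ... -> syscall ; ret               */
};

/* Does a call instruction end exactly at `target`?  Recognises call rel32,
 * call reg (with or without REX), call [reg+disp8], and call [rip+disp32]. */
int call_preceded(const uint8_t *code, size_t len, uint32_t target)
{
    if (target > len) return 0;
    if (target >= 5 && code[target - 5] == 0xE8) return 1;                    /* E8 rel32       */
    if (target >= 2 && code[target - 2] == 0xFF &&
        (code[target - 1] & 0xF8) == 0xD0) return 1;                           /* FF /2, mod=11  */
    if (target >= 3 && (code[target - 3] & 0xF0) == 0x40 && code[target - 2] == 0xFF &&
        (code[target - 1] & 0xF8) == 0xD0) return 1;                           /* REX + FF /2    */
    if (target >= 3 && code[target - 3] == 0xFF &&
        (code[target - 2] & 0xF8) == 0x50 && (code[target - 2] & 7) != 4) return 1; /* FF /2, mod=01 */
    if (target >= 6 && code[target - 6] == 0xFF && code[target - 5] == 0x15) return 1; /* FF 15 disp32 */
    return 0;
}

/* kBouncer-style check: count recorded returns whose target is not call-preceded. */
int count_bad_returns(const uint8_t *code, size_t len, const struct lbr_entry *lbr, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (lbr[i].from >= len) continue;
        uint8_t op = code[lbr[i].from];
        if (op != 0xC3 && op != 0xC2) continue;          /* only look at ret branches */
        if (!call_preceded(code, len, lbr[i].to)) bad++;
    }
    return bad;
}

/* ROPecker-style check: longest run of consecutive branch targets that are gadget starts. */
int longest_gadget_chain(const uint32_t *g, size_t ng, const struct lbr_entry *lbr, size_t n)
{
    int run = 0, best = 0;
    for (size_t i = 0; i < n; i++) {
        int hit = 0;
        for (size_t j = 0; j < ng; j++) if (g[j] == lbr[i].to) hit = 1;
        run = hit ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

int benign_bad_returns(void) { return count_bad_returns(image, sizeof image, benign_lbr, COUNT(benign_lbr)); }
int attack_bad_returns(void) { return count_bad_returns(image, sizeof image, attack_lbr, COUNT(attack_lbr)); }
int benign_chain(void) { return longest_gadget_chain(gadget_table, COUNT(gadget_table), benign_lbr, COUNT(benign_lbr)); }
int attack_chain(void) { return longest_gadget_chain(gadget_table, COUNT(gadget_table), attack_lbr, COUNT(attack_lbr)); }

int main(void)
{
    printf("benign: %d non-call-preceded returns, chain length %d\n", benign_bad_returns(), benign_chain());
    printf("attack: %d non-call-preceded returns, chain length %d\n", attack_bad_returns(), attack_chain());
    return 0;
}
```

The benign snapshot passes both checks (every return lands right after a call, and no branch target is a gadget start), while the attack snapshot fails both (four returns that are not call-preceded and a chain of four gadgets). Note what the example also makes visible: by the time either check runs, all four gadgets, including the syscall gadget, are already in the branch record, i.e., they have executed. The check happens at the checkpoint, after the fact, which is exactly the limitation the text attributes to these approaches.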