The present invention relates generally to the field of information security, and more particularly to prevention of return-oriented programming (ROP) attacks.
ROP is a powerful technique by which an attacker can induce unwanted behavior in a computer program whose control the attacker has diverted, without injecting any malicious code. As such, ROP may be used to overcome various strategies designed to prevent the execution of malicious code in the data area, such as data execution prevention (DEP), a security feature in modern operating systems that marks certain areas of memory as non-executable and others as executable. DEP allows only data in an area marked as executable to be run by programs, services, device drivers, etc.
When using ROP, an attacker uses control over the execution stack prior to a function return to direct code execution to some other location in the program. It is relatively straightforward to achieve almost arbitrary code execution by compiling a payload, or malicious code sequence, consisting of a combination of carefully chosen machine language instruction sequences, called gadgets. Gadgets are generally short, typically two to five instructions long, end in a return instruction, and are located in a subroutine within program code or shared library code, for example, libc, the C standard library, or Windows DLLs. A gadget may, for example, consist of a single machine language instruction followed by a return. Various automated tools have been developed to aid in locating gadgets to use in a ROP exploitation.
Address space layout randomization (ASLR) is a computer security technique that helps protect against buffer overflow attacks. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly rearranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap, and libraries. ASLR is designed to prevent attacks that make assumptions about the load address of code, but ROP attacks may circumvent ASLR by scanning memory and either finding a known anchor in the code area and calculating offsets from it, or searching for gadgets in the scanned memory.
Another approach to ROP mitigation is instruction location randomization (ILR). ILR focuses on preventing attacks which rely on code being located predictably by randomizing the location of every instruction in a program. Each instruction has an explicit successor, but this information is hidden from an attacker, thus preventing an attacker from easily locating the gadgets required to create a particular malicious code sequence. However, ILR may reduce the stability of running processes and/or severely degrade the end-user experience.
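As an added illustration of the ILR idea described above (example code written for this page, not from the patent or any ILR implementation): a toy stack machine whose instructions are scattered to random, unique addresses while a separate successor map preserves the fall-through order, so the program still executes correctly but instruction sequences are no longer physically contiguous. The instruction set, the program and the address-space size are constructed for this example.

```python
import random

# Constructed toy program for a tiny stack machine; each instruction is
# (opcode, operand). "ret" ends execution and returns the top of the stack.
PROGRAM = [
    ("push", 6),
    ("push", 7),
    ("mul", None),
    ("push", 2),
    ("add", None),
    ("ret", None),
]


def sequential_layout(program):
    """Conventional layout: instruction i lives at address i, successor is i+1."""
    layout = {addr: ins for addr, ins in enumerate(program)}
    successor = {addr: addr + 1 for addr in range(len(program) - 1)}
    return layout, successor, 0


def ilr_layout(program, address_space=1 << 16, seed=None):
    """ILR-style layout: every instruction gets a random, unique address; the
    fall-through relation is kept only in the successor map, which is the
    'explicit successor' that ILR hides from an attacker."""
    rng = random.Random(seed)
    addrs = rng.sample(range(address_space), len(program))
    layout = {a: ins for a, ins in zip(addrs, program)}
    successor = {addrs[i]: addrs[i + 1] for i in range(len(program) - 1)}
    return layout, successor, addrs[0]


def execute(layout, successor, entry):
    """Run the stack machine, following the successor map instead of pc + 1."""
    stack, pc = [], entry
    while True:
        op, arg = layout[pc]
        if op == "push":
            stack.append(arg)
        elif op == "add":
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
        elif op == "mul":
            b, a = stack.pop(), stack.pop()
            stack.append(a * b)
        elif op == "ret":
            return stack.pop()
        pc = successor[pc]


def adjacent_pairs(layout, successor):
    """Count fall-through pairs that are still physically adjacent (pc + 1)."""
    return sum(1 for a, b in successor.items() if b == a + 1)
```

With the sequential layout every fall-through pair is adjacent, so a short instruction run ending in `ret` sits at predictable consecutive addresses; under the randomized layout the same program yields the same result, yet its instructions are scattered across the address space.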