Sciweavers

CGO
2016
IEEE

Inference of peak density of indirect branches to detect ROP attacks

8 years 8 months ago
Inference of peak density of indirect branches to detect ROP attacks
A program subject to a Return-Oriented Programming (ROP) attack usually presents an execution trace with a high frequency of indirect branches. From this observation, several researchers have proposed to monitor the density of these instructions to detect ROP attacks. These techniques use universal thresholds: the density of indirect branches that characterizes an attack is the same for every application. This paper shows that universal thresholds are easy to circumvent. As an alternative, we introduce an inter-procedural semi-context-sensitive static code analysis that estimates the maximum density of indirect branches possible for a program. This analysis determines detection thresholds for each application; thus, making it more difficult for attackers to compromise programs via ROP. We have used an implementation of our technique in LLVM to find specific thresholds for the programs in SPEC CPU2006. By comparing these thresholds against actual execution traces of corresponding pr...
Mateus Tymburibá, Rubens E. A. Moreira, Fer
Added 31 Mar 2016
Updated 31 Mar 2016
Type Journal
Year 2016
Where CGO
Authors Mateus Tymburibá, Rubens E. A. Moreira, Fernando Magno Quintão Pereira
Comments (0)