Prevention Of ROP Attacks Through Counting Basic Block

Posted on: 2018-05-13
Degree: Master
Type: Thesis
Country: China
Candidate: W Q Wang
Full Text: PDF
GTID: 2428330569475207
Subject: Computer application technology
Abstract/Summary:
Return Oriented Programming (ROP) is an exploitation technique that can perform arbitrary unintended operations by chaining gadgets (sequences ending with ret, jmp, or call) that reuse existing code sequences. Existing defense mechanisms mainly focus on hiding memory layout information and monitoring control flow, but all have limitations and cannot defend against ROP attacks comprehensively and effectively. By characterizing the gadgets used in ROP attacks, a ROP defense method based on basic block counting is proposed. The method tracks the execution of instructions in the system and judges whether the running program is a ROP attack program by counting the basic blocks within an instruction sequence of limited length. In particular, because a gadget ending with a ret instruction differs from a traditional function call in how calls and returns pair up, we put forward a method that detects whether call and ret instructions match. Through in-depth investigation, we find that special gadgets can still bypass the general ROP defense method proposed above, such as longer gadgets and the one gadget, which can execute a system function directly. We therefore propose a defense method aimed at these special gadgets. Based on the above analysis, we design and implement a prototype detection and defense system based on basic block counting. The system is built on the open source virtual machine DECAF and combines VMI with dynamic binary instrumentation to detect, while the system is running, the number of instructions and basic blocks, incorrect function calls and returns, and special basic blocks. Moreover, we implement an algorithm that searches offline for special-instruction basic blocks. In actual attack and defense tests, the prototype system detects ROP attacks built with actual CVE vulnerabilities and with special gadgets used for bypassing; the average performance loss is 30.4% for CPU and 46.3% for the file system. The results show that our method can effectively defend against ROP attacks within the acceptable range of performance loss...
Keywords/Search Tags: Software Security, ROP, Virtual Machine Monitor, Binary Instrumentation
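The two general checks described in the abstract (basic-block density inside a limited-length instruction window, and call/ret matching) can be sketched as a scanner over an executed-instruction trace. This is an added example, not code from the thesis or from DECAF; the trace record layout, `WINDOW`, `MAX_BLOCKS`, `STACK_MAX` and all sample traces are assumptions made for illustration, and the special-gadget checks are not covered.

```c
#include <stddef.h>
#include <stdint.h>
/* Assumed tuning values; the abstract gives no thresholds. */
#define WINDOW     32   /* instructions per sliding window */
#define MAX_BLOCKS 10   /* block ends tolerated inside one window */
#define STACK_MAX  64   /* shadow call-stack depth */

enum kind { OTHER, CALL, RET, JMP };   /* JMP = indirect jump */
enum verdict { TRACE_OK, DENSE_BLOCKS, RET_MISMATCH };
struct insn { enum kind kind; uint64_t pc, target; unsigned len; };

/* Scan an executed-instruction trace and return the first anomaly. */
enum verdict scan_trace(const struct insn *t, size_t n) {
    uint64_t shadow[STACK_MAX];
    size_t depth = 0, lost = 0, ends = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].kind != OTHER) ends++;          /* a basic block ends here */
        if (i >= WINDOW && t[i - WINDOW].kind != OTHER) ends--;  /* slide */
        if (t[i].kind == CALL) {
            if (depth < STACK_MAX) shadow[depth++] = t[i].pc + t[i].len;
            else lost++;                         /* too deep: skip its ret */
        } else if (t[i].kind == RET) {
            if (lost) lost--;
            else if (depth == 0 || shadow[--depth] != t[i].target)
                return RET_MISMATCH;             /* ret without its call */
        }
        if (ends > MAX_BLOCKS) return DENSE_BLOCKS;
    }
    return TRACE_OK;
}

/* Constructed traces (not captured from any real program). */
const struct insn benign[] = {
    {OTHER, 0x1000, 0, 3}, {CALL, 0x1003, 0x2000, 5}, {OTHER, 0x2000, 0, 2},
    {OTHER, 0x2002, 0, 4}, {RET, 0x2006, 0x1008, 1}, {OTHER, 0x1008, 0, 2},
};
const struct insn stray_ret[] = {
    {OTHER, 0x1000, 0, 3}, {RET, 0x1003, 0x3000, 1}, {OTHER, 0x3000, 0, 2} };

/* Build n constructed instructions in two-instruction blocks ending in JMP,
   then scan them. */
enum verdict scan_short_blocks(size_t n) {
    struct insn t[2 * WINDOW];
    if (n > 2 * WINDOW) n = 2 * WINDOW;
    for (size_t i = 0; i < n; i++)
        t[i] = (struct insn){ (i % 2) ? JMP : OTHER, 0x4000 + 4 * i, 0, 4 };
    return scan_trace(t, n);
}
int main(void) {
    return !(scan_trace(benign, 6) == TRACE_OK && scan_short_blocks(32) == DENSE_BLOCKS);
}
```

The thresholds trade false positives against missed chains: ordinary code with many short branches raises the block count too, which is why the window length and block limit have to be tuned against real workloads.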