Engineering school and research center in digital sciences

ROPMEMU: A framework for the analysis of complex code-reuse attacks

Graziano, Mariano; Balzarotti, Davide; Zidouemba, Alain

ASIACCS 2016, 11th ACM Asia Conference on Computer and Communications Security, May 30-June 3, 2016, Xi'an, China

Code reuse attacks based on return oriented programming (ROP) are becoming more prevalent every year. They started as a way to circumvent operating system protections against injected code, but they are now also used as a technique to keep malicious code hidden from detection and analysis systems. This means that while in the past ROP chains were short and simple (and therefore did not require any dedicated tool for their analysis), we have recently started to observe very complex algorithms - such as a complete rootkit - implemented entirely as a sequence of ROP gadgets. In this paper, we present a set of techniques to analyze complex code reuse attacks. First, we identify and discuss the main challenges that complicate the reverse engineering of code implemented using ROP. Second, we propose an emulation-based framework to dissect, reconstruct, and simplify ROP chains. Finally, we test our tool on the most complex example available to date: a ROP rootkit containing four separate chains, two of them dynamically generated at runtime.


Title: ROPMEMU: A framework for the analysis of complex code-reuse attacks
Type: Conference
Language: English
City: Xi'an
Country: CHINA
Date:
Department: Digital Security
Eurecom ref: 4838
Copyright: © ACM, 2016. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ASIACCS 2016, 11th ACM Asia Conference on Computer and Communications Security, May 30-June 3, 2016, Xi'ian, China http://dx.doi.org/10.1145/2897845.2897894
Bibtex: @inproceedings{EURECOM+4838, doi = {http://dx.doi.org/10.1145/2897845.2897894}, year = {2016}, title = {{ROPMEMU}: {A} framework for the analysis of complex code-reuse attacks}, author = {{G}raziano, {M}ariano and {B}alzarotti, {D}avide and {Z}idouemba, {A}lain}, booktitle = {{ASIACCS} 2016, 11th {ACM} {A}sia {C}onference on {C}omputer and {C}ommunications {S}ecurity, {M}ay 30-{J}une 3, 2016, {X}i'ian, {C}hina }, address = {{X}i'an, {CHINE}}, month = {05}, url = {http://www.eurecom.fr/publication/4838} }