The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations, e.g. some numerals are expressed as "XNUMX".
Return-oriented programming (ROP) has become essential for attackers evading the security mechanisms of recent operating systems. Existing ROP detection approaches focus mainly on host-based intrusion detection systems (HIDSes), but network-based intrusion detection systems (NIDSes) are also wanted, because a single NIDS can protect many hosts at once, including IoT devices on the network. Existing approaches fall short for network-level protection for two reasons: (1) dynamic approaches take seconds or minutes per inspection on average, whereas a NIDS needs millisecond-order inspection to detect in near real time; (2) static approaches generate false positives because they rely on heuristic patterns, whereas a NIDS must keep false positives to a minimum to suppress false alarms. This paper proposes a method that statically detects ROP chains in malicious data by learning the target libraries (the libraries from which ROP gadgets are taken). The method speeds up inspection by exhaustively collecting the feasible ROP gadgets of the target libraries and learning them in a step separate from inspection. It also reduces the false positives that existing static inspection cannot avoid, by statically verifying whether a suspicious byte sequence would link properly if it were executed as a ROP chain. Experiments showed millisecond-order ROP chain detection with high precision.
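The collect-then-verify idea in the abstract, as an added illustration in C that is not ROPminer's code and does not reproduce the paper's algorithm: a hand-assembled x86-32 "library" image (constructed for this example), a toy decoder that knows only the handful of opcodes in it, an offline gadget-collection step with a simplified feasibility rule (net stack movement must be a non-negative multiple of 4), and an inspection step that counts a byte sequence as a chain only when consecutive gadget addresses actually link, i.e. each gadget's pops land exactly on the next gadget address. The load address LIB_BASE, the look-back limit, the threshold MIN_CHAIN and both payloads are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed x86-32 "target library", hand-assembled for this example and
 * assumed mapped at LIB_BASE; it is not a real library image. */
#define LIB_BASE 0x08048000u
static const uint8_t LIB[] = {
    0x90,                   /* +0  nop                         */
    0x58, 0xC3,             /* +1  pop eax ; ret               */
    0x5B, 0x59, 0xC3,       /* +3  pop ebx ; pop ecx ; ret     */
    0x83, 0xC4, 0x08, 0xC3, /* +6  add esp, 8 ; ret            */
    0x0F, 0x0B, 0xC3,       /* +10 ud2 (undecoded) ; ret       */
    0x50, 0xC3,             /* +13 push eax ; ret (infeasible) */
};
typedef struct { uint32_t addr; int delta; } Gadget; /* delta: stack bytes popped before the ret */
#define MAX_LOOKBACK 8  /* farthest start offset tried before each ret (assumed) */
#define MIN_CHAIN    3  /* assumed alert threshold: linked gadgets needed */

/* Toy decoder for the opcodes used above: returns instruction length and stack
 * movement, or 0 for an unknown byte, which ends the gadget search there. */
static int decode(const uint8_t *p, size_t n, int *delta, int *is_ret) {
    *is_ret = 0; if (n == 0) return 0;
    if (p[0] == 0x90) { *delta = 0; return 1; }                  /* nop      */
    if (p[0] >= 0x58 && p[0] <= 0x5F) { *delta = 4; return 1; }  /* pop r32  */
    if (p[0] >= 0x50 && p[0] <= 0x57) { *delta = -4; return 1; } /* push r32 */
    if (p[0] == 0xC3) { *delta = 0; *is_ret = 1; return 1; }     /* ret      */
    if (n >= 3 && p[0] == 0x83 && p[1] == 0xC4) { *delta = (int8_t)p[2]; return 3; } /* add esp, imm8 */
    return 0;
}

/* Learning step, run once per library: each start offset that decodes cleanly into a
 * ret with a net stack movement that is a non-negative multiple of 4 becomes a gadget. */
static size_t collect_gadgets(const uint8_t *lib, size_t len, uint32_t base, Gadget *out, size_t max) {
    size_t count = 0;
    for (size_t ret = 0; ret < len; ret++) {
        if (lib[ret] != 0xC3) continue;
        size_t lo = ret >= MAX_LOOKBACK ? ret - MAX_LOOKBACK : 0;
        for (size_t s = ret + 1; s-- > lo;) {          /* s runs from ret down to lo */
            size_t pc = s;
            int total = 0, ok = 0, d = 0, r = 0, l;
            while (pc <= ret && (l = decode(lib + pc, len - pc, &d, &r)) > 0) {
                if (r) { ok = (pc == ret); break; }   /* must end on this very ret */
                total += d;
                pc += (size_t)l;
            }
            if (ok && total >= 0 && total % 4 == 0 && count < max) {
                out[count].addr = base + (uint32_t)s;
                out[count++].delta = total;
            }
        }
    }
    return count;
}
static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static const Gadget *find_gadget(const Gadget *g, size_t n, uint32_t addr) {
    for (size_t i = 0; i < n; i++) if (g[i].addr == addr) return &g[i];
    return NULL; /* a real detector would index the learned table offline */
}

/* What a pattern-only heuristic sees: words that merely point into the library. */
static size_t count_lib_pointers(const uint8_t *buf, size_t len, uint32_t base, size_t lib_len) {
    size_t hits = 0;
    for (size_t i = 0; i + 4 <= len; i += 4)
        if (le32(buf + i) >= base && le32(buf + i) < base + lib_len) hits++;
    return hits;
}

/* Linkability check: follow the chain as the CPU would. Each word must be a feasible
 * gadget and the next return address must sit exactly after the bytes that gadget pops. */
static size_t linked_chain_len(const uint8_t *buf, size_t len, size_t start, const Gadget *g, size_t ng) {
    size_t n = 0;
    for (size_t i = start; i + 4 <= len; n++) {
        const Gadget *gd = find_gadget(g, ng, le32(buf + i));
        if (!gd) break;
        i += 4 + (size_t)gd->delta;
    }
    return n;
}

/* Inspection step: a chain may start at any byte offset, so try them all. */
static size_t longest_linked_chain(const uint8_t *buf, size_t len, const Gadget *g, size_t ng) {
    size_t best = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        size_t n = linked_chain_len(buf, len, i, g, ng);
        if (n > best) best = n;
    }
    return best;
}

#define W(x) (uint8_t)(x), (uint8_t)((x) >> 8), (uint8_t)((x) >> 16), (uint8_t)((x) >> 24)
/* Constructed inputs: in CHAIN each gadget's pops land on the next address;
 * LOOKALIKE carries as many library pointers, but they never link up. */
static const uint8_t CHAIN[] = {
    W(LIB_BASE + 1), W(0x41414141u),                 /* pop eax <- 41414141  */
    W(LIB_BASE + 3), W(0x42424242u), W(0x43434343u), /* pop ebx ; pop ecx    */
    W(LIB_BASE + 6), W(0xDEADBEEFu), W(0xCAFEBABEu), /* add esp, 8 skips two */
    W(LIB_BASE + 9),                                 /* ret                  */
};
static const uint8_t LOOKALIKE[] = { W(LIB_BASE + 3), W(LIB_BASE + 1), W(LIB_BASE + 1), W(0x41414141u) };
```

On this input the learning step yields ten feasible gadgets (the `push eax ; ret` at +13 is dropped because its net stack movement is negative). `CHAIN` and `LOOKALIKE` both look suspicious to a pointer-counting heuristic (four and three words into the library), but only `CHAIN` survives the linkability check with a chain of four gadgets; `LOOKALIKE` never links beyond one, because the first gadget's two pops swallow the next pointer. The inspection step does no emulation and touches only the pre-built table, which is what keeps it cheap.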
Toshinori USUI
NTT Secure Platform Laboratories,The University of Tokyo
Tomonori IKUSE
NTT Secure Platform Laboratories
Yuto OTSUKI
NTT Secure Platform Laboratories
Yuhei KAWAKOYA
NTT Secure Platform Laboratories
Makoto IWAMURA
NTT Secure Platform Laboratories
Jun MIYOSHI
NTT Secure Platform Laboratories
Kanta MATSUURA
The University of Tokyo
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Toshinori USUI, Tomonori IKUSE, Yuto OTSUKI, Yuhei KAWAKOYA, Makoto IWAMURA, Jun MIYOSHI, Kanta MATSUURA, "ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets" in IEICE TRANSACTIONS on Information, vol. E103-D, no. 7, pp. 1476-1492, July 2020, doi: 10.1587/transinf.2019ICP0016.
Abstract: Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of recent operating systems. Although existing ROP detection approaches mainly focus on host-based intrusion detection systems (HIDSes), network-based intrusion detection systems (NIDSes) are also desired to protect various hosts including IoT devices on the network. However, existing approaches are not enough for network-level protection due to two problems: (1) Dynamic approaches take the time with second- or minute-order on average for inspection. For applying to NIDSes, millisecond-order is required to achieve near real time detection. (2) Static approaches generate false positives because they use heuristic patterns. For applying to NIDSes, false positives should be minimized to suppress false alarms. In this paper, we propose a method for statically detecting ROP chains in malicious data by learning the target libraries (i.e., the libraries that are used for ROP gadgets). Our method accelerates its inspection by exhaustively collecting feasible ROP gadgets in the target libraries and learning them separated from the inspection step. In addition, we reduce false positives inevitable for existing static inspection by statically verifying whether a suspicious byte sequence can link properly when they are executed as a ROP chain. Experimental results showed that our method has achieved millisecond-order ROP chain detection with high precision.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2019ICP0016/_p
@ARTICLE{e103-d_7_1476,
author={Toshinori USUI and Tomonori IKUSE and Yuto OTSUKI and Yuhei KAWAKOYA and Makoto IWAMURA and Jun MIYOSHI and Kanta MATSUURA},
journal={IEICE TRANSACTIONS on Information},
title={ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets},
year={2020},
volume={E103-D},
number={7},
pages={1476-1492},
abstract={Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of recent operating systems. Although existing ROP detection approaches mainly focus on host-based intrusion detection systems (HIDSes), network-based intrusion detection systems (NIDSes) are also desired to protect various hosts including IoT devices on the network. However, existing approaches are not enough for network-level protection due to two problems: (1) Dynamic approaches take the time with second- or minute-order on average for inspection. For applying to NIDSes, millisecond-order is required to achieve near real time detection. (2) Static approaches generate false positives because they use heuristic patterns. For applying to NIDSes, false positives should be minimized to suppress false alarms. In this paper, we propose a method for statically detecting ROP chains in malicious data by learning the target libraries (i.e., the libraries that are used for ROP gadgets). Our method accelerates its inspection by exhaustively collecting feasible ROP gadgets in the target libraries and learning them separated from the inspection step. In addition, we reduce false positives inevitable for existing static inspection by statically verifying whether a suspicious byte sequence can link properly when they are executed as a ROP chain. Experimental results showed that our method has achieved millisecond-order ROP chain detection with high precision.},
keywords={},
doi={10.1587/transinf.2019ICP0016},
ISSN={1745-1361},
month={July},}
TY - JOUR
TI - ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets
T2 - IEICE TRANSACTIONS on Information
SP - 1476
EP - 1492
AU - Toshinori USUI
AU - Tomonori IKUSE
AU - Yuto OTSUKI
AU - Yuhei KAWAKOYA
AU - Makoto IWAMURA
AU - Jun MIYOSHI
AU - Kanta MATSUURA
PY - 2020
DO - 10.1587/transinf.2019ICP0016
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E103-D
IS - 7
JA - IEICE TRANSACTIONS on Information
Y1 - July 2020
AB - Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of recent operating systems. Although existing ROP detection approaches mainly focus on host-based intrusion detection systems (HIDSes), network-based intrusion detection systems (NIDSes) are also desired to protect various hosts including IoT devices on the network. However, existing approaches are not enough for network-level protection due to two problems: (1) Dynamic approaches take the time with second- or minute-order on average for inspection. For applying to NIDSes, millisecond-order is required to achieve near real time detection. (2) Static approaches generate false positives because they use heuristic patterns. For applying to NIDSes, false positives should be minimized to suppress false alarms. In this paper, we propose a method for statically detecting ROP chains in malicious data by learning the target libraries (i.e., the libraries that are used for ROP gadgets). Our method accelerates its inspection by exhaustively collecting feasible ROP gadgets in the target libraries and learning them separated from the inspection step. In addition, we reduce false positives inevitable for existing static inspection by statically verifying whether a suspicious byte sequence can link properly when they are executed as a ROP chain. Experimental results showed that our method has achieved millisecond-order ROP chain detection with high precision.
ER -