
Return-oriented programming payload detection using speculative code execution

Columbia Technology Ventures
posted on 01/15/2012



Innovation Details
 

Detailed Description

Lead Inventors: Angelos D. Keromytis, Ph.D.; Michalis Polychronakis



Problem or Unmet Need:

Return-oriented programming (ROP) is a computer exploitation technique in which an attacker executes arbitrary code on a victim system by injecting a sequence of addresses of code fragments (referred to as gadgets) that already exist in the address space of the targeted process. Current methods for detecting or preventing the execution of malicious code, such as Data Execution Prevention (DEP), are ineffective against ROP attacks because the injected payload in such attacks contains no identifiable malicious code. The lack of effective ROP exploit detection methods has encouraged attackers to increasingly employ the technique to compromise computer systems.



Details of the Invention:

The technology is a software method for the detection of ROP payloads in arbitrary inputs. This method scans the input byte by byte to determine whether it contains a sequence of valid memory addresses that point to consecutively executed unique gadgets in the executable memory segments of a target process. These sequences can be heuristically identified because of the low probability that a benign input would contain a sequence of addresses of code fragments that read valid destination addresses from the input and transfer execution control to them. The detection threshold of the method (specifically, the number of consecutive unique gadgets executed due to a potential payload) can be tuned to make the method more robust against false positives.
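The scan-and-threshold logic described above, as an added sketch that is not the inventors' code. It assumes a 32-bit little-endian target, and a constructed gadget table (made-up addresses, each mapped to the stack bytes the fragment pops before returning) stands in for the speculative execution step that would discover this at run time.

```python
import struct

# Constructed gadget table standing in for speculative execution: address of a
# code fragment ending in ret -> stack bytes it pops before that ret.
# Addresses are made up for this example.
GADGETS = {
    0x7C801000: 4,  # e.g. pop reg; ret
    0x7C802230: 0,  # e.g. mov reg, reg; ret
    0x7C8035A4: 8,  # e.g. pop reg; pop reg; ret
    0x7C804410: 0,
    0x7C805008: 4,
}

def follow_chain(data, offset, gadgets):
    """Treat data[offset:] as a stack image; return (unique gadgets run, end offset)."""
    seen, pos = set(), offset
    while pos + 4 <= len(data):
        (addr,) = struct.unpack_from("<I", data, pos)  # 32-bit little-endian
        if addr not in gadgets:
            break  # control would leave known gadget code: chain ends
        seen.add(addr)
        pos += 4 + gadgets[addr]  # skip the address and the operands it pops
    return len(seen), pos

def scan(data, gadgets=GADGETS, threshold=4):
    """Scan byte by byte; report (offset, unique_gadgets) for chains >= threshold."""
    hits, covered = [], 0
    for off in range(max(len(data) - 3, 0)):
        if off < covered:
            continue  # suffix of a chain already reported
        count, end = follow_chain(data, off, gadgets)
        if count >= threshold:
            hits.append((off, count))
            covered = end
    return hits

def build_sample():
    """Constructed input: a five-gadget chain embedded in an HTTP-like request."""
    p = lambda a: struct.pack("<I", a)
    chain = (p(0x7C801000) + b"AAAA" + p(0x7C802230) + p(0x7C8035A4) + b"BBBBCCCC"
             + p(0x7C804410) + p(0x7C805008) + b"DDDD")
    return b"GET /index.html?" + chain + b" HTTP/1.1\r\n"

if __name__ == "__main__":
    print(scan(build_sample()))  # chain reported at its starting offset
    print(scan(b"x" * 8 + struct.pack("<I", 0x7C801000) + b"y" * 8))  # lone address
```

Raising `threshold` trades sensitivity to short chains for fewer alerts on inputs that happen to contain one or two values that look like gadget addresses.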



Applications:

-- The technology can effectively identify network-level attacks or documents that contain exploits based upon ROP.



Advantages:

-- In contrast to existing exploit detection and prevention methods that can only identify exploits that contain malicious code, the technology can identify exploits that only contain ROP payloads.

-- The technology can be combined with existing exploit detection methods to identify attacks that comprise both ROP and non-ROP components.



Patent Status: Patent Pending



Licensing Status: Available for Licensing or Sponsored Research Support



Publications: ROP Payload Detection Using Speculative Code Execution, M. Polychronakis and A.D. Keromytis, Malware 2011, October 2011.


Further Information
Calvin Chu
Email: TechTransfer@columbia.edu

File Number: CU12079 


IP Protection


License Online

This innovation currently is not available for online licensing. Please contact Tech Transfer at Columbia Technology Ventures for more information.
