Return-oriented programming payload detection using speculative code execution
Columbia Technology Ventures
posted on 01/15/2012
Lead Inventors: Angelos D. Keromytis, Ph.D.; Michalis Polychronakis
Problem or Unmet Need:
Return-oriented programming (ROP) is an exploitation technique in which an attacker performs arbitrary computation on a victim system without injecting any code of their own. The payload is a sequence of addresses of short code fragments (gadgets) that already exist in the address space of the targeted process, each typically ending in a return instruction; the gadgets are chained because each return picks up the next address from the attacker-controlled data. Current methods for detecting or preventing the execution of malicious code, such as Data Execution Prevention (DEP), are ineffective against ROP because the payload contains no injected code to block or recognise: it consists only of addresses into memory that is legitimately executable. The lack of effective ROP exploit detection has encouraged attackers to rely on the technique increasingly to compromise computer systems.
Details of the Invention:
The technology is a software method for detecting ROP payloads in arbitrary inputs, such as network streams or files. The input is scanned byte by byte: each offset is treated as a candidate stack pointer, and the method speculatively executes the code that the input would drive if the target process's stack were pointed at it, following the sequence of addresses in the input to the gadgets they reference in the executable memory segments of the process. An input is flagged when it drives a sufficiently long sequence of consecutively executed, unique gadgets. Such sequences can be identified heuristically because a benign input is very unlikely to contain a run of addresses that point to code fragments which in turn read further valid addresses from the input and transfer control to them. The detection threshold, the number of consecutive unique gadgets a candidate payload must execute, can be tuned: raising it makes the method more robust to false positives, at the cost of missing shorter chains.
-- The technology can effectively identify network-level attacks or documents that contain exploits based upon ROP.
-- In contrast to existing exploit detection and prevention methods that can only identify exploits containing injected malicious code (shellcode), the technology identifies exploits whose payload consists solely of a ROP chain.
-- The technology can be combined with existing exploit detection methods to identify attacks that comprise both ROP and non-ROP components.
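To make the scanning step concrete, here is a small scanner written for this page as an added example; it is not the inventors' implementation and not the code from the Malware 2011 paper. It assumes a constructed executable region loaded at 0x400000 whose only modelled instructions are pop r64, nop and ret, a constructed sample input carrying a six-gadget chain after eight bytes of ordinary data, and a constructed HTTP request as the benign case. The function names (scan_for_rop, chain_length, exec_gadget, build_rop_sample, demo_rop_offset, demo_benign_offset) and the threshold values are likewise this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_BASE   0x400000ULL  /* assumed load address of the executable region */
#define SLOT        8            /* one stack slot on x86-64 */
#define MAX_GADGETS 64

/* Constructed stand-in for the target process's executable memory. Only three
 * instruction forms are modelled: pop r64 (0x58-0x5f), nop (0x90), ret (0xc3). */
static const uint8_t code[] = {
    0xc3,             /* 0x400000: ret */
    0x58, 0xc3,       /* 0x400001: pop rax; ret */
    0x5f, 0x5e, 0xc3, /* 0x400003: pop rdi; pop rsi; ret */
    0x90, 0x90, 0xc3, /* 0x400006: nop; nop; ret */
    0x5a, 0xc3,       /* 0x400009: pop rdx; ret */
    0x59, 0xc3,       /* 0x40000b: pop rcx; ret */
    0x0f, 0x05, 0xc3, /* 0x40000d: syscall; ret (syscall is not modelled, so a run aborts here) */
};
#define CODE_LEN (sizeof code)

static uint64_t rd64(const uint8_t *p) {            /* little-endian load */
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void wr64(uint8_t *p, uint64_t v) {          /* little-endian store */
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Speculatively run one gadget with the input acting as the stack; *sp is the stack
 * pointer as a byte offset into the input. Returns 1 when the gadget reaches a ret
 * (control continues from the next slot), 0 on an unmodelled instruction or a pop
 * that would read past the end of the input. */
static int exec_gadget(uint64_t addr, size_t *sp, size_t inlen) {
    for (size_t pc = (size_t)(addr - CODE_BASE); pc < CODE_LEN; ) {
        uint8_t op = code[pc++];
        if (op == 0xc3) return 1;
        if (op == 0x90) continue;
        if (op < 0x58 || op > 0x5f) return 0;
        if (*sp + SLOT > inlen) return 0;           /* pop would read past the input */
        *sp += SLOT;
    }
    return 0;
}

/* Treat input[off..] as the stack and follow the chain, counting *unique* gadgets
 * so that a slot pointing back at a lone "ret" cannot inflate the count. */
static int chain_length(const uint8_t *in, size_t inlen, size_t off) {
    uint64_t seen[MAX_GADGETS];
    int nseen = 0;
    for (size_t sp = off; sp + SLOT <= inlen; ) {
        uint64_t addr = rd64(in + sp);
        sp += SLOT;                                   /* the ret consumed this slot */
        if (addr < CODE_BASE || addr >= CODE_BASE + CODE_LEN) break; /* not executable */
        if (!exec_gadget(addr, &sp, inlen)) break;
        int dup = 0;
        for (int i = 0; i < nseen; i++) dup |= (seen[i] == addr);
        if (!dup && nseen < MAX_GADGETS) seen[nseen++] = addr;
    }
    return nseen;
}

/* Scan every byte offset of the input as a candidate stack pointer. Returns the
 * first offset whose chain reaches the threshold, or -1 if none does. */
long scan_for_rop(const uint8_t *in, size_t inlen, int threshold) {
    for (size_t off = 0; off + SLOT <= inlen; off++)
        if (chain_length(in, inlen, off) >= threshold) return (long)off;
    return -1;
}

/* Constructed sample input: 8 bytes of ordinary data, then a 6-gadget chain. */
size_t build_rop_sample(uint8_t *buf, size_t cap) {
    static const uint64_t chain[] = {
        0x400001, 0x1111,         /* pop rax; ret          (rax = 0x1111) */
        0x400003, 0x2222, 0x3333, /* pop rdi; pop rsi; ret                */
        0x400009, 0x4444,         /* pop rdx; ret                         */
        0x40000b, 0x5555,         /* pop rcx; ret                         */
        0x400006,                 /* nop; nop; ret                        */
        0x400000,                 /* ret                                  */
    };
    size_t n = 8;
    if (cap < n + sizeof chain) return 0;
    memcpy(buf, "HEADER: ", n);
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++, n += SLOT)
        wr64(buf + n, chain[i]);
    return n;
}

long demo_rop_offset(int threshold) {               /* scans the constructed chain */
    uint8_t buf[128];
    return scan_for_rop(buf, build_rop_sample(buf, sizeof buf), threshold);
}
long demo_benign_offset(int threshold) {            /* scans a constructed HTTP request */
    const char *req = "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n";
    return scan_for_rop((const uint8_t *)req, strlen(req), threshold);
}

int main(void) {
    printf("ROP sample: chain found at offset %ld\n", demo_rop_offset(5));
    printf("benign request: %ld (-1 = nothing found)\n", demo_benign_offset(1));
    return 0;
}
```

Each byte offset is tried as the stack pointer; a gadget's pops advance the candidate stack pointer through the input and its ret loads the next slot as the next gadget address, so a chain is followed the way the real process would follow it. With the constructed sample, thresholds of 5 or 6 report the chain at offset 8, a threshold of 7 reports nothing, and the HTTP request never yields a single gadget because no 8-byte window of printable text decodes to an address inside the executable region. A real implementation needs a full instruction decoder and the target's actual memory map; what carries over is the scan-and-count structure and the threshold trade-off.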
Patent Status: Patent Pending
Licensing Status: Available for Licensing or Sponsored Research Support
Publications: ROP Payload Detection Using Speculative Code Execution, M. Polychronakis and A.D. Keromytis, Malware 2011, October 2011.
File Number: CU12079