
Detecting method for ROP (Return-Oriented Programming) attacks

A detection method and dynamic link library technology, applied in the field of detection against ROP attacks

Inactive Publication Date: 2017-01-11
HUAZHONG UNIV OF SCI & TECH +1

AI Technical Summary

Problems solved by technology

According to online survey results from Zero Point Data released on March 9, 2015, Windows XP now occupies half of the domestic computer operating system market. Although Microsoft has stopped technical support, nearly 80% of users are still unwilling to give up using XP.

Examples


Embodiment 1

[0038] PE files are the program files of the Microsoft Windows operating system, and dynamic link libraries are typical PE files. Techniques for modifying PE files are mature, but there is no mature technique that detects ROP attacks solely by modifying the dynamic link library. Detecting ROP attacks this way requires no changes to the system's kernel and is compatible with all Windows systems.

[0039] This embodiment provides a detection method for ROP attacks, including a preprocessing stage and a loading stage:

[0040] In the preprocessing stage, we add a new code segment to the original dynamic link library, then add code to that segment which fills the loading position of the original dynamic link library with warning instructions.

[0041] Figure 3 marks in detail, on the basis of Figure 2, the parts to be modified. In the NT header, fo...


Abstract

The invention discloses a detection method for ROP (Return-Oriented Programming) attacks. The method comprises the following steps: obtaining a new base address for a dynamic link library, where the new base address equals the sum of the library's original base address and an offset, the offset is a random non-zero integer multiple of the allocation granularity, and the absolute value of the offset is greater than the length of the dynamic link library; modifying the base address fields of the dynamic link library so that they point to the new base address; adding a code section to the dynamic link library, where the code section fills the loading position corresponding to the library's original base address with warning instructions, the code section ends with a jump instruction, and the jump distance of that instruction is the relative distance between the jump instruction and the entry function; and setting the entry address of the dynamic link library to the address of the code section. The method can be applied to all Windows systems without placing extra burden on the system, and can detect all ROP attacks except JIT-ROP.
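The address arithmetic in these steps, as an added example that is not code from the patent: it reads the PE32 header fields, picks a new base that satisfies the offset constraints, and computes the displacement of the trailing jump. Assumptions: a 64 KiB allocation granularity, an `E9 rel32` jump whose displacement counts from the end of the instruction, hypothetical `stub_rva`/`stub_len` parameters locating the added section's code, and a constructed header-only sample image; adding the section itself (section table entry, image size growth) is left out.

```python
import random
import struct

GRANULARITY = 0x10000                  # Windows allocation granularity (64 KiB)
ENTRY, IMAGE_BASE, SIZE_OF_IMAGE = 16, 28, 56   # PE32 optional-header offsets

def optional_header(pe):
    """Return the file offset of the PE32 optional header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20            # skip signature and COFF file header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled")
    return opt

def pick_new_base(base, size, rng):
    """base + k*GRANULARITY with k != 0 random and |k*GRANULARITY| > size."""
    k_min = size // GRANULARITY + 1    # smallest |k| whose offset exceeds size
    ks = [s * k for k in range(k_min, k_min + 256) for s in (1, -1)]
    # Assumption: keep the whole image inside 32-bit user space.
    ok = [k for k in ks
          if 0x10000 <= base + k * GRANULARITY <= 0x7FFF0000 - size]
    return base + rng.choice(ok) * GRANULARITY

def plan_rebase(pe, stub_rva, stub_len, rng):
    """Patch ImageBase/entry point; stub_* locate the added section's code."""
    opt = optional_header(pe)
    entry, = struct.unpack_from("<I", pe, opt + ENTRY)
    base, = struct.unpack_from("<I", pe, opt + IMAGE_BASE)
    size, = struct.unpack_from("<I", pe, opt + SIZE_OF_IMAGE)
    new_base = pick_new_base(base, size, rng)
    # Assumed E9 rel32 jump in the stub's last 5 bytes; rel32 counts from its end.
    rel32 = entry - (stub_rva + stub_len)
    out = bytearray(pe)
    struct.pack_into("<I", out, opt + IMAGE_BASE, new_base)
    struct.pack_into("<I", out, opt + ENTRY, stub_rva)
    return {"pe": bytes(out), "new_base": new_base, "jmp_rel32": rel32,
            "trap": (base, base + size)}   # range the stub fills with warnings

def sample_pe(base=0x10000000, size=0x25000, entry=0x1200):
    """Constructed header-only PE32 image used as sample input."""
    pe = bytearray(0x200)
    pe[:2], pe[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    for off, fmt, val in ((0, "<H", 0x10B), (ENTRY, "<I", entry),
                          (IMAGE_BASE, "<I", base), (SIZE_OF_IMAGE, "<I", size)):
        struct.pack_into(fmt, pe, 0x80 + 24 + off, val)
    return bytes(pe)
```

Because the offset exceeds the image length, the relocated image can never overlap the `trap` range at the original base, so any control transfer landing there comes from addresses an attacker computed against the old layout.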

Description

Technical field

[0001] The invention belongs to the technical field of system security, and more specifically relates to a detection method for ROP attacks.

Background technique

[0002] With the rapid development of information technology and the rapid popularization of the Internet, computer software systems play an increasingly important role in social life. At the same time, various program vulnerabilities are still common, especially in legacy software systems. Through these vulnerabilities, attackers can hijack the control flow of a program and divert it to their own preset control flow, making the system perform behaviors that the user did not intend. A common attack method is the Return-Oriented Programming (ROP) attack. This attack method searches memory for code fragments ending with jump instructions (such as RET instructions), combines these code fragments to form an instruction sequence that accomplishes the attack purpose, and replace...


Application Information

IPC(8): G06F21/56
CPC: G06F21/566, G06F2221/033
Inventor: 李伟明, 孔华锋, 贺玄
Owner: HUAZHONG UNIV OF SCI & TECH