HoneyGadget: A Deception Based ROP Detection Scheme

Published in: International Conference on Science of Cyber Security
Abstract

Return-Oriented Programming (ROP) is a robust attack which has been proven to be Turing-complete. ROP reuses short code sequences, called gadgets, that already exist in a vulnerable application and diverts control flow through them to achieve malicious effects. Existing defenses against code reuse attacks either restrict the policy of control-flow transfer (e.g. CFI) or make locating gadgets hard (e.g. ASLR). However, decades of this arms race have shown that the ability to detect up-to-date attacks remains the Achilles' heel. In honeypots, a common pattern for operators is to spread honeytokens and hunt spammers by capturing their malicious behavior. In order to capture the attack pattern of code reuse attacks, we present a novel deception-based ROP detection model named HoneyGadget. HoneyGadget inserts various types of honey gadgets, acting as tokens, at specific points in binary files that normal control flow would never reach, and records their addresses once the application is loaded. During execution, HoneyGadget uses the Last Branch Record (LBR) to trace branch history. On a sensitive function call, HoneyGadget compares the LBR records against the maintained address list and terminates the program immediately if any record matches: since the honey gadgets are never executed by normal control flow, a match means a ROP attack is in progress. We have developed a fully functioning prototype of HoneyGadget. Our evaluation shows that HoneyGadget (1) captures ROP attacks actively and (2) incurs an acceptable overhead of 7.61%.
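The detection step described in the abstract, as an added example that is not the paper's prototype: a user-space model in C of the honey-gadget address list recorded at load time, an LBR-like ring buffer of branch records, and the check run on entry to a sensitive call. The addresses, gadget lengths, the 16-entry LBR depth and the three scenarios are constructed assumptions; real LBR contents live in model-specific registers that only kernel code can read, so the ring buffer here is a stand-in for the hardware.

```c
/*
 * Added example, not the paper's prototype: a user-space model of the
 * HoneyGadget check. Addresses, gadget lengths and the LBR depth are
 * constructed for illustration. Real LBR records live in model-specific
 * registers that only ring 0 can read, so the ring buffer is a stand-in.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LBR_DEPTH 16   /* assumed depth; hardware LBR stacks are 16 or 32 deep */
#define MAX_HONEY 32

typedef struct { uintptr_t from, to; } lbr_entry;

/* Circular buffer modelling the hardware LBR stack: the newest record
 * overwrites the oldest once the stack is full. */
typedef struct {
    lbr_entry ring[LBR_DEPTH];
    size_t next;   /* slot the next record goes into */
    size_t count;  /* valid entries, at most LBR_DEPTH */
} lbr_stack;

/* One honey gadget as recorded when the binary is loaded: [start, start+len). */
typedef struct { uintptr_t start; size_t len; } honey_entry;
typedef struct { honey_entry e[MAX_HONEY]; size_t n; } honey_list;

static void lbr_init(lbr_stack *s) { s->next = 0; s->count = 0; }

/* What the CPU does on every taken branch: push (from, to) onto the LBR stack. */
static void lbr_record(lbr_stack *s, uintptr_t from, uintptr_t to) {
    s->ring[s->next].from = from;
    s->ring[s->next].to   = to;
    s->next = (s->next + 1) % LBR_DEPTH;
    if (s->count < LBR_DEPTH) s->count++;
}

/* Loader side: remember where each honey gadget landed after relocation. */
static int honey_register(honey_list *h, uintptr_t start, size_t len) {
    if (h->n == MAX_HONEY) return -1;
    h->e[h->n].start = start;
    h->e[h->n].len   = len;
    h->n++;
    return 0;
}

static int in_honey(const honey_list *h, uintptr_t addr) {
    for (size_t j = 0; j < h->n; j++)
        if (addr >= h->e[j].start && addr < h->e[j].start + h->e[j].len)
            return (int)j;
    return -1;
}

/* The check run on entry to a sensitive function: returns the index of the
 * first honey gadget that any recorded branch entered or left, or -1 if the
 * trace is clean. Both ends of each record are tested, so a ret *out of* a
 * honey gadget still matches when the jump *into* it was already evicted. */
static int honey_check(const lbr_stack *s, const honey_list *h) {
    for (size_t i = 0; i < s->count; i++) {
        int hit = in_honey(h, s->ring[i].to);
        if (hit < 0) hit = in_honey(h, s->ring[i].from);
        if (hit >= 0) return hit;
    }
    return -1;
}

/* Constructed layout: ordinary text from TEXT_BASE, two honey gadgets parked
 * where no legitimate branch targets them, and a "sensitive" library entry. */
#define TEXT_BASE  0x401000u
#define HONEY_A    0x401f00u
#define HONEY_B    0x401f20u
#define HONEY_LEN  0x10u
#define SENSITIVE  0x7f001000u   /* stands in for mprotect/execve */

static void load_honey(honey_list *h) {
    h->n = 0;
    honey_register(h, HONEY_A, HONEY_LEN);
    honey_register(h, HONEY_B, HONEY_LEN);
}

/* Scenario 0: normal control flow reaches the sensitive call.
 * Scenario 1: a ROP chain returns through honey gadget B before the call.
 * Scenario 2: like 1, but the chain then runs LBR_DEPTH further gadgets,
 *             so the honey records have been evicted by the time of the call. */
static int run_scenario(int scenario) {
    honey_list h; lbr_stack s;
    load_honey(&h);
    lbr_init(&s);

    /* Legitimate call chain: main -> handler. */
    lbr_record(&s, TEXT_BASE + 0x10, TEXT_BASE + 0x100);
    lbr_record(&s, TEXT_BASE + 0x120, TEXT_BASE + 0x200);

    if (scenario >= 1) {
        /* Overwritten return address sends a ret into honey gadget B,
         * whose own ret continues the chain. */
        lbr_record(&s, TEXT_BASE + 0x230, HONEY_B + 0x4);
        lbr_record(&s, HONEY_B + HONEY_LEN - 1, TEXT_BASE + 0x300);
    }
    if (scenario == 2) {
        /* A long run of ordinary gadgets pushes the honey records out. */
        for (unsigned i = 0; i < LBR_DEPTH; i++)
            lbr_record(&s, TEXT_BASE + 0x300 + 8 * i, TEXT_BASE + 0x300 + 8 * (i + 1));
    }

    lbr_record(&s, TEXT_BASE + 0x2f0, SENSITIVE);  /* branch into the sensitive function */
    return honey_check(&s, &h);                     /* -1 = clean, else honey index */
}

int main(void) {
    for (int sc = 0; sc < 3; sc++) {
        int hit = run_scenario(sc);
        printf("scenario %d: %s\n", sc,
               hit >= 0 ? "honey gadget hit, terminate" : "clean");
    }
    return 0;
}
```

Scenario 2 is the caveat a practitioner should keep in mind when reading the 7.61% figure: the LBR stack is shallow (16 or 32 entries on the Intel parts that have it), so a honey gadget visit is only visible at the sensitive call if fewer than that many branches happened in between. Matching both the source and the target of each record, as above, buys one extra record per visit but does not remove the window.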