Journal: International Journal of Applied Engineering Research

Improved Technique for Verification of Call-return Flow Integrity for Compiler-based Defense against Return-oriented Programming Attacks


Abstract

Return-oriented programming (ROP) attacks have been increasing in number recently. ROP is an exploitation technique that can bypass non-executable page protection methods by using existing code within benign programs or modules. There has been much research on defense methods against ROP attacks, but most of them have high performance overhead (dynamic instrumentation approach) or high time complexity (compiler-based approach) in terms of the detection of gadgets. The ROP defense technique recently proposed by Lee et al. has overcome the limitations of the compiler-based approach, and has further proved its efficiency. Their defense technique performs calculations with a single global variable immediately before the execution of each ret instruction (-1) and at the resetting position (+1). Moreover, their defense technique achieved O(1) detection time complexity by detecting gadgets within only two executions. In their experiment, the performance overhead was 1.62% and the file size overhead was 4.60%. To verify the control-flow integrity (CFI), their defense scheme simplifies the code by computing a special variable, check_value. However, the code is inefficient because it performs the same computation on all call and ret instructions. In this paper, we propose an ROP defense method to verify the CFI through concentrated functions. We improved Lee et al.'s method by allowing a specific function to separately execute the calculation of the check_value. In our experiment, we could reduce the file size overhead by approximately 40% while maintaining the efficiency, detection time complexity, and performance presented in Lee et al.'s defense technique.