Hardware Assisted ROP Detection Mode (HARD Mode)
Abstract
Return-oriented programming (ROP) is a form of code-reuse attack employed in many modern exploitation attacks. Current defenses such as address-space randomization, structured exception handling, and memory space permissions have thus far proven only speed bumps for attackers. Utilizing new hardware capabilities in the upcoming Intel Haswell platform, we have leveraged a hardware-based approach to protect against a ROP attack. With our process, an application's and associated libraries' code segments in memory are marked non-executable, and the page faults created when switching execution between pages are utilized as events that invoke the decision engine. The decision engine is designed to examine the program's actions which caused it to attempt to pass a page boundary and report to an enforcement component which ensures the program's execution terminates. Our proof of concept decision engine examines returns that cross page boundaries and ensures that the target of a return is preceded by a call operation. Should a page transition be approved by a decision engine, the requested memory is marked executable. Otherwise, the enforcement engine will set the program counter register to zero, causing the application to crash.
Document Details
- Document Type: Technical Report
- Publication Date: Aug 01, 2013
- Accession Number: ADA591718
Entities
People
- Martin Carlisle
- Michael Lemay
- Michael Winstead
- Nathaniel Hart
- Rodney Lykins
Organizations
- United States Air Force Academy