STROP: Static Approach for Detection of Return-Oriented Programming Attack in Network
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Choi, YoungHan | - |
dc.contributor.author | Lee, DongHoon | - |
dc.date.accessioned | 2021-09-04T20:24:29Z | - |
dc.date.available | 2021-09-04T20:24:29Z | - |
dc.date.created | 2021-06-15 | - |
dc.date.issued | 2015-01 | - |
dc.identifier.issn | 0916-8516 | - |
dc.identifier.uri | https://scholar.korea.ac.kr/handle/2021.sw.korea/94747 | - |
dc.description.abstract | Recently, malicious users attack web browsers through malicious pages that exploit a vulnerability of the browser and execute malicious code. To prevent this attack, methods such as DEP (Data Execution Prevention), which prevents data in the stack frame or heap region from being executed, have been devised. However, return-oriented programming (ROP) was introduced to evade these defenses. ROP executes arbitrary code indirectly using gadgets, which are groups of instructions that include a ret instruction within a module to which ASLR (Address Space Layout Randomization) is not applied. In this paper, we propose a static approach to detect ROP payloads in a network irrespective of the environment of the system under attack. Most studies have tried to detect ROP attacks using dynamic analysis, because the gadget addresses in a ROP payload vary with the loaded modules. These methods have the limitation that they must account for the environment in which the ROP payload operates, such as the version of the OS and of the modules containing the gadgets. To overcome this limitation, our method detects ROP payloads using static analysis without prior knowledge of the environment. We extract five characteristics of ROP and then propose a novel algorithm, STROP, to detect ROP in a payload without executing it. Our idea is as follows: STROP statically constructs a stack frame from the input payload, extracts addresses suspected of pointing to gadgets, and groups these addresses. STROP then determines whether the payload includes ROP based on the static characteristics. We implement a prototype using Snort (a network-based intrusion detection system) and evaluate it. Experiments show that our technique can detect ROP payloads with a low number of false alarms. The false positive (FP) rate is 1.3% for 2,239 benign files and 0.05-0.51% for a 1GB packet dump file. Among 68 ROP payloads, STROP detects 51. This research can be applied to existing systems that collect malicious code, such as honeypots. | - |
dc.language | English | - |
dc.language.iso | en | - |
dc.publisher | IEICE-INST ELECTRONICS INFORMATION COMMUNICATIONS ENG | - |
dc.title | STROP: Static Approach for Detection of Return-Oriented Programming Attack in Network | - |
dc.type | Article | - |
dc.contributor.affiliatedAuthor | Lee, DongHoon | - |
dc.identifier.doi | 10.1587/transcom.E98.B.242 | - |
dc.identifier.scopusid | 2-s2.0-84924736546 | - |
dc.identifier.wosid | 000359495400028 | - |
dc.identifier.bibliographicCitation | IEICE TRANSACTIONS ON COMMUNICATIONS, v.E98B, no.1, pp.242 - 251 | - |
dc.relation.isPartOf | IEICE TRANSACTIONS ON COMMUNICATIONS | - |
dc.citation.title | IEICE TRANSACTIONS ON COMMUNICATIONS | - |
dc.citation.volume | E98B | - |
dc.citation.number | 1 | - |
dc.citation.startPage | 242 | - |
dc.citation.endPage | 251 | - |
dc.type.rims | ART | - |
dc.type.docType | Article | - |
dc.description.journalClass | 1 | - |
dc.description.journalRegisteredClass | scie | - |
dc.description.journalRegisteredClass | scopus | - |
dc.relation.journalResearchArea | Engineering | - |
dc.relation.journalResearchArea | Telecommunications | - |
dc.relation.journalWebOfScienceCategory | Engineering, Electrical & Electronic | - |
dc.relation.journalWebOfScienceCategory | Telecommunications | - |
dc.subject.keywordAuthor | return-oriented programming | - |
dc.subject.keywordAuthor | exploit code | - |
dc.subject.keywordAuthor | network based intrusion detection system | - |
Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.
Certain data included herein are derived from the © Web of Science of Clarivate Analytics. All rights reserved.
You may not copy or re-distribute this material in whole or in part without the prior written consent of Clarivate Analytics.