The recent announcement by Intel and Microsoft about their plans to use control-flow enforcement technology (CET) has some experts waving farewell to return-oriented programming (ROP) attacks. But others question whether this hardware-based solution can really eradicate malware infections based on ROP attacks. A new software-oriented solution from IBM Research — Haifa, however, may hold the promise for immediate defense against ROP.

Almost 90 percent of exploit-based software attacks use the hostile ROP technique in the chain of attack. Over the years, much research has been done to find a solution. Until now, the available techniques have had limited success, and none have taken an effective preventive approach. At IBM Research — Haifa, we developed an anti-ROP technique. It’s an advanced shuffling process that shifts key elements of code, making it harder to exploit vulnerabilities and take control of a program.

So how does ROP work, and how does our novel “moving target” approach stop an ROP attack before it happens?

Breaking the Chain of Attack

ROP is an exploit technique that allows an attacker to take control of a program flow by smashing the call stack to execute instruction sequences. The attacker borrows gadgets, or small pieces of code, from the hijacked program to execute malicious code.

Cybercriminals use ROP because it can easily bypass data execution prevention (DEP), a technology implemented in hardware and software to prevent code injection and execution. If we can break the ROP phase of the chain attack, we can break the entire chain of attack. This prevents the execution of malicious code.

Anti-ROP performs exactly that preemptive process. It prevents hijacking before it happens.

Soft Spots in the Software

One of the many techniques developed to prevent ROP attacks is address space layout randomization (ASLR), a process implemented in almost all operating systems. ASLR randomizes the address bases of the sections, forcing the attacker to guess the location of the gadgets. However, some parts and files are not randomized, leaving weak spots in the program that attackers can still use to invoke their malicious intentions.

Microsoft and Intel recently joined forces to strengthen hardware protection against the widespread use of ROP. They collaborated to integrate CET in Intel hardware. It uses a shadow stack and pointers to prevent cybercriminals from misusing legitimate code.

The CET specification “sets a direction of intent to leverage the fixed hardware architectures of the Central Processing Unit to establish controls to help prevent and interfere with code-reuse attacks,” explained Matthew Rosenquist, an Intel cybersecurity strategist, as quoted by The Register.

The solution will not be deployed in all systems and will not be backward-compatible. It does require upgrading hardware platforms and recompiling the software system.

Moving Targets Prevent ROP Attacks

The software-based anti-ROP solution is easy to install, and it’s compatible with all platforms and operating systems. There is no need to upgrade or modify the system. Put simply, it is a type of advanced randomization process where the entire code section is randomized.

Attackers building a ROP attack assume that the gadgets they need are in absolute addresses or shifted by constant bytes. If they can detect the shift of one gadget, they can detect the shifts of all gadgets.

This is where our novel solution comes in: It is a moving target defense to ensure that detecting the shift of one gadget does not reveal the rest, always staying several steps ahead of the attacker. Our solution can be implemented on Windows, Linux and other operating systems. It analyzes the PE/ELF files, builds chunks composed of a number of function blocks and reorganizes them.

Every phase of the process can be invoked online or offline. The randomized file created has the same functionality as the original file, so the randomization process requires intervention in the structure of the file, fixing headers, updating branches and tables, etc.

Our solution challenges the attacker to guess all address locations of the gadgets. Unlike in ASLR technology, finding a gadget in one block definitely does not reveal the addresses of the other gadgets. In addition, our solution does not require the source code of a program. It supports legacy code, is backward compatible and does not require hardware support.

Architecture and Deployment

The anti-ROP solution can be deployed in various ways and forms. It can be installed as a third-party solution provider, hooked in the system and more. We have already deployed this technique on a number of users’ Windows machines.

Another Deployment Option

A New Level of Security

The anti-ROP solution can block memory corruption zero-day attacks. Beyond that, it can detect attack attempts at almost no performance cost and without having to install new online components. Our evaluations have shown that this software solution can protect against a wide variety of threat sources that use ROP in their attack chain, bringing new levels of security to various applications.

Anti-ROP security is also being incorporated within the SHARCS project, an EU-funded consortium targeted at providing end-to-end security across the hardware and software stack. In this context, anti-ROP is being used to provide a higher level of protection to systems by preventing hackers from leveraging well-known legacy code to generate attacks.

More from Software Vulnerabilities

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today