The recent announcement by Intel and Microsoft about their plans to use control-flow enforcement technology (CET) has some experts waving farewell to return-oriented programming (ROP) attacks. But others question whether this hardware-based solution can really eradicate malware infections based on ROP attacks. A new software-oriented solution from IBM Research — Haifa, however, may hold the promise for immediate defense against ROP.

Almost 90 percent of exploit-based software attacks use the hostile ROP technique in the chain of attack. Over the years, much research has been done to find a solution. Until now, the available techniques have had limited success, and none have taken an effective preventive approach. At IBM Research — Haifa, we developed an anti-ROP technique. It’s an advanced shuffling process that shifts key elements of code, making it harder to exploit vulnerabilities and take control of a program.

So how does ROP work, and how does our novel “moving target” approach stop an ROP attack before it happens?

Breaking the Chain of Attack

ROP is an exploit technique that allows an attacker to take control of a program flow by smashing the call stack to execute instruction sequences. The attacker borrows gadgets, or small pieces of code, from the hijacked program to execute malicious code.

Cybercriminals use ROP because it can easily bypass data execution prevention (DEP), a technology implemented in hardware and software to prevent code injection and execution. If we can break the ROP phase of the chain attack, we can break the entire chain of attack. This prevents the execution of malicious code.

Anti-ROP performs exactly that preemptive process. It prevents hijacking before it happens.

Soft Spots in the Software

One of the many techniques developed to prevent ROP attacks is address space layout randomization (ASLR), a process implemented in almost all operating systems. ASLR randomizes the address bases of the sections, forcing the attacker to guess the location of the gadgets. However, some parts and files are not randomized, leaving weak spots in the program that attackers can still use to invoke their malicious intentions.

Microsoft and Intel recently joined forces to strengthen hardware protection against the widespread use of ROP. They collaborated to integrate CET in Intel hardware. It uses a shadow stack and pointers to prevent cybercriminals from misusing legitimate code.

The CET specification “sets a direction of intent to leverage the fixed hardware architectures of the Central Processing Unit to establish controls to help prevent and interfere with code-reuse attacks,” explained Matthew Rosenquist, an Intel cybersecurity strategist, as quoted by The Register.

The solution will not be deployed in all systems and will not be backward-compatible. It does require upgrading hardware platforms and recompiling the software system.

Moving Targets Prevent ROP Attacks

The software-based anti-ROP solution is easy to install, and it’s compatible with all platforms and operating systems. There is no need to upgrade or modify the system. Put simply, it is a type of advanced randomization process where the entire code section is randomized.

Attackers building a ROP attack assume that the gadgets they need are in absolute addresses or shifted by constant bytes. If they can detect the shift of one gadget, they can detect the shifts of all gadgets.

This is where our novel solution comes in: It is a moving target defense to ensure that detecting the shift of one gadget does not reveal the rest, always staying several steps ahead of the attacker. Our solution can be implemented on Windows, Linux and other operating systems. It analyzes the PE/ELF files, builds chunks composed of a number of function blocks and reorganizes them.

Every phase of the process can be invoked online or offline. The randomized file created has the same functionality as the original file, so the randomization process requires intervention in the structure of the file, fixing headers, updating branches and tables, etc.

Our solution challenges the attacker to guess all address locations of the gadgets. Unlike in ASLR technology, finding a gadget in one block definitely does not reveal the addresses of the other gadgets. In addition, our solution does not require the source code of a program. It supports legacy code, is backward compatible and does not require hardware support.

Architecture and Deployment

The anti-ROP solution can be deployed in various ways and forms. It can be installed as a third-party solution provider, hooked in the system and more. We have already deployed this technique on a number of users’ Windows machines.

Another Deployment Option

A New Level of Security

The anti-ROP solution can block memory corruption zero-day attacks. Beyond that, it can detect attack attempts at almost no performance cost and without having to install new online components. Our evaluations have shown that this software solution can protect against a wide variety of threat sources that use ROP in their attack chain, bringing new levels of security to various applications.

Anti-ROP security is also being incorporated within the SHARCS project, an EU-funded consortium targeted at providing end-to-end security across the hardware and software stack. In this context, anti-ROP is being used to provide a higher level of protection to systems by preventing hackers from leveraging well-known legacy code to generate attacks.

More from Software Vulnerabilities

Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1

Command & Control (C2) frameworks are a very sensitive component of Red Team operations. Often, a Red Team will be in a highly privileged position on a target’s network, and a compromise of the C2 framework could lead to a compromise of both the red team operator’s system and control over beacons established on a target’s systems. As such, vulnerabilities in C2 frameworks are high priority targets for threat actors and Counterintelligence (CI) operations. On September 20, 2022, HelpSystems published…

Controlling the Source: Abusing Source Code Management Systems

For full details on this research, see the X-Force Red whitepaper “Controlling the Source: Abusing Source Code Management Systems”. This material is also being presented at Black Hat USA 2022. Source Code Management (SCM) systems play a vital role within organizations and have been an afterthought in terms of defenses compared to other critical enterprise systems such as Active Directory. SCM systems are used in the majority of organizations to manage source code and integrate with other systems within the…

X-Force Research Update: Top 10 Cybersecurity Vulnerabilities of 2021

From 2020 to 2021, there was a 33% increase in the number of reported incidents caused by vulnerability exploitation, according to the 2022 X-Force Threat Intelligence Index. A large percentage of these exploited vulnerabilities were newly discovered; in fact, four out of the top five vulnerabilities in 2021 were newer vulnerabilities. Vulnerability exploitation was the second most common initial infection vector observed by IBM Security X-Force in 2021, falling closely behind phishing. Cybercriminals are finding new ways of bypassing security…

How Log4j Vulnerability Could Impact You

MITIGATION UPDATE: New vulnerability in 2.17 — CVE-2021-44832 Upgrade to 2.17.1 to mitigate this vulnerability Do NOT enable JNDI in any versions Follow: If you hadn’t heard of Apache Log4j, chances are it’s on your radar now. In fact, you may have been using it for years. Log4j is a logging library. Imagine writing your daily activities into a notebook. That notebook is Log4j. Developers and programmers use it to take notes about what’s happening on applications and servers.…