Anti-ROP: A Moving Target Defense
The recent announcement by Intel and Microsoft about their plans to use control-flow enforcement technology (CET) has some experts waving farewell to return-oriented programming (ROP) attacks. But others question whether this hardware-based solution can really eradicate malware infections based on ROP attacks. A new software-oriented solution from IBM Research — Haifa, however, may hold the promise for immediate defense against ROP.
Almost 90 percent of exploit-based software attacks use the hostile ROP technique in the chain of attack. Over the years, much research has been done to find a solution. Until now, the available techniques have had limited success, and none have taken an effective preventive approach. At IBM Research — Haifa, we developed an anti-ROP technique. It’s an advanced shuffling process that shifts key elements of code, making it harder to exploit vulnerabilities and take control of a program.
So how does ROP work, and how does our novel “moving target” approach stop an ROP attack before it happens?
Breaking the Chain of Attack
ROP is an exploit technique that allows an attacker to take control of a program flow by smashing the call stack to execute instruction sequences. The attacker borrows gadgets, or small pieces of code, from the hijacked program to execute malicious code.
Cybercriminals use ROP because it can easily bypass data execution prevention (DEP), a technology implemented in hardware and software to prevent code injection and execution. If we can break the ROP phase of the chain attack, we can break the entire chain of attack. This prevents the execution of malicious code.
Anti-ROP performs exactly that preemptive process. It prevents hijacking before it happens.
Soft Spots in the Software
One of the many techniques developed to prevent ROP attacks is address space layout randomization (ASLR), a process implemented in almost all operating systems. ASLR randomizes the address bases of the sections, forcing the attacker to guess the location of the gadgets. However, some parts and files are not randomized, leaving weak spots in the program that attackers can still use to invoke their malicious intentions.
Microsoft and Intel recently joined forces to strengthen hardware protection against the widespread use of ROP. They collaborated to integrate CET in Intel hardware. It uses a shadow stack and pointers to prevent cybercriminals from misusing legitimate code.
The CET specification “sets a direction of intent to leverage the fixed hardware architectures of the Central Processing Unit to establish controls to help prevent and interfere with code-reuse attacks,” explained Matthew Rosenquist, an Intel cybersecurity strategist, as quoted by The Register.
The solution will not be deployed in all systems and will not be backward-compatible. It does require upgrading hardware platforms and recompiling the software system.
Moving Targets Prevent ROP Attacks
The software-based anti-ROP solution is easy to install, and it’s compatible with all platforms and operating systems. There is no need to upgrade or modify the system. Put simply, it is a type of advanced randomization process where the entire code section is randomized.
Attackers building a ROP attack assume that the gadgets they need are in absolute addresses or shifted by constant bytes. If they can detect the shift of one gadget, they can detect the shifts of all gadgets.
This is where our novel solution comes in: It is a moving target defense to ensure that detecting the shift of one gadget does not reveal the rest, always staying several steps ahead of the attacker. Our solution can be implemented on Windows, Linux and other operating systems. It analyzes the PE/ELF files, builds chunks composed of a number of function blocks and reorganizes them.
Every phase of the process can be invoked online or offline. The randomized file created has the same functionality as the original file, so the randomization process requires intervention in the structure of the file, fixing headers, updating branches and tables, etc.
Our solution challenges the attacker to guess all address locations of the gadgets. Unlike in ASLR technology, finding a gadget in one block definitely does not reveal the addresses of the other gadgets. In addition, our solution does not require the source code of a program. It supports legacy code, is backward compatible and does not require hardware support.
Architecture and Deployment
The anti-ROP solution can be deployed in various ways and forms. It can be installed as a third-party solution provider, hooked in the system and more. We have already deployed this technique on a number of users’ Windows machines.
Another Deployment Option
A New Level of Security
The anti-ROP solution can block memory corruption zero-day attacks. Beyond that, it can detect attack attempts at almost no performance cost and without having to install new online components. Our evaluations have shown that this software solution can protect against a wide variety of threat sources that use ROP in their attack chain, bringing new levels of security to various applications.
Anti-ROP security is also being incorporated within the SHARCS project, an EU-funded consortium targeted at providing end-to-end security across the hardware and software stack. In this context, anti-ROP is being used to provide a higher level of protection to systems by preventing hackers from leveraging well-known legacy code to generate attacks.