HyperCrop: A hypervisor-based countermeasure for return oriented programming

Jun Jiang; Xiaoqi Jia; Dengguo Feng; Shengzhi Zhang; Peng Liu

doi:10.1007/978-3-642-25243-3_29

HyperCrop: A hypervisor-based countermeasure for return oriented programming

Jun Jiang, Xiaoqi Jia, Dengguo Feng, Shengzhi Zhang, Peng Liu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Scopus citations

Abstract

Return oriented programming (ROP) has recently caught great attention of both academia and industry. It reuses existing binary code instead of injecting its own code and is able to perform arbitrary computation due to its Turing-completeness. Hence, It can successfully bypass state-of-the-art code integrity mechanisms such as NICKLE and SecVisor. In this paper, we present HyperCrop, a hypervisor-based approach to counter such attacks. Since ROP attackers extract short instruction sequences ending in ret called "gadgets" and craft stack content to "chain" these gadgets together, our method recognizes that the key characteristics of ROP is to fill the stack with plenty of addresses that are within the range of libraries (e.g. libc). Accordingly, we inspect the content of the stack to see if a potential ROP attack exists. We have implemented a proof-of-concept system based on the open source Xen hypervisor. The evaluation results exhibit that our solution is effective and efficient.

Original language	English (US)
Title of host publication	Information and Communications Security - 13th International Conference, ICICS 2011, Proceedings
Pages	360-373
Number of pages	14
DOIs	https://doi.org/10.1007/978-3-642-25243-3_29
State	Published - 2011
Event	13th International Conference on Information and Communications Security, ICICS 2011 - Beijing, China Duration: Nov 23 2011 → Nov 26 2011

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	7043 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	13th International Conference on Information and Communications Security, ICICS 2011
Country/Territory	China
City	Beijing
Period	11/23/11 → 11/26/11

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-642-25243-3_29

Cite this

Jiang, J., Jia, X., Feng, D., Zhang, S., & Liu, P. (2011). HyperCrop: A hypervisor-based countermeasure for return oriented programming. In Information and Communications Security - 13th International Conference, ICICS 2011, Proceedings (pp. 360-373). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7043 LNCS). https://doi.org/10.1007/978-3-642-25243-3_29

Jiang, Jun ; Jia, Xiaoqi ; Feng, Dengguo et al. / HyperCrop : A hypervisor-based countermeasure for return oriented programming. Information and Communications Security - 13th International Conference, ICICS 2011, Proceedings. 2011. pp. 360-373 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{57c9fa59a25a42f9bf8a66336df04da4,

title = "HyperCrop: A hypervisor-based countermeasure for return oriented programming",

abstract = "Return oriented programming (ROP) has recently caught great attention of both academia and industry. It reuses existing binary code instead of injecting its own code and is able to perform arbitrary computation due to its Turing-completeness. Hence, It can successfully bypass state-of-the-art code integrity mechanisms such as NICKLE and SecVisor. In this paper, we present HyperCrop, a hypervisor-based approach to counter such attacks. Since ROP attackers extract short instruction sequences ending in ret called {"}gadgets{"} and craft stack content to {"}chain{"} these gadgets together, our method recognizes that the key characteristics of ROP is to fill the stack with plenty of addresses that are within the range of libraries (e.g. libc). Accordingly, we inspect the content of the stack to see if a potential ROP attack exists. We have implemented a proof-of-concept system based on the open source Xen hypervisor. The evaluation results exhibit that our solution is effective and efficient.",

author = "Jun Jiang and Xiaoqi Jia and Dengguo Feng and Shengzhi Zhang and Peng Liu",

note = "Funding Information: This work was supported by National Natural Science Foundation of China (NSFC) under Grant No. 61100228 and 61073179. Peng Liu was supported by AFOSR FA9550-07-1-0527 (MURI), ARO W911NF-09-1-0525 (MURI), and NSF CNS-0905131.; 13th International Conference on Information and Communications Security, ICICS 2011 ; Conference date: 23-11-2011 Through 26-11-2011",

year = "2011",

doi = "10.1007/978-3-642-25243-3_29",

language = "English (US)",

isbn = "9783642252426",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "360--373",

booktitle = "Information and Communications Security - 13th International Conference, ICICS 2011, Proceedings",

}

Jiang, J, Jia, X, Feng, D, Zhang, S & Liu, P 2011, HyperCrop: A hypervisor-based countermeasure for return oriented programming. in Information and Communications Security - 13th International Conference, ICICS 2011, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 7043 LNCS, pp. 360-373, 13th International Conference on Information and Communications Security, ICICS 2011, Beijing, China, 11/23/11. https://doi.org/10.1007/978-3-642-25243-3_29

HyperCrop: A hypervisor-based countermeasure for return oriented programming. / Jiang, Jun; Jia, Xiaoqi; Feng, Dengguo et al.
Information and Communications Security - 13th International Conference, ICICS 2011, Proceedings. 2011. p. 360-373 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7043 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - HyperCrop

T2 - 13th International Conference on Information and Communications Security, ICICS 2011

AU - Jiang, Jun

AU - Jia, Xiaoqi

AU - Feng, Dengguo

AU - Zhang, Shengzhi

AU - Liu, Peng

N1 - Funding Information: This work was supported by National Natural Science Foundation of China (NSFC) under Grant No. 61100228 and 61073179. Peng Liu was supported by AFOSR FA9550-07-1-0527 (MURI), ARO W911NF-09-1-0525 (MURI), and NSF CNS-0905131.

PY - 2011

Y1 - 2011

N2 - Return oriented programming (ROP) has recently caught great attention of both academia and industry. It reuses existing binary code instead of injecting its own code and is able to perform arbitrary computation due to its Turing-completeness. Hence, It can successfully bypass state-of-the-art code integrity mechanisms such as NICKLE and SecVisor. In this paper, we present HyperCrop, a hypervisor-based approach to counter such attacks. Since ROP attackers extract short instruction sequences ending in ret called "gadgets" and craft stack content to "chain" these gadgets together, our method recognizes that the key characteristics of ROP is to fill the stack with plenty of addresses that are within the range of libraries (e.g. libc). Accordingly, we inspect the content of the stack to see if a potential ROP attack exists. We have implemented a proof-of-concept system based on the open source Xen hypervisor. The evaluation results exhibit that our solution is effective and efficient.

AB - Return oriented programming (ROP) has recently caught great attention of both academia and industry. It reuses existing binary code instead of injecting its own code and is able to perform arbitrary computation due to its Turing-completeness. Hence, It can successfully bypass state-of-the-art code integrity mechanisms such as NICKLE and SecVisor. In this paper, we present HyperCrop, a hypervisor-based approach to counter such attacks. Since ROP attackers extract short instruction sequences ending in ret called "gadgets" and craft stack content to "chain" these gadgets together, our method recognizes that the key characteristics of ROP is to fill the stack with plenty of addresses that are within the range of libraries (e.g. libc). Accordingly, we inspect the content of the stack to see if a potential ROP attack exists. We have implemented a proof-of-concept system based on the open source Xen hypervisor. The evaluation results exhibit that our solution is effective and efficient.

UR - http://www.scopus.com/inward/record.url?scp=81055144635&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=81055144635&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-25243-3_29

DO - 10.1007/978-3-642-25243-3_29

M3 - Conference contribution

AN - SCOPUS:81055144635

SN - 9783642252426

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 360

EP - 373

BT - Information and Communications Security - 13th International Conference, ICICS 2011, Proceedings

Y2 - 23 November 2011 through 26 November 2011

ER -

Jiang J, Jia X, Feng D, Zhang S, Liu P. HyperCrop: A hypervisor-based countermeasure for return oriented programming. In Information and Communications Security - 13th International Conference, ICICS 2011, Proceedings. 2011. p. 360-373. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-25243-3_29

HyperCrop: A hypervisor-based countermeasure for return oriented programming

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this