HyperCrop: A hypervisor-based countermeasure for return oriented programming

Jun Jiang, Xiaoqi Jia, Dengguo Feng, Shengzhi Zhang, Peng Liu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Scopus citations


Return oriented programming (ROP) has recently caught great attention of both academia and industry. It reuses existing binary code instead of injecting its own code and is able to perform arbitrary computation due to its Turing-completeness. Hence, it can successfully bypass state-of-the-art code integrity mechanisms such as NICKLE and SecVisor. In this paper, we present HyperCrop, a hypervisor-based approach to counter such attacks. Since ROP attackers extract short instruction sequences ending in ret, called "gadgets", and craft stack content to "chain" these gadgets together, our method recognizes that the key characteristic of ROP is to fill the stack with plenty of addresses that are within the range of libraries (e.g. libc). Accordingly, we inspect the content of the stack to see if a potential ROP attack exists. We have implemented a proof-of-concept system based on the open source Xen hypervisor. The evaluation results exhibit that our solution is effective and efficient.
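As an added illustration of the stack-inspection heuristic the abstract describes (example code written for this page, not the authors' Xen implementation), the following Python scans a captured list of stack words against assumed, constructed library address ranges and flags dense runs of in-library addresses:

```python
# Added example (not from the HyperCrop paper): a toy version of the stack
# heuristic the abstract describes, checking how many stack slots hold
# addresses that fall inside shared-library mappings.

# Constructed, hypothetical address ranges standing in for loaded libraries.
LIBRARY_RANGES = {
    "libc": (0x7F00_0000_0000, 0x7F00_0020_0000),
    "libm": (0x7F00_0040_0000, 0x7F00_0048_0000),
}

def in_library(word, ranges=LIBRARY_RANGES):
    """Return the library name whose mapping contains `word`, else None."""
    for name, (lo, hi) in ranges.items():
        if lo <= word < hi:
            return name
    return None

def library_address_stats(stack_words, ranges=LIBRARY_RANGES):
    """Count library addresses and the longest run of consecutive ones.

    A legitimate stack holds a few return addresses interleaved with
    locals and saved registers; a gadget chain is a dense run of them.
    """
    total = longest = current = 0
    for word in stack_words:
        if in_library(word, ranges):
            total += 1
            current += 1
            longest = max(longest, current)
        else:
            current = 0
    return {"library_addresses": total, "longest_run": longest}

def looks_like_rop(stack_words, ranges=LIBRARY_RANGES, min_run=4, min_fraction=0.5):
    """Flag a stack whose library-address run length or density is suspicious."""
    stats = library_address_stats(stack_words, ranges)
    fraction = stats["library_addresses"] / max(len(stack_words), 1)
    return stats["longest_run"] >= min_run or fraction >= min_fraction

# Constructed stack snapshots (slot values, lowest address first).
BENIGN_STACK = [0x7F00_0001_2340, 0x10, 0x7FFF_D000_1A00, 0x0,
                0x0040_12F0, 0x7F00_0000_9A10, 0x42]
ROP_LIKE_STACK = [0x7F00_0000_1120, 0x7F00_0000_22A0, 0x7F00_0000_03F8,
                  0x7F00_0000_4410, 0x7F00_0000_5500, 0xDEAD_BEEF]

if __name__ == "__main__":
    for label, stack in (("benign", BENIGN_STACK), ("rop-like", ROP_LIKE_STACK)):
        print(label, library_address_stats(stack), "suspicious:", looks_like_rop(stack))
```

The thresholds are illustrative; a real monitor would tune them per workload and take the library ranges from the guest's actual memory map.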

Original language: English (US)
Title of host publication: Information and Communications Security - 13th International Conference, ICICS 2011, Proceedings
Number of pages: 14
State: Published - 2011
Event: 13th International Conference on Information and Communications Security, ICICS 2011 - Beijing, China
Duration: Nov 23 2011 - Nov 26 2011

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 7043 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Other: 13th International Conference on Information and Communications Security, ICICS 2011

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • General Computer Science

