Saved in:
Bibliographic Details
Main Authors: Li, Xusheng, Hu, Zhisheng, Wang, Haizhou, Fu, Yiwei, Chen, Ping, Zhu, Minghui, Liu, Peng
Format: Preprint
Published: 2018
Subjects:
Online Access:https://arxiv.org/abs/1807.11110
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914675621363712
author Li, Xusheng
Hu, Zhisheng
Wang, Haizhou
Fu, Yiwei
Chen, Ping
Zhu, Minghui
Liu, Peng
author_facet Li, Xusheng
Hu, Zhisheng
Wang, Haizhou
Fu, Yiwei
Chen, Ping
Zhu, Minghui
Liu, Peng
contents Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code to perform arbitrary operations on target machines. Existing detection methods against ROP exhibit unsatisfactory detection accuracy and/or have high runtime overhead. In this paper, we present ROPNN, which innovatively combines address space layout guided disassembly and deep neural networks to detect ROP payloads. The disassembler treats application input data as code pointers and aims to find any potential gadget chains, which are then classified by a deep neural network as benign or malicious. Our experiments show that ROPNN has high detection rate (99.3%) and a very low false positive rate (0.01%). ROPNN successfully detects all of the 100 real-world ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools. Additionally, ROPNN detects all 10 ROP exploits that can bypass Bin-CFI. ROPNN is non-intrusive and does not incur any runtime overhead to the protected program.
format Preprint
id arxiv_https___arxiv_org_abs_1807_11110
institution arXiv
publishDate 2018
record_format arxiv
spellingShingle ROPNN: Detection of ROP Payloads Using Deep Neural Networks
Li, Xusheng
Hu, Zhisheng
Wang, Haizhou
Fu, Yiwei
Chen, Ping
Zhu, Minghui
Liu, Peng
Cryptography and Security
Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code to perform arbitrary operations on target machines. Existing detection methods against ROP exhibit unsatisfactory detection accuracy and/or have high runtime overhead. In this paper, we present ROPNN, which innovatively combines address space layout guided disassembly and deep neural networks to detect ROP payloads. The disassembler treats application input data as code pointers and aims to find any potential gadget chains, which are then classified by a deep neural network as benign or malicious. Our experiments show that ROPNN has high detection rate (99.3%) and a very low false positive rate (0.01%). ROPNN successfully detects all of the 100 real-world ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools. Additionally, ROPNN detects all 10 ROP exploits that can bypass Bin-CFI. ROPNN is non-intrusive and does not incur any runtime overhead to the protected program.
title ROPNN: Detection of ROP Payloads Using Deep Neural Networks
topic Cryptography and Security
url https://arxiv.org/abs/1807.11110