The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
Copyrights notice
Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of recent operating systems. Existing ROP detection approaches mainly focus on host-based intrusion detection systems (HIDSes), but network-based intrusion detection systems (NIDSes) are also needed to protect various hosts, including IoT devices, on the network. However, existing approaches are not sufficient for network-level protection because of two problems. (1) Dynamic approaches take second- or minute-order time on average for inspection; for application to NIDSes, millisecond-order is required to achieve near-real-time detection. (2) Static approaches generate false positives because they use heuristic patterns; for application to NIDSes, false positives must be minimized to suppress false alarms. In this paper, we propose a method for statically detecting ROP chains in malicious data by learning the target libraries (i.e., the libraries used for ROP gadgets). Our method accelerates inspection by exhaustively collecting feasible ROP gadgets from the target libraries and learning them separately from the inspection step. In addition, it reduces the false positives that are unavoidable in existing static inspection by statically verifying whether a suspicious byte sequence can link properly when executed as a ROP chain. Experimental results showed that our method achieved millisecond-order ROP chain detection with high precision.
Toshinori USUI
NTT Secure Platform Laboratories, The University of Tokyo
Tomonori IKUSE
NTT Secure Platform Laboratories
Yuto OTSUKI
NTT Secure Platform Laboratories
Yuhei KAWAKOYA
NTT Secure Platform Laboratories
Makoto IWAMURA
NTT Secure Platform Laboratories
Jun MIYOSHI
NTT Secure Platform Laboratories
Kanta MATSUURA
The University of Tokyo
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Toshinori USUI, Tomonori IKUSE, Yuto OTSUKI, Yuhei KAWAKOYA, Makoto IWAMURA, Jun MIYOSHI, Kanta MATSUURA, "ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets" in IEICE TRANSACTIONS on Information,
vol. E103-D, no. 7, pp. 1476-1492, July 2020, doi: 10.1587/transinf.2019ICP0016.
Abstract: Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of recent operating systems. Although existing ROP detection approaches mainly focus on host-based intrusion detection systems (HIDSes), network-based intrusion detection systems (NIDSes) are also desired to protect various hosts including IoT devices on the network. However, existing approaches are not enough for network-level protection due to two problems: (1) Dynamic approaches take the time with second- or minute-order on average for inspection. For applying to NIDSes, millisecond-order is required to achieve near real time detection. (2) Static approaches generate false positives because they use heuristic patterns. For applying to NIDSes, false positives should be minimized to suppress false alarms. In this paper, we propose a method for statically detecting ROP chains in malicious data by learning the target libraries (i.e., the libraries that are used for ROP gadgets). Our method accelerates its inspection by exhaustively collecting feasible ROP gadgets in the target libraries and learning them separated from the inspection step. In addition, we reduce false positives inevitable for existing static inspection by statically verifying whether a suspicious byte sequence can link properly when they are executed as a ROP chain. Experimental results showed that our method has achieved millisecond-order ROP chain detection with high precision.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2019ICP0016/_p
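To make the abstract's two ideas concrete, here is an added example that is not code from the paper or from ROPminer: a constructed gadget table stands in for the learned target library, a pattern-style count flags any slot that merely looks like a library pointer, and a linkability walk reports a chain only when each gadget's ret would land exactly on the next known gadget. The gadget addresses, the library mapping range and both byte samples are constructed for the demonstration.

```python
import struct
WORD = 8  # stack-slot size; assumption: 64-bit target
# Constructed stand-in for the learned target library: {gadget start address:
# (disassembly, stack slots the gadget pops before its ret)}. The addresses are
# hypothetical, for a library mapped at 0x7f0000000000, not any real library.
GADGETS = {
    0x7F0000001234: ("pop rdi; ret", 1),
    0x7F0000001301: ("pop rsi; pop r15; ret", 2),
    0x7F0000001400: ("mov rax, rdi; ret", 0),
    0x7F0000001577: ("ret", 0),
}
LIB_LO, LIB_HI = 0x7F0000000000, 0x7F0000100000  # hypothetical mapping range

def words(blob, base):
    """Yield (offset, value) for each 8-byte slot read at alignment `base`."""
    for off in range(base, len(blob) - WORD + 1, WORD):
        yield off, struct.unpack_from("<Q", blob, off)[0]

def heuristic_hits(blob):
    """Pattern-style check: count slots whose value merely lies inside the library."""
    return sum(1 for b in range(WORD) for _, v in words(blob, b) if LIB_LO <= v < LIB_HI)

def longest_linked_chain(blob):
    """Linkability check: walk slots as a ROP chain, requiring each known gadget to
    hand control to another known gadget at exactly the slot its ret would pop."""
    best = []
    for base in range(WORD):                 # a chain need not be aligned to the blob
        table = dict(words(blob, base))
        for start in table:
            chain, cur = [], start
            while cur in table and table[cur] in GADGETS:
                text, consumes = GADGETS[table[cur]]
                chain.append((cur, text))
                cur += WORD * (1 + consumes)  # step over the gadget's own pops
            if len(chain) > len(best):
                best = chain
    return best

def is_rop_chain(blob, min_gadgets=3):
    return len(longest_linked_chain(blob)) >= min_gadgets

def p64(v):
    return struct.pack("<Q", v)
# Constructed samples: the first links four gadgets with their arguments in place; the
# second is an unlinked table of the same library pointers, which only the pattern check flags.
CHAIN_SAMPLE = (b"A" * 19 + p64(0x7F0000001234) + p64(0x41) + p64(0x7F0000001301)
                + p64(0x42) + p64(0x43) + p64(0x7F0000001400) + p64(0x7F0000001577) + b"B" * 5)
BENIGN_SAMPLE = b"".join(p64(v) for v in (
    0x7F0000001234, 0x7F0000001301, 0x7F0000002000, 0x7F0000001400,
    0x7F0000002010, 0x7F0000001577, 0x7F0000002020))
```

The pattern check scores the benign pointer table higher (7 hits) than the real chain (4 hits), while the linkability walk recovers the four linked gadgets from the chain and finds nothing longer than a single gadget in the table.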
@ARTICLE{e103-d_7_1476,
author={Toshinori USUI and Tomonori IKUSE and Yuto OTSUKI and Yuhei KAWAKOYA and Makoto IWAMURA and Jun MIYOSHI and Kanta MATSUURA},
journal={IEICE TRANSACTIONS on Information},
title={ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets},
year={2020},
volume={E103-D},
number={7},
pages={1476-1492},
abstract={Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of recent operating systems. Although existing ROP detection approaches mainly focus on host-based intrusion detection systems (HIDSes), network-based intrusion detection systems (NIDSes) are also desired to protect various hosts including IoT devices on the network. However, existing approaches are not enough for network-level protection due to two problems: (1) Dynamic approaches take the time with second- or minute-order on average for inspection. For applying to NIDSes, millisecond-order is required to achieve near real time detection. (2) Static approaches generate false positives because they use heuristic patterns. For applying to NIDSes, false positives should be minimized to suppress false alarms. In this paper, we propose a method for statically detecting ROP chains in malicious data by learning the target libraries (i.e., the libraries that are used for ROP gadgets). Our method accelerates its inspection by exhaustively collecting feasible ROP gadgets in the target libraries and learning them separated from the inspection step. In addition, we reduce false positives inevitable for existing static inspection by statically verifying whether a suspicious byte sequence can link properly when they are executed as a ROP chain. Experimental results showed that our method has achieved millisecond-order ROP chain detection with high precision.},
keywords={},
doi={10.1587/transinf.2019ICP0016},
ISSN={1745-1361},
month={July},}
TY - JOUR
TI - ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets
T2 - IEICE TRANSACTIONS on Information
SP - 1476
EP - 1492
AU - Toshinori USUI
AU - Tomonori IKUSE
AU - Yuto OTSUKI
AU - Yuhei KAWAKOYA
AU - Makoto IWAMURA
AU - Jun MIYOSHI
AU - Kanta MATSUURA
PY - 2020
DO - 10.1587/transinf.2019ICP0016
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E103-D
IS - 7
JA - IEICE TRANSACTIONS on Information
Y1 - July 2020
AB - Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of recent operating systems. Although existing ROP detection approaches mainly focus on host-based intrusion detection systems (HIDSes), network-based intrusion detection systems (NIDSes) are also desired to protect various hosts including IoT devices on the network. However, existing approaches are not enough for network-level protection due to two problems: (1) Dynamic approaches take the time with second- or minute-order on average for inspection. For applying to NIDSes, millisecond-order is required to achieve near real time detection. (2) Static approaches generate false positives because they use heuristic patterns. For applying to NIDSes, false positives should be minimized to suppress false alarms. In this paper, we propose a method for statically detecting ROP chains in malicious data by learning the target libraries (i.e., the libraries that are used for ROP gadgets). Our method accelerates its inspection by exhaustively collecting feasible ROP gadgets in the target libraries and learning them separated from the inspection step. In addition, we reduce false positives inevitable for existing static inspection by statically verifying whether a suspicious byte sequence can link properly when they are executed as a ROP chain. Experimental results showed that our method has achieved millisecond-order ROP chain detection with high precision.
ER -