
Mitigating Return Oriented Programming

Speakman, Lee; Eze, Thaddeus; Baker, David; Wairimu, Samuel

Abstract

Code-reuse attack techniques such as Return Oriented Programming (ROP) pose a significant threat to modern-day systems because they circumvent both traditional and more recent protection mechanisms, including antivirus, antimalware, Address Space Layout Randomisation (ASLR) and W⊕X/Data Execution Prevention (DEP). IT companies are actively researching ways in which ROP attacks can be mitigated, emphasising the importance of research in this area. Various defence mechanisms have been designed and developed to prevent ROP attacks; however, vulnerabilities still exist, and some attacks are still able to bypass these. This paper proposes a solution – ROPMit – that successfully mitigates ROP attacks without the caveats of other current research. ROPMit is a collection of base techniques that detects function boundaries and randomises the memory layout at the function level, so that ROP is mitigated even when an info-leak reveals the address of part of the code section. ROPMit is implemented and tested on 32-bit Linux binaries compiled with gcc. Testing is done on a binary with an info-leak and a buffer overflow vulnerability on the call stack. A ROP attack attempts to call gadgets in the binary but is blocked by ROPMit with high likelihood. The likelihood of blocking an attack is proportional to the factorial of the number of functions present in the binary.
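
As an added illustration of the factorial argument (example code written for this page, not the paper's ROPMit implementation): a toy model with constructed function sizes enumerates every function-level ordering of a small code section and counts those in which a chain rebased on a single leaked function address still lands on its intended gadgets.

```python
from itertools import permutations
from math import factorial

# Constructed toy model of a 32-bit binary's code section; not ROPMit's own code.
# Each function has a size in bytes. A gadget is identified by the function it
# lives in plus a fixed offset inside it, so its address moves with the function.
FUNCTIONS = {"main": 0x40, "parse": 0x80, "copy": 0x30, "log": 0x50, "exit": 0x20}
BASE = 0x08048000  # typical non-PIE text base on 32-bit Linux (assumed)


def layout(order):
    """Start address of every function when laid out in the given order."""
    addrs, cursor = {}, BASE
    for name in order:
        addrs[name] = cursor
        cursor += FUNCTIONS[name]
    return addrs


def chain_lands(real, leaked, chain):
    """True if a chain built from the compile-time layout, rebased on the one
    leaked function address, still hits every intended gadget under `real`."""
    original = layout(FUNCTIONS)  # dict insertion order = compile-time order
    slide = real[leaked] - original[leaked]
    return all(original[fn] + slide == real[fn] for fn in chain)


def count_exposed_layouts(leaked, chain):
    """Exact enumeration over all function orderings the randomiser could pick:
    how many leave the chain intact, and the total number it is chosen from."""
    hits = sum(chain_lands(layout(p), leaked, chain) for p in permutations(FUNCTIONS))
    return hits, factorial(len(FUNCTIONS))


if __name__ == "__main__":
    hits, total = count_exposed_layouts("main", ["parse", "log"])
    print(f"leak of main, gadgets in parse+log: {hits}/{total} layouts still exploitable")
    # Gadgets inside the leaked function itself are not protected by the shuffle:
    print("gadget inside leaked function:", count_exposed_layouts("main", ["main"]))
```

Gadgets that sit in the leaked function itself survive every ordering, which is why the paper's "part of the code section" wording matters: the protection comes from the other functions, and it grows factorially with their number.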

Presentation Conference Type: Conference Paper (published)
Conference Name: European Conference on Cyber Warfare and Security (ECCWS)
Start Date: Jul 4, 2019
End Date: Jul 5, 2019
Acceptance Date: Apr 1, 2019
Online Publication Date: Jul 4, 2019
Publication Date: Jul 4, 2019
Deposit Date: Feb 17, 2025
Peer Reviewed: Yes
Keywords: Code injection, ROP, ROPMit, Security, ASLR, Software Protection