Defeating ROP Through Denial of Stack Pivot

Code reuse, specifically return-oriented programming (ROP) is a popular and prevalent infiltration technique. While current solutions based on code randomization, artificial diversification and control-flow integrity have rendered ROP attacks harder to accomplish, they have been unsuccessful in completely eliminating them. Particularly, CFI-based approaches lack incremental deployability and impose high performance overhead – two key requirement for practical application.
In this paper, we present a novel defense against ROP attacks. We observe that stack pivoting – a key step in executing ROP attacks, moves the stack pointer from the stack region to a non-stack (often heap) region, thereby violating the integrity of the stack pointer. Unlike CFI-based defenses, our defense does not rely on the control-flow of the program. Instead, we assert the sanity of stack pointer at predetermined execution points in order to detect stack pivoting and thereby defeat ROP. The key advantage of our approach is that it allows for incremental deployability, an Achilles heel for CFI. That is, we can selectively protect some modules that can coexist with other unprotected modules. Other advantages include: (1) We do not depend on ASLR – which is particularly vulnerable to information disclosure attacks, and (2) We do not make any assumptions regarding the so called “gadget". This is particularly important since recent attacks have demonstrated the weakness of such assumptions. We implemented our defense in a proof-of-concept system called PBlocker. We evaluated PBlocker on SPEC 2006 benchmark and show an average runtime overhead of under 1.04%.

Author(s):

Aravind Prakash    
Syracuse University
United States

Heng Yin    
Syracuse University
United States