RuhR-University Bochum                                           System Security Lab




     Dynamic Integrity Measurement and
    Attestation: Towards Defense Against
    Return-Oriented Programming Attacks


     Lucas Davi, Ahmad-Reza Sadeghi, Marcel Winandy

                      Ruhr-University Bochum, Germany




  ACM STC 2009 – 4th Annual Workshop on Scalable Trusted Computing
  Chicago, Illinois, USA – November 13, 2009




                                    Introduction
      ●   Return-Oriented Programming (ROP) Attacks
            –    Generalization of “return-into-libc” attacks
            –    Change program behavior without code injection
            –    Instead, use existing code
                          ●   NX bit doesn't help!
     ●    Discovered for Intel CISC (CCS 2007), and
          generalized to RISC architecture (CCS 2008)




Marcel Winandy        DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13              2




                                ROP Attack








                  How does ROP work?
     ●   Assumption: attacker controls the stack
     ●   Stack is overwritten with return addresses




                        Properties of ROP
     ●   Points into the middle of functions
     ●   Typically small instruction sequences (gadgets)
     ●   Creates unintended instruction sequences
     ●   Example:
         b8 13 00 00 00          mov $0x13,%eax
         e9 c3 f8 ff ff          jmp 3aae9                      Code is interpreted differently!

         The same bytes decoded starting at the third byte (offset 2):
         00 00                   add %al,(%eax)
         00 e9                   add %ch,%cl
         c3                      ret






                                    Our Proposal
     ●   DynIMA: Dynamic Integrity Measurement and
         Attestation
                 –   Bridge the gap between load-time attestation and
                      runtime integrity monitoring
                 –   Support for a wide range of programs (e.g., no
                      source code available)
                 –   Our focus: detection of ROP attacks
     ●   Main idea: include runtime checks via code
         instrumentation before loading programs






                   DynIMA Architecture








                     Tracking Instrumentation
     ●   We examine two approaches
                 –   Taint Tracking
                 –   Dynamic Tracing








                             Taint Tracking
     ●   Dynamic taint analysis marks untrusted data as tainted
         and tracks its propagation
     ●   Terminates program if tainted data is misused
         (e.g. as a pointer)








       Using Taint Tracking to Detect ROP
     ●   Idea: count the instructions between two rets and
         raise an alert if there are at most 5 of them
                 –   Observation: ROP gadgets are small (2 – 5)
                 –   We were able to detect ROP attacks
                 –   But: does this work in general?
                           ●   False positives / false negatives
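As an added illustration of the gadget-length heuristic on this slide (example code, not the DynIMA project's own), the following Python models the check over a constructed instruction trace; the `run` parameter of `rop_alert` is my own refinement, and both traces are invented.

```python
from typing import Iterable, List, Tuple

MAX_GADGET_LEN = 5   # slide 12: ROP gadgets are 2-5 instructions long; alert at <= 5


def short_ret_gaps(trace: Iterable[str], limit: int = MAX_GADGET_LEN) -> List[Tuple[int, int]]:
    """Report (index_of_ret, instructions_since_previous_ret) for every ret in an
    executed-instruction trace that follows the previous ret within `limit` instructions."""
    hits: List[Tuple[int, int]] = []
    last_ret = None
    for idx, ins in enumerate(trace):
        if ins.split()[0] != "ret":
            continue
        if last_ret is not None:
            gap = idx - last_ret - 1        # instructions strictly between the two rets
            if gap <= limit:
                hits.append((idx, gap))
        last_ret = idx
    return hits


def rop_alert(trace: Iterable[str], limit: int = MAX_GADGET_LEN, run: int = 3) -> bool:
    """Refinement assumed here (not on the slides): alert only after `run` consecutive
    short ret gaps, which a chained payload produces and a lone tiny leaf function does not."""
    streak, last_ret = 0, None
    for idx, ins in enumerate(trace):
        if ins.split()[0] != "ret":
            continue
        if last_ret is not None and idx - last_ret - 1 <= limit:
            streak += 1
            if streak >= run:
                return True
        else:
            streak = 0
        last_ret = idx
    return False


# Constructed traces in AT&T syntax (one string per executed instruction), not real captures.
ROP_TRACE = [                           # four chained gadgets, each ending in a ret
    "pop %eax", "ret",
    "add %ch,%cl", "ret",               # the unintended sequence shown on the slide 7 example
    "pop %ebx", "ret",
    "mov %ebx,(%eax)", "ret",
]
BENIGN_TRACE = [                        # a 3-instruction getter called twice, then a normal function
    "call tiny", "mov 4(%esp),%eax", "inc %eax", "ret",
    "call tiny", "mov 4(%esp),%eax", "inc %eax", "ret",
    "add %eax,%esi", "cmp %edi,%esi", "jl loop", "call get_len",
    "push %ebp", "mov %esp,%ebp", "mov 8(%ebp),%eax", "mov (%eax),%eax", "pop %ebp", "ret",
]
```

The plain gap check flags the benign getter once (a false positive of the kind the slide warns about), while the consecutive-run variant only fires on the chained gadgets.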








                               Dynamic Tracing
     ●   Instrument code on-the-fly
     ●   Tracing code exists only if probes are activated
                 –   Seems to be more flexible and faster
     ●   DTrace (available on OpenSolaris, Mac OS X)
                 –   Code instrumentation and probe points
                      configured via D programming language




                              Using DTrace
     ●   Idea: Detect whether functions are called from
         beginning or in the middle
     ●   D program:




     ●   However: can only detect intended returns




                        Some Recent Results
     ●   The instrumentation framework underlying our taint
         analysis, PIN, is faster and more powerful than
         DTrace
     ●   We now use PIN directly:
                 –   On function call: memorize the valid return address
                 –   Check every instruction whether it is a ret
                 –   Compare the current ret target against the
                     memorized valid addresses (in list)
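An added model of the PIN-based return-address check (example code, not the authors' Pintool): it replays the call/ret events an instruction-level instrumentation tool would observe over constructed traces, and contrasts the list-membership check from the slide with a stricter LIFO shadow stack that I add as an assumption.

```python
from typing import List, Tuple

# A trace is the sequence of control-transfer events an instruction-level
# instrumentation tool such as PIN would observe: ("call", return_address)
# when a call executes, ("ret", target_address) when a ret executes.
Event = Tuple[str, int]

def check_return_list(trace: List[Event]) -> List[int]:
    """The check as stated on the slide: remember every return address seen
    at a call and flag the index of any ret whose target was never recorded."""
    valid = set()
    flagged = []
    for idx, (kind, addr) in enumerate(trace):
        if kind == "call":
            valid.add(addr)
        elif kind == "ret" and addr not in valid:
            flagged.append(idx)
    return flagged

def check_shadow_stack(trace: List[Event]) -> List[int]:
    """Stricter LIFO variant (assumed here, not on the slides): a ret must
    target the return address of the most recent still-open call. This also
    catches a legitimate address being reused out of order, at the price of
    false positives for code that unwinds several frames at once (longjmp,
    exception handling), which a real tool has to special-case."""
    shadow: List[int] = []
    flagged = []
    for idx, (kind, addr) in enumerate(trace):
        if kind == "call":
            shadow.append(addr)
        elif kind == "ret":
            if shadow and shadow[-1] == addr:
                shadow.pop()
            else:
                flagged.append(idx)
    return flagged

# Constructed traces; the addresses are arbitrary placeholders, not from a real binary.
BENIGN = [("call", 0x401010), ("call", 0x401050), ("ret", 0x401050), ("ret", 0x401010)]
ROP    = [("call", 0x401010), ("ret", 0x3aae9), ("ret", 0x3ab12)]   # rets into mid-function code
REUSE  = [("call", 0x401010), ("call", 0x401050), ("ret", 0x401010), ("ret", 0x401050)]

if __name__ == "__main__":
    for name, t in (("benign", BENIGN), ("rop", ROP), ("reuse", REUSE)):
        print(name, check_return_list(t), check_shadow_stack(t))
```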








         Performance of Detection with PIN
     ●   First results:
         gzip:         w/o Pin: 16,49s                 with ROP-Detect: 24,51s
         bzip2:        w/o Pin: 157,72s                with ROP-Detect: 173,43s
         bunzip2:      w/o Pin: 63,19s                 with ROP-Detect: 73,98s
         sha1sum:      w/o Pin: 3,18s                  with ROP-Detect: 6,77s
     ●   Overhead of ROP-Detect instrumentation:
         gzip:          48,64 %
         bzip2:          9,96 %
         bunzip2:       17,08 %
         sha1sum:      112,89 %







                                       Conclusion
     ●   Return-Oriented Programming attacks can change runtime
         program behavior without code injection
     ●   A good solution would be:
                 –   Do your coding right (no buffer overflows, etc.)
                 –   CPU modification to protect the return address stack
                 –   However, this is not to be expected on PCs soon
     ●   Dynamic instrumentation might help to detect ROP attacks
     ●   Future work:
                 –   Analyze ROP detection capability
                 –   Improve performance





                                Questions?


                                   Marcel Winandy
                            Ruhr-University Bochum
                           marcel.winandy@trust.rub.de



