Hardware Assisted ROP Detection Mode (HARD Mode)
AIR FORCE ACADEMY COLORADO SPRINGS CO ACADEMY CENTER FOR CYBERSPACE RESEARCH
Pagination or Media Count:
Return oriented programming ROP is a form of code-reuse attack employed in many modern exploitation attacks. Current defenses such as address-space randomization, structured exception handling, and memory space permissions have thus far proven only speed bumps for attackers. Utilizing new hardware capabilities in the upcoming Intel Haswell platform, we have leveraged a hardware-based approach to protect against a ROP attack. With our process, an application s and associated libraries code segments in memory are marked non-executable and the page faults created when switching execution between pages are utilized as events during which invoke the decision engine. The decision engine is designed to examine the program s actions which caused it to attempt to pass a page boundary and report to an enforcement component which ensures the program s execution terminators. Our proof of concept decision engine examines returns that cross page boundaries and ensures that the target of a return is preceded by a call operation. Should a page transition be approved by a decision engine, the requested memory is marked executable. Otherwise, the enforcement engine will set the program counter register to zero, causing the application to crash.
- Computer Systems Management and Standards